Edit tour

Windows Analysis Report
Zam.exe

Overview

General Information

Sample name:	Zam.exe
Analysis ID:	1565072
MD5:	3ae2502b4152cb98314ac0b6833b2957
SHA1:	8743d14fe00e1cca03574687adfa709e81c4b636
SHA256:	baa7b027ef4fed86e02b6ffa8d6143dd09db213a53bceee7cf02d5cec64f760f
Tags:	exeuser-julianmckein
Infos:

Detection

Discord Token Stealer, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Discord Token Stealer

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Zam.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\Zam.exe" MD5: 3AE2502B4152CB98314AC0B6833B2957)

powershell.exe (PID: 7472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ymvnpo.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7884 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7568 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7744 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

ymvnpo.exe (PID: 7952 cmdline: C:\Users\user\AppData\Roaming\ymvnpo.exe MD5: 3AE2502B4152CB98314AC0B6833B2957)

schtasks.exe (PID: 8092 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpD037.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 8144 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1773823325.0000000005740000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1717030586.0000000007480000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1712662630.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1762289733.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1826323666.00000000027E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1762289733.0000000003350000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1711032371.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Zam.exe PID: 7276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7744	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7744	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RegSvcs.exe PID: 7744	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7744	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ymvnpo.exe PID: 7952	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 8144	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 8144	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: RegSvcs.exe PID: 8144	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 8144	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.Zam.exe.3fd24e8.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.RegSvcs.exe.5740000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Zam.exe.7480000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Zam.exe.3fd24e8.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Zam.exe.7480000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Zam.exe.2836240.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zam.exe", ParentImage: C:\Users\user\Desktop\Zam.exe, ParentProcessId: 7276, ParentProcessName: Zam.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe", ProcessId: 7472, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpD037.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpD037.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ymvnpo.exe, ParentImage: C:\Users\user\AppData\Roaming\ymvnpo.exe, ParentProcessId: 7952, ParentProcessName: ymvnpo.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpD037.tmp", ProcessId: 8092, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Zam.exe", ParentImage: C:\Users\user\Desktop\Zam.exe, ParentProcessId: 7276, ParentProcessName: Zam.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp", ProcessId: 7568, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zam.exe", ParentImage: C:\Users\user\Desktop\Zam.exe, ParentProcessId: 7276, ParentProcessName: Zam.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe", ProcessId: 7472, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Zam.exe", ParentImage: C:\Users\user\Desktop\Zam.exe, ParentProcessId: 7276, ParentProcessName: Zam.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp", ProcessId: 7568, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ymvnpo.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ymvnpo.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Zam.exe

Joe Sandbox ML: detected

Source: Zam.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Zam.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: protobuf-net.pdbSHA256}Lq source: RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Zam.exe	Code function: 4x nop then jmp 0EAB0C64h		0_2_0EAB035E
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 4x nop then jmp 0AB5F78Ch		10_2_0AB5EE86

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 193.34.212.17:33102

Source: unknown

DNS traffic detected: query: 87.228.1.0.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17
Source: unknown	TCP traffic detected without corresponding DNS query: 193.34.212.17

Source: global traffic

DNS traffic detected: DNS query: 87.228.1.0.in-addr.arpa

Source: Zam.exe, ymvnpo.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Zam.exe, ymvnpo.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Zam.exe, ymvnpo.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Zam.exe, 00000000.00000002.1711032371.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, ymvnpo.exe, 0000000A.00000002.1762213796.00000000029D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.0000000003350000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: RegSvcs.exe, 00000008.00000002.1769391679.0000000004198000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1833041222.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.0000000003350000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://icanhazip.com/
Source: RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.0000000003350000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/
Source: RegSvcs.exe, 00000008.00000002.1762289733.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id
Source: RegSvcs.exe, 00000008.00000002.1780538821.00000000076E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1780950450.0000000009BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1780950450.0000000008871000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1769391679.00000000042D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1833041222.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1833041222.0000000003896000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: RegSvcs.exe, 00000008.00000002.1780538821.00000000076E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1780950450.0000000009BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1782276200.000000000AB81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1780950450.0000000008871000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1769391679.00000000042D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1847929406.0000000006821000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1833041222.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1848405246.00000000079A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1850444088.0000000009CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1833041222.0000000003896000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2t
Source: Zam.exe, ymvnpo.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000008.00000002.1762289733.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privac
Source: RegSvcs.exe, 0000000D.00000002.1826323666.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1833041222.0000000003896000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: RegSvcs.exe, 00000008.00000002.1762289733.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B92310	0_2_00B92310
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90F98	0_2_00B90F98
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B9752C	0_2_00B9752C
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B92082	0_2_00B92082
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B92015	0_2_00B92015
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B92047	0_2_00B92047
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B921F7	0_2_00B921F7
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B9A698	0_2_00B9A698
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B908CF	0_2_00B908CF
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B909A9	0_2_00B909A9
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B909F5	0_2_00B909F5
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B909C9	0_2_00B909C9
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B9093C	0_2_00B9093C
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90914	0_2_00B90914
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90AE9	0_2_00B90AE9
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90BB5	0_2_00B90BB5
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90B41	0_2_00B90B41
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B92B40	0_2_00B92B40
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90CDC	0_2_00B90CDC
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90C1D	0_2_00B90C1D
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B92C58	0_2_00B92C58
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90DC1	0_2_00B90DC1
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90D05	0_2_00B90D05
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90D52	0_2_00B90D52
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90E95	0_2_00B90E95
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90EF0	0_2_00B90EF0
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B90E29	0_2_00B90E29
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B916B8	0_2_00B916B8
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B916A8	0_2_00B916A8
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B93790	0_2_00B93790
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B93780	0_2_00B93780
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B91B47	0_2_00B91B47
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B91C59	0_2_00B91C59
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B91DAB	0_2_00B91DAB
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B91D36	0_2_00B91D36
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_00B91F01	0_2_00B91F01
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_09562106	0_2_09562106
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_09562DD8	0_2_09562DD8
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_09856D00	0_2_09856D00
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_098528D8	0_2_098528D8
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_098528E8	0_2_098528E8
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_0985B840	0_2_0985B840
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_09859D30	0_2_09859D30
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_09856CF2	0_2_09856CF2
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_0985C1F0	0_2_0985C1F0
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_0985A168	0_2_0985A168
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_09850012	0_2_09850012
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_09850040	0_2_09850040
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_0985A5A0	0_2_0985A5A0
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_0EAB0040	0_2_0EAB0040
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_0EAB21F0	0_2_0EAB21F0
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_0EAB003E	0_2_0EAB003E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F11E40	8_2_02F11E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F1DD08	8_2_02F1DD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F13EE8	8_2_02F13EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F12E9E	8_2_02F12E9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F1223B	8_2_02F1223B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F12211	8_2_02F12211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F14A00	8_2_02F14A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F143E9	8_2_02F143E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F11BB8	8_2_02F11BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F11BA8	8_2_02F11BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F15360	8_2_02F15360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F15352	8_2_02F15352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F121FD	8_2_02F121FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F121D1	8_2_02F121D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F121BC	8_2_02F121BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F11E40	8_2_02F11E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_02F12D6B	8_2_02F12D6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_055D2B68	8_2_055D2B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_055D2B47	8_2_055D2B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0566D5D8	8_2_0566D5D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05668F40	8_2_05668F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0566098D	8_2_0566098D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0566CDF8	8_2_0566CDF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0566D5C8	8_2_0566D5C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0566D744	8_2_0566D744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05668F30	8_2_05668F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0566CE08	8_2_0566CE08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0568B610	8_2_0568B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05687D7B	8_2_05687D7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05685FF8	8_2_05685FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0568BB60	8_2_0568BB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0568DBF0	8_2_0568DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0568B5FF	8_2_0568B5FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0568BB4F	8_2_0568BB4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0568BB30	8_2_0568BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0568DBE0	8_2_0568DBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05A87B3F	8_2_05A87B3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05A87E77	8_2_05A87E77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05A88BE8	8_2_05A88BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C6B5B8	8_2_05C6B5B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C6E467	8_2_05C6E467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C68160	8_2_05C68160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C68386	8_2_05C68386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C6EE60	8_2_05C6EE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C6A9A0	8_2_05C6A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C6E4C2	8_2_05C6E4C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C6E72B	8_2_05C6E72B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C68150	8_2_05C68150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C6836E	8_2_05C6836E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C682CF	8_2_05C682CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C67298	8_2_05C67298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C672A8	8_2_05C672A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C6ACE8	8_2_05C6ACE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C6EE50	8_2_05C6EE50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0612C158	8_2_0612C158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_062A09C8	8_2_062A09C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_062A38D8	8_2_062A38D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_062A25EF	8_2_062A25EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_062A25F0	8_2_062A25F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_062A8C37	8_2_062A8C37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_062A8C48	8_2_062A8C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_062A09B8	8_2_062A09B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07340006	8_2_07340006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0734007E	8_2_0734007E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07340040	8_2_07340040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07340093	8_2_07340093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0734B888	8_2_0734B888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_073434E5	8_2_073434E5
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_00E22310	10_2_00E22310
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_00E20F98	10_2_00E20F98
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_00E2752C	10_2_00E2752C
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_00E2A698	10_2_00E2A698
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_00E22C48	10_2_00E22C48
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_00E22C58	10_2_00E22C58
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_00E23780	10_2_00E23780
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_00E23790	10_2_00E23790
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_06F60778	10_2_06F60778
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_09100040	10_2_09100040
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_09102DD8	10_2_09102DD8
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB5EB66	10_2_0AB5EB66
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB56CF2	10_2_0AB56CF2
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB528E8	10_2_0AB528E8
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB528D8	10_2_0AB528D8
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB5B9C0	10_2_0AB5B9C0
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB59E90	10_2_0AB59E90
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB5A2E8	10_2_0AB5A2E8
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB5C370	10_2_0AB5C370
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB50006	10_2_0AB50006
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB50040	10_2_0AB50040
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB5A720	10_2_0AB5A720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A1DD08	13_2_00A1DD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A11E40	13_2_00A11E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A11E40	13_2_00A11E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A121BC	13_2_00A121BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A121FD	13_2_00A121FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A121D1	13_2_00A121D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A1223B	13_2_00A1223B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A14A00	13_2_00A14A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A12211	13_2_00A12211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A11BA8	13_2_00A11BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A11BB8	13_2_00A11BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A143E9	13_2_00A143E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A15360	13_2_00A15360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A15351	13_2_00A15351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A12D6B	13_2_00A12D6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A12E9E	13_2_00A12E9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00A13EE8	13_2_00A13EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_048E2B68	13_2_048E2B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_048E2B4D	13_2_048E2B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04AED5D8	13_2_04AED5D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04AE8F40	13_2_04AE8F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04AE098D	13_2_04AE098D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04AE34E0	13_2_04AE34E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04AECDF8	13_2_04AECDF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04AED5C8	13_2_04AED5C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04AECE08	13_2_04AECE08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04AE8F30	13_2_04AE8F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04AED744	13_2_04AED744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04BFB610	13_2_04BFB610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04BF5DB8	13_2_04BF5DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04BF7D7B	13_2_04BF7D7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04BFDBF0	13_2_04BFDBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04BFBB60	13_2_04BFBB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04BFB5E0	13_2_04BFB5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04BFDBE0	13_2_04BFDBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04BFBB4F	13_2_04BFBB4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5AFC8	13_2_04C5AFC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C57B3F	13_2_04C57B3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C504F9	13_2_04C504F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5148D	13_2_04C5148D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5045A	13_2_04C5045A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5342D	13_2_04C5342D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C52586	13_2_04C52586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5058D	13_2_04C5058D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5055C	13_2_04C5055C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C51562	13_2_04C51562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C506D8	13_2_04C506D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C516F1	13_2_04C516F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50649	13_2_04C50649
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C51649	13_2_04C51649
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50618	13_2_04C50618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C527CF	13_2_04C527CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5279C	13_2_04C5279C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5074D	13_2_04C5074D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5275E	13_2_04C5275E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50083	13_2_04C50083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C500A0	13_2_04C500A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C500BD	13_2_04C500BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5306A	13_2_04C5306A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5303B	13_2_04C5303B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5103A	13_2_04C5103A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C511C2	13_2_04C511C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C52190	13_2_04C52190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C501AA	13_2_04C501AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C51124	13_2_04C51124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C502DE	13_2_04C502DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C51200	13_2_04C51200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5023D	13_2_04C5023D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C523D8	13_2_04C523D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C51345	13_2_04C51345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50CF0	13_2_04C50CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C52C78	13_2_04C52C78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50D70	13_2_04C50D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50D1F	13_2_04C50D1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C52E48	13_2_04C52E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C57E77	13_2_04C57E77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50F0E	13_2_04C50F0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C509D7	13_2_04C509D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C519DF	13_2_04C519DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C52980	13_2_04C52980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C529B1	13_2_04C529B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C5293E	13_2_04C5293E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50A89	13_2_04C50A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50ABA	13_2_04C50ABA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C52A46	13_2_04C52A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50A5A	13_2_04C50A5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C51A6E	13_2_04C51A6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C52A04	13_2_04C52A04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C58BE8	13_2_04C58BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50BE8	13_2_04C50BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C51B8F	13_2_04C51B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C50B97	13_2_04C50B97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C51B5E	13_2_04C51B5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04C51B2D	13_2_04C51B2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05369510	13_2_05369510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05360418	13_2_05360418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05364CB8	13_2_05364CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05362F30	13_2_05362F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0536C321	13_2_0536C321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05360505	13_2_05360505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05369500	13_2_05369500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05364D59	13_2_05364D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05360408	13_2_05360408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05360418	13_2_05360418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05364C95	13_2_05364C95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05362F20	13_2_05362F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0536AF98	13_2_0536AF98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0536AF89	13_2_0536AF89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05362FE4	13_2_05362FE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05366810	13_2_05366810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05366870	13_2_05366870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_053688B0	13_2_053688B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05366880	13_2_05366880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_053688C0	13_2_053688C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055BB5B8	13_2_055BB5B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055BE4C3	13_2_055BE4C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055B8160	13_2_055B8160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055B8386	13_2_055B8386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055BEE60	13_2_055BEE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055BA9A0	13_2_055BA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055BE72B	13_2_055BE72B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055B8150	13_2_055B8150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055B836E	13_2_055B836E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055B82E6	13_2_055B82E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055B7298	13_2_055B7298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055B72A8	13_2_055B72A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055BACE8	13_2_055BACE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055BEE50	13_2_055BEE50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0572B7B0	13_2_0572B7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05721560	13_2_05721560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05721553	13_2_05721553
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05721512	13_2_05721512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_057215B3	13_2_057215B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0572159E	13_2_0572159E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05724A05	13_2_05724A05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_058FC158	13_2_058FC158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC77A0	13_2_05AC77A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC7771	13_2_05AC7771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC1998	13_2_05AC1998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC2BC0	13_2_05AC2BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC55DE	13_2_05AC55DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05ACC408	13_2_05ACC408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC7C01	13_2_05AC7C01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC7787	13_2_05AC7787
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC564B	13_2_05AC564B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC2E57	13_2_05AC2E57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC1988	13_2_05AC1988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC2130	13_2_05AC2130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05ACC900	13_2_05ACC900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05ACC910	13_2_05ACC910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC7080	13_2_05AC7080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC7090	13_2_05AC7090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05ACC8D0	13_2_05ACC8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC2BB1	13_2_05AC2BB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC7BF8	13_2_05AC7BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC5377	13_2_05AC5377
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AC1A76	13_2_05AC1A76

Source: Zam.exe

Static PE information: invalid certificate

Source: Zam.exe, 00000000.00000002.1719166232.000000000AFC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Zam.exe
Source: Zam.exe, 00000000.00000002.1708600813.000000000090E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Zam.exe
Source: Zam.exe, 00000000.00000002.1711032371.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Zam.exe
Source: Zam.exe, 00000000.00000002.1717030586.0000000007480000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Zam.exe
Source: Zam.exe, 00000000.00000002.1711032371.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTqgcnlea.exe" vs Zam.exe
Source: Zam.exe, 00000000.00000000.1650781119.000000000033E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameKbjw.exe. vs Zam.exe
Source: Zam.exe, 00000000.00000002.1712662630.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Zam.exe
Source: Zam.exe	Binary or memory string: OriginalFilenameKbjw.exe. vs Zam.exe

Source: Zam.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Zam.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ymvnpo.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Zam.exe.3fd24e8.5.raw.unpack, kAOj1Y7pfP90kycNNw.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Zam.exe.44f07e0.1.raw.unpack, Account.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Zam.exe.44f07e0.1.raw.unpack, Account.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Zam.exe.44f07e0.1.raw.unpack, WriterSerializer.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Zam.exe.7480000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Zam.exe.4485bc0.2.raw.unpack, Account.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Zam.exe.4485bc0.2.raw.unpack, Account.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Zam.exe.4485bc0.2.raw.unpack, WriterSerializer.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, BUkgCv8TQ7YM2fhUbnA.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, BUkgCv8TQ7YM2fhUbnA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, BUkgCv8TQ7YM2fhUbnA.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Zam.exe.43759f8.3.raw.unpack, al4FnQHweJoDiNvuPf.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, al4FnQHweJoDiNvuPf.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, al4FnQHweJoDiNvuPf.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, thgqr2F4HhNlxExjYJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, thgqr2F4HhNlxExjYJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, al4FnQHweJoDiNvuPf.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, al4FnQHweJoDiNvuPf.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, al4FnQHweJoDiNvuPf.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, al4FnQHweJoDiNvuPf.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, al4FnQHweJoDiNvuPf.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, al4FnQHweJoDiNvuPf.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, thgqr2F4HhNlxExjYJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/16@2/1

Source: C:\Users\user\Desktop\Zam.exe

File created: C:\Users\user\AppData\Roaming\ymvnpo.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\64a995522cec8326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Mutant created: \Sessions\1\BaseNamedObjects\WZqgJDYQDSAJe
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03

Source: C:\Users\user\Desktop\Zam.exe

File created: C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp

Jump to behavior

Source: Zam.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Zam.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Zam.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Zam.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003546000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\Zam.exe

File read: C:\Users\user\Desktop\Zam.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Zam.exe "C:\Users\user\Desktop\Zam.exe"
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ymvnpo.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ymvnpo.exe C:\Users\user\AppData\Roaming\ymvnpo.exe
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpD037.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ymvnpo.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpD037.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Zam.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\Zam.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Zam.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Zam.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Zam.exe

Static file information: File size 1052680 > 1048576

Source: Zam.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: protobuf-net.pdbSHA256}Lq source: RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Zam.exe.3fd24e8.5.raw.unpack, kAOj1Y7pfP90kycNNw.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Zam.exe.44f07e0.1.raw.unpack, Account.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Zam.exe.7480000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Zam.exe.4485bc0.2.raw.unpack, Account.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, sga1JWgPmYSTxXVSxen.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.Zam.exe.43759f8.3.raw.unpack, al4FnQHweJoDiNvuPf.cs	.Net Code: pXUaeRRmqA System.Reflection.Assembly.Load(byte[])
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, al4FnQHweJoDiNvuPf.cs	.Net Code: pXUaeRRmqA System.Reflection.Assembly.Load(byte[])
Source: 0.2.Zam.exe.3fd24e8.5.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.Zam.exe.44f07e0.1.raw.unpack, WriterSerializer.cs	.Net Code: PatchConnection System.AppDomain.Load(byte[])
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, al4FnQHweJoDiNvuPf.cs	.Net Code: pXUaeRRmqA System.Reflection.Assembly.Load(byte[])
Source: 0.2.Zam.exe.7480000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.Zam.exe.4485bc0.2.raw.unpack, WriterSerializer.cs	.Net Code: PatchConnection System.AppDomain.Load(byte[])
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, weSArHJy04VrUk5WcT.cs	.Net Code: dCy31m67RGYrYtmCjfU System.AppDomain.Load(byte[])
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, rwHfjZ7I5kDCaWiF6hZ.cs	.Net Code: zW3V9to6MY

Yara detected Costura Assembly Loader

Source: Yara match	File source: 8.2.RegSvcs.exe.5740000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1773823325.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1762289733.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8144, type: MEMORYSTR

Source: Zam.exe

Static PE information: 0xD6E15B1F [Tue Mar 28 14:45:51 2084 UTC]

Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_095648E0 push esi; ret	0_2_0956490B
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_098591FA push esp; ret	0_2_09859201
Source: C:\Users\user\Desktop\Zam.exe	Code function: 0_2_09852640 pushfd ; retf	0_2_098526AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_055D225F pushad ; ret	8_2_055D2279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C64534 pushfd ; ret	8_2_05C64535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C62363 pushad ; ret	8_2_05C62371
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05C62373 push esp; ret	8_2_05C62381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_062ADC80 push es; retf 0005h	8_2_062ADCBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_062ADCEF push es; retf 0005h	8_2_062ADCBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_062AFBE0 push ds; retf 0005h	8_2_062AFBEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_062E2618 pushfd ; ret	8_2_062E2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_07342A76 push FFFFFFB9h; iretd	8_2_07342A79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0734426F push edx; retf	8_2_07344270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0734428E push FFFFFFB9h; iretd	8_2_07344295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_073440EB push FFFFFFB8h; iretd	8_2_073440F2
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Code function: 10_2_0AB526A8 pushfd ; retf	10_2_0AB526AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_04AEFC65 push edi; retf 0016h	13_2_04AEFC66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0536A492 push 8B034E48h; retf	13_2_0536A497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05367135 push ds; ret	13_2_0536713F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055B4534 pushfd ; ret	13_2_055B4535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055B2372 push esp; ret	13_2_055B2381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_055B236B pushad ; ret	13_2_055B2371
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_057261CE push ss; iretd	13_2_057261CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05723CA4 push es; retf	13_2_05723CAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0572432A push es; retf	13_2_05724333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_0572578F push edx; retf	13_2_05725790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05723A09 push ebx; retn 001Dh	13_2_05723A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_05AB2618 pushfd ; ret	13_2_05AB2619

Source: Zam.exe	Static PE information: section name: .text entropy: 7.821132747291478
Source: ymvnpo.exe.0.dr	Static PE information: section name: .text entropy: 7.821132747291478

Source: 0.2.Zam.exe.43759f8.3.raw.unpack, h0OmdYddhCHglRs5Cm8.cs	High entropy of concatenated method names: 'kP5MKKy9c7', 'NSbMzf2B1m', 'xDd1ivpcle', 'bHb1dZddL4', 'NTv1wXLCsg', 'Uuf12VleXJ', 'vZ71aQOt1S', 'TAR1GwUqZR', 'y071LVXlh8', 'Ofv1k7tlsW'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, lYc8ftKTv3DSgVqquA.cs	High entropy of concatenated method names: 'Ad3MZR9MSc', 'ai4MEaF06F', 'nPtMOHikA6', 'wdVMQJ7nva', 'EvxMjFrCBS', 'PV4MH60fcX', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, m1uGt5apEyH1foiiZM.cs	High entropy of concatenated method names: 'w11dQhgqr2', 'OHhdHNlxEx', 'x3vdDLthlJ', 'mwPd5Uv1A4', 'FWpdrlFhji', 'g7nd3TZNaG', 'ffOB59gyKXjZg2mrxm', 'aIsAs6GGWnMt3aoNmB', 'fqkddr2G5J', 'c4Zd2hkyi9'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, IT6Gt9hJQWgRRkvMum.cs	High entropy of concatenated method names: 'S8jc3dAeHmwP3OONip7', 'GlCyl1AcHQY5ShWGdBK', 'mMgORSuHt3', 'zEPOj6JfpV', 'WKdOM7vucf', 'nCNPOsA4GsDqkFJCBkM', 'OcLSbyA3VBJaJb0XDJ2'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, thgqr2F4HhNlxExjYJ.cs	High entropy of concatenated method names: 'cTJkumRidP', 'esOkVnA5HF', 'r75k0H5otq', 'wIPklJBmj1', 'bxykfiWZ3Z', 'pyvkNerCZk', 'yvDksDdMsn', 'sDSkWC0AIc', 'QQ6kI8njF5', 'S5vkKpw4EI'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, tV7YIDNBl6HBcRY0Uj.cs	High entropy of concatenated method names: 'Ag87WAoa5y', 'xml7KVYMg1', 'e38RiL2Bjm', 'P0DRdXsKUB', 'jF974y8n36', 'hup7qPrC8o', 'kuZ7gQZX2U', 'Cln7uRWLdN', 'Ih37V6jloc', 'wjr700p7IP'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, sYbQ88ZMT0rI85smWx.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YMuwIKw0RN', 'OcrwKXvla6', 'hIxwzy7wyE', 'gS62iO8Mhw', 'QgH2dYwRo2', 'vu92wfDyQA', 'cvA22qNOFR', 'gL3id2UfSaDpXOKKtNW'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, al4FnQHweJoDiNvuPf.cs	High entropy of concatenated method names: 'WHP2G6cA7c', 'RRg2LsoAig', 'MH22kvX7Ti', 'fAy2ZjPZHs', 'LSq2EhuIX3', 'Toh2O7Vn8E', 'yJR2Q6ZbCD', 'Bx52H8BLtY', 'Ns728hr1lC', 'z4f2D13fvh'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, utrAtfuwlkTrpi4R7P.cs	High entropy of concatenated method names: 'mG2rT5F9kk', 'lgqrqaNo3D', 'PZRruB8o8D', 'VsnrVqx6ND', 'qKSrhE3DFQ', 'xmhrpeWbAQ', 'o3VrUhhxvp', 'gWQr9BZary', 'VBOrxF4Q8C', 'F2yrnnArsR'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, rFkWWSAHvaxDPnRGLA.cs	High entropy of concatenated method names: 'NQLQPKLPcJ', 'HIaQ6Gu3Uc', 'OQKQevLqyj', 'HqHQBXRXEJ', 'RjZQJYZxye', 'fvCQXhxkj7', 'plbQCtgHuT', 'O1RQFkSQkO', 'RCrQo5V47u', 'L8AQynP25T'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, z0aJREkb2yKVvkhg2H.cs	High entropy of concatenated method names: 'Dispose', 'CK8dIjvMPi', 'DZ7whwL3UE', 'Oyq7evV9GO', 'HCKdK3Dk9j', 'uv2dz1CB2M', 'ProcessDialogKey', 'MMvwiF5nMr', 'mKqwdT39dd', 'Yfcww8Yc8f'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, B8yCVLzlX9uU5aScff.cs	High entropy of concatenated method names: 'BWmMX4cKMm', 'Ok0MF8MCGF', 'jtvMoeDCU0', 'SqQMcmVuFA', 'hKwMhjgnts', 'wpVMUQsmjG', 'kdGM9eZs9I', 'SwwMt1qF4B', 't1UMPCmh06', 'mZCM6Wjvlq'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, BQfbpEdwomc7Ptr6ZYm.cs	High entropy of concatenated method names: 'ToString', 'kGG1FLKcCQ', 'LTM1ovOc2o', 'd9b1yFx6hW', 'pYy1c7idmW', 'IdV1hdlfC3', 'ydj1pZv2Ti', 'UkH1UPAyJc', 'LDQvrVJzwyALWErKS2a', 'xk3HuJtSfKmMia4MGYB'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, vF5nMrI5KqT39ddKfc.cs	High entropy of concatenated method names: 'LhYjcXUBcK', 'uCljhtISw0', 'vuGjpf5tdm', 'tn7jUcQ3xq', 'jnCj9AMp8O', 'L0KjxY3UVM', 'e9fjnnEKGU', 'uawjm0dBQx', 'rQmjAh11wQ', 'dMejThCWVv'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, zu3vJJsVrCK8jvMPip.cs	High entropy of concatenated method names: 'IdAjrD0S2F', 'hOvj7ZQoSX', 'YB4jj83lic', 'pGRj1UaE4H', 'JpRjvmrsg9', 'FG6jtm9lWt', 'Dispose', 'OFZRLpjRRV', 'sHsRkeJJff', 'zKDRZrIHhN'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, b8jDTRdicoAQnKpZnQo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ACLM4t8J3d', 'KLXMqemCcC', 'slsMgD6nkS', 'BWGMuLOImx', 'uLFMVYtHBP', 'R5FM0lQjwC', 'u5fMlIQQwB'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, DkH8lllbDJIeQXNQTG.cs	High entropy of concatenated method names: 'Gtx7Dvw5RB', 'C3s75p5mA1', 'ToString', 'oCP7LXAWwF', 'M367kiBGd0', 'wnF7ZrEags', 'MxJ7EbQea2', 'vQh7OJcjc9', 'c1r7Q1LZaH', 'OmC7HKYmso'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, xuF2QPo3vLthlJ5wPU.cs	High entropy of concatenated method names: 'OCKZBtVF7w', 'AjCZXu4tQU', 'BOIZF20Mpp', 'bpjZoWanFX', 'KJ0ZrBE0J4', 'OUEZ3JvDq1', 'EpaZ7bMDmd', 'yX2ZRLLRUX', 'Ia5ZjvbF1Y', 'd00ZMuMmp6'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, v1A4uiy6xfhcpyWplF.cs	High entropy of concatenated method names: 'VF1EJSOKch', 'bpnECw0eB1', 'SlFZpIi9LJ', 'RgjZUCq7Am', 'L6eZ9ZBbrS', 'WjJZxGjadw', 'xFKZnYidKA', 'xK9Zm8nhgR', 'ROFZAXwxSZ', 'QgiZT4IaCT'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, UNbOwrwU244hwPETiV.cs	High entropy of concatenated method names: 'dHFeOumhi', 'npnBWKbep', 'g5OXoOduN', 'O0PCsZwgm', 'kl2oIjv3M', 'rqlyJxw8H', 'ROW5fgC2Nuoh3f2wM9', 'Tj63rPVBKUcdO65xnu', 'xQsSdAvkJ4UKI1fbc0', 'cKdRgJJ5b'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, q0vDNXdaSrbd8RQcLoE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kDgbjHLdaa', 'oHgbM2egia', 'fAyb1XQpTn', 'tG2bbE2a87', 'POTbv2HujQ', 'vvkbYJgkjD', 'tcubtsex3D'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, Hjik7ncTZNaG5QOA6M.cs	High entropy of concatenated method names: 'ClEOG1iCde', 'TgnOk1XOYv', 'RL3OE2q4Ho', 'vI0OQTfxd0', 'yqwOHQnOuv', 'MbrEfPTa1p', 'MTOENtpx7H', 'E7CEspB2se', 'J1EEW30xx2', 'YZNEIjeEvT'
Source: 0.2.Zam.exe.43759f8.3.raw.unpack, q5sPmCgHa5QSAdGBY6.cs	High entropy of concatenated method names: 'TXlSFW8Alo', 'BvaSoN0t6V', 'ufDScWIjjv', 'XpHShuKcsa', 'RaiSUuYLYT', 'dvJS9bGVtR', 'NdlSnoUDqn', 'ag5SmHP73G', 'zCfSTZxm5M', 'IBFS4DRDmd'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, h0OmdYddhCHglRs5Cm8.cs	High entropy of concatenated method names: 'kP5MKKy9c7', 'NSbMzf2B1m', 'xDd1ivpcle', 'bHb1dZddL4', 'NTv1wXLCsg', 'Uuf12VleXJ', 'vZ71aQOt1S', 'TAR1GwUqZR', 'y071LVXlh8', 'Ofv1k7tlsW'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, lYc8ftKTv3DSgVqquA.cs	High entropy of concatenated method names: 'Ad3MZR9MSc', 'ai4MEaF06F', 'nPtMOHikA6', 'wdVMQJ7nva', 'EvxMjFrCBS', 'PV4MH60fcX', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, m1uGt5apEyH1foiiZM.cs	High entropy of concatenated method names: 'w11dQhgqr2', 'OHhdHNlxEx', 'x3vdDLthlJ', 'mwPd5Uv1A4', 'FWpdrlFhji', 'g7nd3TZNaG', 'ffOB59gyKXjZg2mrxm', 'aIsAs6GGWnMt3aoNmB', 'fqkddr2G5J', 'c4Zd2hkyi9'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, IT6Gt9hJQWgRRkvMum.cs	High entropy of concatenated method names: 'S8jc3dAeHmwP3OONip7', 'GlCyl1AcHQY5ShWGdBK', 'mMgORSuHt3', 'zEPOj6JfpV', 'WKdOM7vucf', 'nCNPOsA4GsDqkFJCBkM', 'OcLSbyA3VBJaJb0XDJ2'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, thgqr2F4HhNlxExjYJ.cs	High entropy of concatenated method names: 'cTJkumRidP', 'esOkVnA5HF', 'r75k0H5otq', 'wIPklJBmj1', 'bxykfiWZ3Z', 'pyvkNerCZk', 'yvDksDdMsn', 'sDSkWC0AIc', 'QQ6kI8njF5', 'S5vkKpw4EI'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, tV7YIDNBl6HBcRY0Uj.cs	High entropy of concatenated method names: 'Ag87WAoa5y', 'xml7KVYMg1', 'e38RiL2Bjm', 'P0DRdXsKUB', 'jF974y8n36', 'hup7qPrC8o', 'kuZ7gQZX2U', 'Cln7uRWLdN', 'Ih37V6jloc', 'wjr700p7IP'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, sYbQ88ZMT0rI85smWx.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YMuwIKw0RN', 'OcrwKXvla6', 'hIxwzy7wyE', 'gS62iO8Mhw', 'QgH2dYwRo2', 'vu92wfDyQA', 'cvA22qNOFR', 'gL3id2UfSaDpXOKKtNW'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, al4FnQHweJoDiNvuPf.cs	High entropy of concatenated method names: 'WHP2G6cA7c', 'RRg2LsoAig', 'MH22kvX7Ti', 'fAy2ZjPZHs', 'LSq2EhuIX3', 'Toh2O7Vn8E', 'yJR2Q6ZbCD', 'Bx52H8BLtY', 'Ns728hr1lC', 'z4f2D13fvh'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, utrAtfuwlkTrpi4R7P.cs	High entropy of concatenated method names: 'mG2rT5F9kk', 'lgqrqaNo3D', 'PZRruB8o8D', 'VsnrVqx6ND', 'qKSrhE3DFQ', 'xmhrpeWbAQ', 'o3VrUhhxvp', 'gWQr9BZary', 'VBOrxF4Q8C', 'F2yrnnArsR'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, rFkWWSAHvaxDPnRGLA.cs	High entropy of concatenated method names: 'NQLQPKLPcJ', 'HIaQ6Gu3Uc', 'OQKQevLqyj', 'HqHQBXRXEJ', 'RjZQJYZxye', 'fvCQXhxkj7', 'plbQCtgHuT', 'O1RQFkSQkO', 'RCrQo5V47u', 'L8AQynP25T'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, z0aJREkb2yKVvkhg2H.cs	High entropy of concatenated method names: 'Dispose', 'CK8dIjvMPi', 'DZ7whwL3UE', 'Oyq7evV9GO', 'HCKdK3Dk9j', 'uv2dz1CB2M', 'ProcessDialogKey', 'MMvwiF5nMr', 'mKqwdT39dd', 'Yfcww8Yc8f'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, B8yCVLzlX9uU5aScff.cs	High entropy of concatenated method names: 'BWmMX4cKMm', 'Ok0MF8MCGF', 'jtvMoeDCU0', 'SqQMcmVuFA', 'hKwMhjgnts', 'wpVMUQsmjG', 'kdGM9eZs9I', 'SwwMt1qF4B', 't1UMPCmh06', 'mZCM6Wjvlq'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, BQfbpEdwomc7Ptr6ZYm.cs	High entropy of concatenated method names: 'ToString', 'kGG1FLKcCQ', 'LTM1ovOc2o', 'd9b1yFx6hW', 'pYy1c7idmW', 'IdV1hdlfC3', 'ydj1pZv2Ti', 'UkH1UPAyJc', 'LDQvrVJzwyALWErKS2a', 'xk3HuJtSfKmMia4MGYB'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, vF5nMrI5KqT39ddKfc.cs	High entropy of concatenated method names: 'LhYjcXUBcK', 'uCljhtISw0', 'vuGjpf5tdm', 'tn7jUcQ3xq', 'jnCj9AMp8O', 'L0KjxY3UVM', 'e9fjnnEKGU', 'uawjm0dBQx', 'rQmjAh11wQ', 'dMejThCWVv'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, zu3vJJsVrCK8jvMPip.cs	High entropy of concatenated method names: 'IdAjrD0S2F', 'hOvj7ZQoSX', 'YB4jj83lic', 'pGRj1UaE4H', 'JpRjvmrsg9', 'FG6jtm9lWt', 'Dispose', 'OFZRLpjRRV', 'sHsRkeJJff', 'zKDRZrIHhN'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, b8jDTRdicoAQnKpZnQo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ACLM4t8J3d', 'KLXMqemCcC', 'slsMgD6nkS', 'BWGMuLOImx', 'uLFMVYtHBP', 'R5FM0lQjwC', 'u5fMlIQQwB'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, DkH8lllbDJIeQXNQTG.cs	High entropy of concatenated method names: 'Gtx7Dvw5RB', 'C3s75p5mA1', 'ToString', 'oCP7LXAWwF', 'M367kiBGd0', 'wnF7ZrEags', 'MxJ7EbQea2', 'vQh7OJcjc9', 'c1r7Q1LZaH', 'OmC7HKYmso'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, xuF2QPo3vLthlJ5wPU.cs	High entropy of concatenated method names: 'OCKZBtVF7w', 'AjCZXu4tQU', 'BOIZF20Mpp', 'bpjZoWanFX', 'KJ0ZrBE0J4', 'OUEZ3JvDq1', 'EpaZ7bMDmd', 'yX2ZRLLRUX', 'Ia5ZjvbF1Y', 'd00ZMuMmp6'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, v1A4uiy6xfhcpyWplF.cs	High entropy of concatenated method names: 'VF1EJSOKch', 'bpnECw0eB1', 'SlFZpIi9LJ', 'RgjZUCq7Am', 'L6eZ9ZBbrS', 'WjJZxGjadw', 'xFKZnYidKA', 'xK9Zm8nhgR', 'ROFZAXwxSZ', 'QgiZT4IaCT'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, UNbOwrwU244hwPETiV.cs	High entropy of concatenated method names: 'dHFeOumhi', 'npnBWKbep', 'g5OXoOduN', 'O0PCsZwgm', 'kl2oIjv3M', 'rqlyJxw8H', 'ROW5fgC2Nuoh3f2wM9', 'Tj63rPVBKUcdO65xnu', 'xQsSdAvkJ4UKI1fbc0', 'cKdRgJJ5b'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, q0vDNXdaSrbd8RQcLoE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kDgbjHLdaa', 'oHgbM2egia', 'fAyb1XQpTn', 'tG2bbE2a87', 'POTbv2HujQ', 'vvkbYJgkjD', 'tcubtsex3D'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, Hjik7ncTZNaG5QOA6M.cs	High entropy of concatenated method names: 'ClEOG1iCde', 'TgnOk1XOYv', 'RL3OE2q4Ho', 'vI0OQTfxd0', 'yqwOHQnOuv', 'MbrEfPTa1p', 'MTOENtpx7H', 'E7CEspB2se', 'J1EEW30xx2', 'YZNEIjeEvT'
Source: 0.2.Zam.exe.42c69d8.4.raw.unpack, q5sPmCgHa5QSAdGBY6.cs	High entropy of concatenated method names: 'TXlSFW8Alo', 'BvaSoN0t6V', 'ufDScWIjjv', 'XpHShuKcsa', 'RaiSUuYLYT', 'dvJS9bGVtR', 'NdlSnoUDqn', 'ag5SmHP73G', 'zCfSTZxm5M', 'IBFS4DRDmd'
Source: 0.2.Zam.exe.3fd24e8.5.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.Zam.exe.3fd24e8.5.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.Zam.exe.3fd24e8.5.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, h0OmdYddhCHglRs5Cm8.cs	High entropy of concatenated method names: 'kP5MKKy9c7', 'NSbMzf2B1m', 'xDd1ivpcle', 'bHb1dZddL4', 'NTv1wXLCsg', 'Uuf12VleXJ', 'vZ71aQOt1S', 'TAR1GwUqZR', 'y071LVXlh8', 'Ofv1k7tlsW'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, lYc8ftKTv3DSgVqquA.cs	High entropy of concatenated method names: 'Ad3MZR9MSc', 'ai4MEaF06F', 'nPtMOHikA6', 'wdVMQJ7nva', 'EvxMjFrCBS', 'PV4MH60fcX', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, m1uGt5apEyH1foiiZM.cs	High entropy of concatenated method names: 'w11dQhgqr2', 'OHhdHNlxEx', 'x3vdDLthlJ', 'mwPd5Uv1A4', 'FWpdrlFhji', 'g7nd3TZNaG', 'ffOB59gyKXjZg2mrxm', 'aIsAs6GGWnMt3aoNmB', 'fqkddr2G5J', 'c4Zd2hkyi9'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, IT6Gt9hJQWgRRkvMum.cs	High entropy of concatenated method names: 'S8jc3dAeHmwP3OONip7', 'GlCyl1AcHQY5ShWGdBK', 'mMgORSuHt3', 'zEPOj6JfpV', 'WKdOM7vucf', 'nCNPOsA4GsDqkFJCBkM', 'OcLSbyA3VBJaJb0XDJ2'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, thgqr2F4HhNlxExjYJ.cs	High entropy of concatenated method names: 'cTJkumRidP', 'esOkVnA5HF', 'r75k0H5otq', 'wIPklJBmj1', 'bxykfiWZ3Z', 'pyvkNerCZk', 'yvDksDdMsn', 'sDSkWC0AIc', 'QQ6kI8njF5', 'S5vkKpw4EI'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, tV7YIDNBl6HBcRY0Uj.cs	High entropy of concatenated method names: 'Ag87WAoa5y', 'xml7KVYMg1', 'e38RiL2Bjm', 'P0DRdXsKUB', 'jF974y8n36', 'hup7qPrC8o', 'kuZ7gQZX2U', 'Cln7uRWLdN', 'Ih37V6jloc', 'wjr700p7IP'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, sYbQ88ZMT0rI85smWx.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YMuwIKw0RN', 'OcrwKXvla6', 'hIxwzy7wyE', 'gS62iO8Mhw', 'QgH2dYwRo2', 'vu92wfDyQA', 'cvA22qNOFR', 'gL3id2UfSaDpXOKKtNW'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, al4FnQHweJoDiNvuPf.cs	High entropy of concatenated method names: 'WHP2G6cA7c', 'RRg2LsoAig', 'MH22kvX7Ti', 'fAy2ZjPZHs', 'LSq2EhuIX3', 'Toh2O7Vn8E', 'yJR2Q6ZbCD', 'Bx52H8BLtY', 'Ns728hr1lC', 'z4f2D13fvh'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, utrAtfuwlkTrpi4R7P.cs	High entropy of concatenated method names: 'mG2rT5F9kk', 'lgqrqaNo3D', 'PZRruB8o8D', 'VsnrVqx6ND', 'qKSrhE3DFQ', 'xmhrpeWbAQ', 'o3VrUhhxvp', 'gWQr9BZary', 'VBOrxF4Q8C', 'F2yrnnArsR'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, rFkWWSAHvaxDPnRGLA.cs	High entropy of concatenated method names: 'NQLQPKLPcJ', 'HIaQ6Gu3Uc', 'OQKQevLqyj', 'HqHQBXRXEJ', 'RjZQJYZxye', 'fvCQXhxkj7', 'plbQCtgHuT', 'O1RQFkSQkO', 'RCrQo5V47u', 'L8AQynP25T'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, z0aJREkb2yKVvkhg2H.cs	High entropy of concatenated method names: 'Dispose', 'CK8dIjvMPi', 'DZ7whwL3UE', 'Oyq7evV9GO', 'HCKdK3Dk9j', 'uv2dz1CB2M', 'ProcessDialogKey', 'MMvwiF5nMr', 'mKqwdT39dd', 'Yfcww8Yc8f'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, B8yCVLzlX9uU5aScff.cs	High entropy of concatenated method names: 'BWmMX4cKMm', 'Ok0MF8MCGF', 'jtvMoeDCU0', 'SqQMcmVuFA', 'hKwMhjgnts', 'wpVMUQsmjG', 'kdGM9eZs9I', 'SwwMt1qF4B', 't1UMPCmh06', 'mZCM6Wjvlq'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, BQfbpEdwomc7Ptr6ZYm.cs	High entropy of concatenated method names: 'ToString', 'kGG1FLKcCQ', 'LTM1ovOc2o', 'd9b1yFx6hW', 'pYy1c7idmW', 'IdV1hdlfC3', 'ydj1pZv2Ti', 'UkH1UPAyJc', 'LDQvrVJzwyALWErKS2a', 'xk3HuJtSfKmMia4MGYB'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, vF5nMrI5KqT39ddKfc.cs	High entropy of concatenated method names: 'LhYjcXUBcK', 'uCljhtISw0', 'vuGjpf5tdm', 'tn7jUcQ3xq', 'jnCj9AMp8O', 'L0KjxY3UVM', 'e9fjnnEKGU', 'uawjm0dBQx', 'rQmjAh11wQ', 'dMejThCWVv'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, zu3vJJsVrCK8jvMPip.cs	High entropy of concatenated method names: 'IdAjrD0S2F', 'hOvj7ZQoSX', 'YB4jj83lic', 'pGRj1UaE4H', 'JpRjvmrsg9', 'FG6jtm9lWt', 'Dispose', 'OFZRLpjRRV', 'sHsRkeJJff', 'zKDRZrIHhN'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, b8jDTRdicoAQnKpZnQo.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ACLM4t8J3d', 'KLXMqemCcC', 'slsMgD6nkS', 'BWGMuLOImx', 'uLFMVYtHBP', 'R5FM0lQjwC', 'u5fMlIQQwB'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, DkH8lllbDJIeQXNQTG.cs	High entropy of concatenated method names: 'Gtx7Dvw5RB', 'C3s75p5mA1', 'ToString', 'oCP7LXAWwF', 'M367kiBGd0', 'wnF7ZrEags', 'MxJ7EbQea2', 'vQh7OJcjc9', 'c1r7Q1LZaH', 'OmC7HKYmso'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, xuF2QPo3vLthlJ5wPU.cs	High entropy of concatenated method names: 'OCKZBtVF7w', 'AjCZXu4tQU', 'BOIZF20Mpp', 'bpjZoWanFX', 'KJ0ZrBE0J4', 'OUEZ3JvDq1', 'EpaZ7bMDmd', 'yX2ZRLLRUX', 'Ia5ZjvbF1Y', 'd00ZMuMmp6'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, v1A4uiy6xfhcpyWplF.cs	High entropy of concatenated method names: 'VF1EJSOKch', 'bpnECw0eB1', 'SlFZpIi9LJ', 'RgjZUCq7Am', 'L6eZ9ZBbrS', 'WjJZxGjadw', 'xFKZnYidKA', 'xK9Zm8nhgR', 'ROFZAXwxSZ', 'QgiZT4IaCT'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, UNbOwrwU244hwPETiV.cs	High entropy of concatenated method names: 'dHFeOumhi', 'npnBWKbep', 'g5OXoOduN', 'O0PCsZwgm', 'kl2oIjv3M', 'rqlyJxw8H', 'ROW5fgC2Nuoh3f2wM9', 'Tj63rPVBKUcdO65xnu', 'xQsSdAvkJ4UKI1fbc0', 'cKdRgJJ5b'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, q0vDNXdaSrbd8RQcLoE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kDgbjHLdaa', 'oHgbM2egia', 'fAyb1XQpTn', 'tG2bbE2a87', 'POTbv2HujQ', 'vvkbYJgkjD', 'tcubtsex3D'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, Hjik7ncTZNaG5QOA6M.cs	High entropy of concatenated method names: 'ClEOG1iCde', 'TgnOk1XOYv', 'RL3OE2q4Ho', 'vI0OQTfxd0', 'yqwOHQnOuv', 'MbrEfPTa1p', 'MTOENtpx7H', 'E7CEspB2se', 'J1EEW30xx2', 'YZNEIjeEvT'
Source: 0.2.Zam.exe.afc0000.7.raw.unpack, q5sPmCgHa5QSAdGBY6.cs	High entropy of concatenated method names: 'TXlSFW8Alo', 'BvaSoN0t6V', 'ufDScWIjjv', 'XpHShuKcsa', 'RaiSUuYLYT', 'dvJS9bGVtR', 'NdlSnoUDqn', 'ag5SmHP73G', 'zCfSTZxm5M', 'IBFS4DRDmd'
Source: 0.2.Zam.exe.7480000.6.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.Zam.exe.7480000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.Zam.exe.7480000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, AssemblyLoader.cs	High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'dm6CAl6vMv6tZtTsBJx'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, weSArHJy04VrUk5WcT.cs	High entropy of concatenated method names: 'g0ZZTJMBw', 'bVuw9M3f7', 'v4Uj7gmxW', 'HY2cktVxp', 'dXfESyang', 'JVLvmyyZE', 'EnS6XfCBl', 'm5kIX5flX', 'HG415vm5d', 'r5rRugM7D'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, u9J6F189Juvy9c8GjcF.cs	High entropy of concatenated method names: 'qRv8u9DZtF', 'O4v8Kx8GU5', 'ueY8od7l32', 'hTMP4AR18wFcw3Sqqai', 'F5GV1URR7CDJgDdnQ75', 'lR5mIwRZGRHlbrqsphA', 'vWS4i2RwTGZ8CP7tdU7', 'V9SXf5RtUrgtw3fZV94', 'BFuMkfR6U5olu3GtQdm', 'crCGvkRIN1jGhB0HDKH'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, BUkgCv8TQ7YM2fhUbnA.cs	High entropy of concatenated method names: 'jK18a4aGge', 'JPP8UxsZwu', 'XW8ophRmqtMMTTiLRes', 'gdmmThRe1fx2a5SmykQ', 'ISIUP5RzkhEPRwNZbHY', 'KIJgt3ZBoLYcLMtm50o', 'weFX2PZHMiKldaCQfp2', 'rXJNUgZSCjRF73BgenH', 'Eyj6wgR2hncrYKHopgn', 'rVEOk3RFpCYdZbexNeG'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, jZ8THk368OpCC7WSjR.cs	High entropy of concatenated method names: 'rLf8ziSXDD', 'nuydqWZb1tAPiyYrUa3', 'FCgt9tZ0NWGixT7k9sH', 'V1CZqKZLJayw7KUckac', 'PjTHpFZhc3iXyFftLer', 'l6WcgUZJ5ds6QScc16f', 'TDRTrjytx', 'Hd9W9JrD9', 'g5ja3MorG', 'JwRULwIan'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, rwHfjZ7I5kDCaWiF6hZ.cs	High entropy of concatenated method names: 'VvmbaNtrRk', 'HpAbUs3hnC', 'AXobf7xnDG', 'blTb26e4pJ', 'DSWbFsbT8R', 'nPwbmaIwPM', 'nrrbetwhZ8', 'mi47WLdlb9', 'bTBbz1eZ7t', 'SYL0BlxDaq'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, KTX5nTHiVsN75uOJV8V.cs	High entropy of concatenated method names: 'qu3gSdLwER', 'PkFoLLZESPbLZqPYQNL', 'sbEeifZvq52QaFp1tvx', 'D1ViudZ6dOYKj6IfWDu', 'XTgaI6ZI8FcI98QQGua', 'bDMHPgY7YW', 'vHnH8ldsOa', 'HZRHgIGVtm', 'ofrHyLdEh9', 'c10H77FqGF'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, lAt25NntnjaKMJMGx6.cs	High entropy of concatenated method names: 'M2fG56VFy', 'npv4u4vRGvD8pIJLux6', 'SkpW4JvZmDQnBovAPgi', 'MjqRwTvwhwXr5SmCeg9', 'TOZbW4vtSwVDGLKfwSm', 'mkm8byvjnbHHZPIyQme', 'R3wdd5vcfKmCLiGO46j', 'KsRUS5vpehD3xt2MstA', 'cuTccTvCFIljrBKel2v', 'BFakKdvsU2IjDGYNh8K'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, AD78IrrlQxxB1kmm25.cs	High entropy of concatenated method names: 'E6ux20b3V', 'lI4N7SwUV', 'I57kIiw6B', 'wbmYWeXaG', 'xXZPLC6myphqn8bHyud', 'bQDlwj6e4DVmyj218B7', 'PshoUX62DoP83Zt66wZ', 'vVHE5n6FwaMD42OtLe7', 't7B5fe6zTm1bK8OIxu0', 'AYyboAIBftdBTo829Pv'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, oBUBUm7di2B1I18KjrK.cs	High entropy of concatenated method names: 'veZ7MqDEK7', 'xXO7bFsiwR', 'MAB70PhKBT', 'lgf7LDTV0X', 'YvS7h8MTso', 'vIu7J1LIyH', 'KGb74X210f', 'd6s7EFb7uT', 'YTm7v3Z6qo', 'OhI76r09q1'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, fiQH388fv2MqTTuNkCQ.cs	High entropy of concatenated method names: 'MkD8FEmX8F', 'vnr8m1TP9W', 'noqaJDZPIBtrSjpx7ks', 'ch3vTJZ8FlsDTGZ11PL', 'hQSX6EZgvx9XAkQnDhp', 'ysfgHfZif924yAQdKoj', 'EgrcfMZAh0Yrfrr6pOp', 'GUK4wSZyViPaDt3eClK', 'b7nOncZ7Cop0ZltrDOm', 'WtX9rxZnjjZK3h1RQvK'
Source: 8.2.RegSvcs.exe.56a0000.2.raw.unpack, sga1JWgPmYSTxXVSxen.cs	High entropy of concatenated method names: 'OhQfH5ZoPeXsWD50mg3', 'sd7moPZD2HlKN2jeYvn', 'DbcyDKhMo3', 'bFuvXEZN0kfaGuk3NQJ', 'TjLynZZkBXiQ5yhARyX', 'rMAWEvZYQVZFJckVsWx', 'eRABJ3Z3UcTtWLxRdgN', 'fMgX9nZX3KZIgwhGgvC', 'qFI1hjZT9gum9GSIFCr', 'IWaKLeZWuyEPGa40T2d'

Source: C:\Users\user\Desktop\Zam.exe

File created: C:\Users\user\AppData\Roaming\ymvnpo.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Zam.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Zam.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ymvnpo.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8144, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegSvcs.exe, 00000008.00000002.1762289733.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: 25C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: 4C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: 5C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: 5D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: 6D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: B070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: C070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: C500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: D500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory allocated: E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory allocated: 29D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory allocated: 2720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory allocated: 4FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory allocated: 5FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory allocated: 6100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory allocated: 7100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory allocated: AB60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory allocated: BB60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory allocated: 4FD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Zam.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5699	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 734	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4544	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4178	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7047

Source: C:\Users\user\Desktop\Zam.exe TID: 7280	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe TID: 7296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7672	Thread sleep count: 5699 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep count: 734 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7720	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe TID: 7956	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe TID: 7988	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Zam.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 33000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32762	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32651	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32223	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 32066	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31850	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31707	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31589	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31466	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31240	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 31109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30997	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30451	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|Xen4win32_process.handle='{0}'
Source: RegSvcs.exe, 00000008.00000002.1762289733.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
Source: RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: RegSvcs.exe, 00000008.00000002.1774341567.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1843289242.0000000004F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Zam.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_05C6C0A0 LdrInitializeThunk,

8_2_05C6C0A0

Source: C:\Users\user\Desktop\Zam.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Zam.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe"
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ymvnpo.exe"
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ymvnpo.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Zam.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Zam.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Zam.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 46E000	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 470000	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E61008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 46E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 470000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 268008	Jump to behavior

Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ymvnpo.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpD037.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Users\user\Desktop\Zam.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Zam.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Queries volume information: C:\Users\user\AppData\Roaming\ymvnpo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ymvnpo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\Zam.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegSvcs.exe, 0000000D.00000002.1843289242.0000000004F70000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Discord Token Stealer

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8144, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Zam.exe.3fd24e8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Zam.exe.7480000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Zam.exe.3fd24e8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Zam.exe.7480000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Zam.exe.2836240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1717030586.0000000007480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712662630.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1711032371.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003590000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum_c,&
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCash@\^q
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty!
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003590000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @\^q$ElectrumLTC_l
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q0C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q<C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldb
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum1
Source: RegSvcs.exe, 00000008.00000002.1762289733.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,^q5C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: Zam.exe, 00000000.00000002.1711032371.00000000027B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1826323666.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1762289733.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8144, type: MEMORYSTR

Remote Access Functionality

Yara detected Discord Token Stealer

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8144, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Zam.exe.3fd24e8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Zam.exe.7480000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Zam.exe.3fd24e8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Zam.exe.7480000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Zam.exe.2836240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1717030586.0000000007480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1712662630.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1711032371.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	231 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Zam.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ymvnpo.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ymvnpo.exe	32%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
87.228.1.0.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2t	RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	RegSvcs.exe, 00000008.00000002.1769391679.0000000004198000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1833041222.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discordapp.com/api/v9/users/	RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	RegSvcs.exe, 00000008.00000002.1780538821.00000000076E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1780950450.0000000009BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1782276200.000000000AB81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1780950450.0000000008871000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1769391679.00000000042D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1847929406.0000000006821000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1833041222.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1848405246.00000000079A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1850444088.0000000009CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1833041222.0000000003896000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://icanhazip.com/	RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.0000000003350000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://steamcommunity.com/profiles/	RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.0000000003350000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Zam.exe, 00000000.00000002.1711032371.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, ymvnpo.exe, 0000000A.00000002.1762213796.00000000029D9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-net	RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	RegSvcs.exe, 00000008.00000002.1780538821.00000000076E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1780950450.0000000009BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1780950450.0000000008871000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1769391679.00000000042D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1833041222.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1833041222.0000000003896000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Zam.exe, ymvnpo.exe.0.dr	false	high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	RegSvcs.exe, 00000008.00000002.1762289733.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefox	RegSvcs.exe, 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	RegSvcs.exe, 00000008.00000002.1775332684.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	Zam.exe, 00000000.00000002.1717487980.0000000008E52000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id	RegSvcs.exe, 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegSvcs.exe, 0000000D.00000002.1833041222.00000000033DD000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.34.212.17	unknown	Poland		201814	PL-SKYTECH-ASPL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565072
Start date and time:	2024-11-29 08:55:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Zam.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/16@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 528 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Zam.exe

Simulations

Behavior and APIs

Time	Type	Description
02:56:00	API Interceptor	3x Sleep call for process: Zam.exe modified
02:56:02	API Interceptor	41x Sleep call for process: powershell.exe modified
02:56:03	API Interceptor	93x Sleep call for process: RegSvcs.exe modified
02:56:05	API Interceptor	3x Sleep call for process: ymvnpo.exe modified
07:56:04	Task Scheduler	Run new task: ymvnpo path: C:\Users\user\AppData\Roaming\ymvnpo.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.34.212.17	KRcLFIz5PCQunB7.exe	Get hash	malicious	Quasar	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PL-SKYTECH-ASPL	KRcLFIz5PCQunB7.exe	Get hash	malicious	Quasar	Browse	193.34.212.17
	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse	91.223.3.164
	Payload 94.75 (3).225.exe	Get hash	malicious	Unknown	Browse	95.214.53.96
	4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll	Get hash	malicious	Unknown	Browse	193.34.212.14
	4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll	Get hash	malicious	Unknown	Browse	193.34.212.14
	SH20240622902.scr.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	193.34.212.15
	arm7.elf	Get hash	malicious	Unknown	Browse	95.214.52.167
	mpslbot.elf	Get hash	malicious	Unknown	Browse	95.214.52.167
	mipsbot.elf	Get hash	malicious	Unknown	Browse	95.214.52.167
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	193.34.212.15

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1434
Entropy (8bit):	5.342612360333169
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhRAE4KzecKIE4oKNzKoZsXE4qdKqE4Kx1qE4DJE4TE4Ks:MxHKlYHKh3oRAHKzectHo60H8HKx1qHN
MD5:	522A73769A186964B7301AF1CBF6AF40
SHA1:	99FD48F31A76D9984243447AB9A0F00F3527463A
SHA-256:	9FCD97D035F201EA395E416D2C082AA59CB814B7EC1F3B72C97A870FEBBE097A
SHA-512:	5548DA45D1D1DFE399DCEEA81720B1B24F83FFCD775573B8A7F62A779D84853262EB97BA4142BE71DD19204FE5594949B6F2BB4650BDEAC17FEA17D6F703785A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Managemen

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zam.exe.log

Download File

Process:	C:\Users\user\Desktop\Zam.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ymvnpo.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ymvnpo.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379677338874509
Encrypted:	false
SSDEEP:	48:tWSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMuge//ZSUyus:tLHxcIalLgZ2KRHWLOugEs
MD5:	CC07A40FD642FE9582948CD965382D98
SHA1:	8A1DCD9EA81AB47D283805EAA2C92579762DDDE5
SHA-256:	FE16BA81A78DB31DECABC6535B2F6BE47486337E90D8FEB95C96A62B487C3FD8
SHA-512:	933652DD28817DB470E54D5079E0A418366EE0FE458C7ADC2D8AED11955F291EDCBC3A9010C646AE1A2B772BDBBEB0EC55E0DA794BF7E1875982CC7C23DFEE0D
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.ConfigurationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bu2gr1mn.cvq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cooi1fkd.1t1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvk42joq.azs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfhbddxc.nhj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2iewkag.5dv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r35n0t0k.5ta.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xdnjen1i.ogt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yszadek5.m4r.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp

Download File

Process:	C:\Users\user\Desktop\Zam.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.102938387221063
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaKxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTXv
MD5:	8ED1D0B1DBC476105DE878456ACE54D9
SHA1:	9974259F22508676297B6E7E8D949A614AD86AC2
SHA-256:	B2B3121F47BA6570B4EAD768D634267A4BB664326B19BD4CB52F4E08C70B895C
SHA-512:	0807926B8F9798724DB86EDA4381139F504E485385258D2C929EBA579E1DCE1A4E69FC39B3327F4E46C08C65C93F5F23EB2058F9989C7C35AACA85ACDA21C8DA
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpD037.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ymvnpo.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.102938387221063
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaKxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTXv
MD5:	8ED1D0B1DBC476105DE878456ACE54D9
SHA1:	9974259F22508676297B6E7E8D949A614AD86AC2
SHA-256:	B2B3121F47BA6570B4EAD768D634267A4BB664326B19BD4CB52F4E08C70B895C
SHA-512:	0807926B8F9798724DB86EDA4381139F504E485385258D2C929EBA579E1DCE1A4E69FC39B3327F4E46C08C65C93F5F23EB2058F9989C7C35AACA85ACDA21C8DA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\ymvnpo.exe

Download File

Process:	C:\Users\user\Desktop\Zam.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1052680
Entropy (8bit):	7.819238180463476
Encrypted:	false
SSDEEP:	24576:z1zGUxjbVLayM8BCsWKTmDXQrbrF3ROcEBe2emGF:pLffMv3KTGAvrBROcEA2Fa
MD5:	3AE2502B4152CB98314AC0B6833B2957
SHA1:	8743D14FE00E1CCA03574687ADFA709E81C4B636
SHA-256:	BAA7B027EF4FED86E02B6FFA8D6143DD09DB213A53BCEEE7CF02D5CEC64F760F
SHA-512:	059A29C957214015239A4B554D1E4A6E66D291CB36210BF1F981044C6AD0DC1701132BABD0F454CF2C7F2B3CD01FC1CAD0CB54831D0A90FC551587E1AAD1A0E7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[................0.................. ........@.. .......................@............@.................................D...W.......................6... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...........,..................@..@.reloc....... ......................@..B........................H.......P...............`....J..........................................K....x5......*.z../.~.9....IC..Iv.^.d.4..J...x..7..b.....y.d1.l.LoI\0Yz[Q`+a.J.Zl['......9.%.S.T....C....R..Rr]..T.M..+.c.7.....\..D_ANI5.h..`..DE.>ej....W..!4]....".=npi........`..$.Lq6..D..]6`..Z.....;.<..P.(.....e....A..+..&S.JL:....`yJ...st..0.I_.0..LB..:F-.2.N.m k.@...Q.\:S..o=..c%..U..0M.!...w...a...no..O....:L.}._.h....]t. 9......k........2.4..AW.&..p..$;..-7G.0.......$..I{..B. sc%

C:\Users\user\AppData\Roaming\ymvnpo.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Zam.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.819238180463476
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Zam.exe
File size:	1'052'680 bytes
MD5:	3ae2502b4152cb98314ac0b6833b2957
SHA1:	8743d14fe00e1cca03574687adfa709e81c4b636
SHA256:	baa7b027ef4fed86e02b6ffa8d6143dd09db213a53bceee7cf02d5cec64f760f
SHA512:	059a29c957214015239a4b554d1e4a6e66d291cb36210bf1f981044c6ad0dc1701132babd0f454cf2c7f2b3cd01fc1cad0cb54831d0a90fc551587e1aad1a0e7
SSDEEP:	24576:z1zGUxjbVLayM8BCsWKTmDXQrbrF3ROcEBe2emGF:pLffMv3KTGAvrBROcEA2Fa
TLSH:	7125E1883111B58FC8A3CD718995DD74A6306CAB970BC203E5DB2DEFBA1D6979E101F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[................0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	323636b29699c72c

Static PE Info

General

Entrypoint:	0x4fc99e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD6E15B1F [Tue Mar 28 14:45:51 2084 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfc944	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfe000	0x2ab8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xfda00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x102000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfa9a4	0xfaa00	cf4b8b8c5eee65df2381f12855876b2d	False	0.9098162796134663	data	7.821132747291478	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xfe000	0x2ab8	0x2c00	5302018a8e62c3d963dfa56421bbbe64	False	0.8825461647727273	data	7.523508199361022	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x102000	0xc	0x200	a85d67c2f968cffb1bc6e392d090cf81	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xfe130	0x244f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9797740720817644
RT_GROUP_ICON	0x100580	0x14	data	1.05
RT_VERSION	0x100594	0x338	data	0.4405339805825243
RT_MANIFEST	0x1008cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2024 08:56:03.953763962 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:04.074126005 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:04.074218035 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:04.090831995 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:04.210895061 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:04.211004019 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:04.331064939 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.413466930 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.413489103 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.413501024 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.413513899 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.413533926 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.413544893 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.413556099 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.413568974 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.413578987 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.413578987 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.413618088 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.413618088 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.413733959 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.413774014 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.533734083 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.533829927 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.533884048 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.538635015 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.539642096 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.539700985 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.653825045 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.653841019 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.653892994 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.659509897 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.659523964 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.659574986 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.774013996 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774034023 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774045944 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774063110 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774077892 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774096012 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774100065 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.774106979 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774117947 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774121046 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.774135113 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774146080 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774147987 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.774156094 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774164915 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.774167061 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774178028 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774182081 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.774188995 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774198055 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.774199963 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774210930 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774221897 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774228096 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.774234056 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774244070 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.774245024 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774256945 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774267912 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.774267912 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.774295092 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.796889067 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.796942949 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.797034979 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.801038027 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.801084995 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.802544117 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.802726984 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.802892923 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.811018944 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.811129093 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.811279058 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.894392967 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.894474030 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.894540071 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.898546934 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.898629904 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.898730040 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.906928062 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.907025099 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.907075882 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.915333033 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.915436983 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.915936947 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.920463085 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.920577049 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.920744896 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.925620079 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.925709963 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.925757885 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.930773020 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.930870056 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.930919886 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.935915947 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.936002016 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.936054945 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.941063881 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.941231012 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.941318035 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.946166039 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.946269989 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.946312904 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.951353073 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.951386929 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.951457977 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.956274033 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.956372976 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.956434011 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.961386919 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.961436033 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.961488962 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.966356993 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.966450930 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.966499090 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.971421003 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.971522093 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.971575022 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.976469040 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.976514101 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.976814032 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.981503963 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.981623888 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.981678009 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.986520052 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.986632109 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.986677885 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.991595030 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.991738081 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.991789103 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:05.996601105 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.996721983 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:05.996776104 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.001674891 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.001770973 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.001982927 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.006707907 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.006799936 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.006882906 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.011761904 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.011841059 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.012020111 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.016807079 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.016840935 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.017127037 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.021862030 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.021958113 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.022005081 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.026904106 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.026937008 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.027071953 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.031949043 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.032057047 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.032104015 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.037013054 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.037071943 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.037302017 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.042059898 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.042143106 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.042213917 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.047060013 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.047162056 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.047250032 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.052102089 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.052205086 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.052262068 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.057161093 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.057264090 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.057307959 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.062202930 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.062330961 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.062380075 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.066904068 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.067055941 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.067110062 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.071542978 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.071657896 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.071746111 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.076252937 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.076383114 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.076426983 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.080943108 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.081058025 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.081206083 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.085429907 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.085522890 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.085629940 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.089895964 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.090035915 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.090101957 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.094098091 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.094177008 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.094237089 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.098234892 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.098330021 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.098381996 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.102072954 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.102154016 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.102205038 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.105820894 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.105941057 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.105989933 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.109407902 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.109518051 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.109587908 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.112919092 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.113168001 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.113215923 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.116445065 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.116564989 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.116677999 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.119834900 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.119945049 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.120320082 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.123219013 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.123306036 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.123363018 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.126516104 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.126609087 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.126663923 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.129811049 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.129980087 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.130024910 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.133014917 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.133097887 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.133141041 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.136281967 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.136382103 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.136421919 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.139494896 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.139594078 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.139641047 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.142729998 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.142817974 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.142859936 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.145998955 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.146111965 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.146254063 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.148987055 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.149080038 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.149122000 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.151926994 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.152036905 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.152090073 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.154910088 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.154984951 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.155040979 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.180527925 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.180598021 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.180702925 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.180995941 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.181077003 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.181114912 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.182779074 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.182915926 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.183487892 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.184578896 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.184694052 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.184752941 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.186336040 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.186439991 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.186481953 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.188102961 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.188205957 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.188574076 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.189878941 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.189995050 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.190073013 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.191699028 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.191811085 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.192116022 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.193411112 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.193536997 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.193587065 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.195179939 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.195359945 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.195395947 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.196939945 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.197052956 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.197242022 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.198708057 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.198806047 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.198844910 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.200478077 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.200656891 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.200692892 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.202208996 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.202311993 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.202668905 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.203982115 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.204178095 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.204225063 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.205699921 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.205813885 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.205924034 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.207495928 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.207537889 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.207690954 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.209196091 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.209314108 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.209362984 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.210947990 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.211091042 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.211133003 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.212699890 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.212793112 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.212840080 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.214421034 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.214551926 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.214597940 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.216169119 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.216270924 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.216372013 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.217900038 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.218004942 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.218049049 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.219609976 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.219706059 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.219818115 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.221338987 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.221494913 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.221543074 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.223057985 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.223143101 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.223355055 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.224745035 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.224865913 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.224911928 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.226469994 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.226614952 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.226732016 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.228166103 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.228264093 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.228302956 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.229851961 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.229944944 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.230032921 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.231518984 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.231645107 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.231688976 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.233196020 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.233283997 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.233329058 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.234854937 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.234992027 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.235042095 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.236525059 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.236640930 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.236681938 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.238153934 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.238260031 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.238369942 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.239844084 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.239974976 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.240010023 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.241466999 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.241555929 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.241594076 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.243207932 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.243221998 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.243267059 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.244712114 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.244822979 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.244992018 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.246315002 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.246383905 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.246479034 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.247927904 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.248030901 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.248070955 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.249488115 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.249658108 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.249697924 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.251084089 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.251179934 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.251219034 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.252645969 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.252777100 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.252831936 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.254214048 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.254410028 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.254470110 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.255769014 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.255887985 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.257302999 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.257440090 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.257539988 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.258872032 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.258936882 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.258960009 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.259006977 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.321883917 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.321976900 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.322020054 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.322453976 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.322505951 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.322654009 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.323690891 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.323803902 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.323842049 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.325047016 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.372785091 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.372805119 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.372838020 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.373246908 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.373382092 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.373404980 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.373965025 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.374005079 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.374073982 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.374874115 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.375000954 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.375041008 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.375658035 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.375706911 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.375783920 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.376480103 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.376523972 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.376602888 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.377311945 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.377409935 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.377451897 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.378098011 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.378140926 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.378221989 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.378936052 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.379020929 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.379060984 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.379745960 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.379790068 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.379826069 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.380570889 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.380625010 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.380666018 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.381426096 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.381510973 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.381557941 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.382200003 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.382242918 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.382312059 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.383018970 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.383121014 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.383161068 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.383812904 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.383852959 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.383896112 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.384601116 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.384639978 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.384711981 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.385426044 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.385462046 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.385515928 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.386225939 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.386266947 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.386327028 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.387027979 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.387070894 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.387130976 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.387845993 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.387888908 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.387934923 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.388634920 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.388668060 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.388817072 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.389441013 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.389549017 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.389566898 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.390248060 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.390297890 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.390347958 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.391079903 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.391171932 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.391216993 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.391861916 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.391913891 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.392023087 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.392684937 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.392729044 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.392762899 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.393471956 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.393512964 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.393569946 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.394279957 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.394380093 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.394406080 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.395064116 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.395106077 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.395191908 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.395972013 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.396013975 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.396063089 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.396701097 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.396739006 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.396795988 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.397495031 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.397625923 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.397667885 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.398287058 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.398323059 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.398350000 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.399137020 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.399178028 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.399219990 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.399892092 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.400017977 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.400064945 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.400721073 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.400777102 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.400814056 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.401521921 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.401561975 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.401619911 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.402326107 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.402369976 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.402417898 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.403114080 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.403202057 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.403223991 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.403918028 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.403963089 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.403987885 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.404704094 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.404752016 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.404864073 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.405527115 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.405642986 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.405687094 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.406328917 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.406385899 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.406430006 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.407131910 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.407186985 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.407248020 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.407944918 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.408004999 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.408065081 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.408754110 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.408790112 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.408849001 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.409583092 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.409634113 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.409682989 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.410363913 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.410403013 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.410516977 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.411164999 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.411201000 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.411367893 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.411962032 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.412010908 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.412182093 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.513840914 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.513910055 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.513911963 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.514209032 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.514251947 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.514385939 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.514997005 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.515083075 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.515105009 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.515804052 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.515850067 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.564651012 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.564735889 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.564985991 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.565005064 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.565076113 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.565110922 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.565761089 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.565874100 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.565917015 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.648911953 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:06.769277096 CET	33102	49735	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:06.769346952 CET	49735	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:07.771522999 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:07.891505003 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:07.891577959 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:07.905862093 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:07.905953884 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.025727987 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.025774002 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.025876999 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.025886059 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.025914907 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.025944948 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.025983095 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.025990963 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.026032925 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.026060104 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.026067972 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.026102066 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.026130915 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.026139021 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.026154041 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.026170015 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.026199102 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.145881891 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.145977020 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.146013021 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.146081924 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.146100044 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.146143913 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.146151066 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.146189928 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.146246910 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.146267891 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.146294117 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.146308899 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.190087080 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.190187931 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.310115099 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.310170889 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.354034901 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.478118896 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.921076059 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:08.923127890 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:08.923206091 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.041208982 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.043044090 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.312096119 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.312356949 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.432214975 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432471991 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432482004 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432507038 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432523966 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432554007 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.432579994 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.432591915 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.432620049 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432629108 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432660103 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.432677031 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432686090 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432718992 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.432761908 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432795048 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432806015 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.432873964 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432883024 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.432892084 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.432913065 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.432930946 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.433005095 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.433027029 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.433043003 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.433053017 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.433068991 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.553653002 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.553667068 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.553725958 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.553735018 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.553742886 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.553759098 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.553855896 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.553864956 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.553872108 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.553989887 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.553997993 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554004908 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554168940 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554177999 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554287910 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554296970 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554305077 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554312944 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554434061 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554445028 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554573059 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554582119 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554589033 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554603100 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554712057 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554721117 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554738998 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554872990 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554882050 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.554891109 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.555016041 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.555023909 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.555177927 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.555187941 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.555346012 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.555387020 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.555396080 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.555403948 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675204039 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675220013 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675229073 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675237894 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675257921 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675266981 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675385952 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675394058 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675539017 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675548077 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675555944 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675565004 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675678015 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675688028 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675695896 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675704956 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675822020 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675832033 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675839901 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675858974 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675947905 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.675960064 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.841738939 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:09.961869001 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:09.961930990 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:10.082057953 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:10.416058064 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:10.574584007 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:10.659327030 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:10.667192936 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:10.716829062 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:10.788198948 CET	33102	49737	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:10.788255930 CET	49737	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:10.837054968 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:10.837137938 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:10.860742092 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:10.980755091 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:10.980818987 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:11.100835085 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.151462078 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.151537895 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.151578903 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.151717901 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.151727915 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.151772976 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.151885033 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.151896000 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.151907921 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.151923895 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.151932001 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.151942968 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.151954889 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.151971102 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.151982069 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.271692038 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.271711111 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.271787882 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.275808096 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.275882006 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.275964022 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.342408895 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.342427015 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.342569113 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.346374035 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.347930908 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.347992897 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.348006964 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.356378078 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.356447935 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.356497049 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.364770889 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.364825010 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.364861012 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.373130083 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.373178959 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.373255014 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.381567955 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.381608963 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.381659985 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.389947891 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.389986992 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.390062094 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.398447990 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.398464918 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.398498058 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.406781912 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.406831980 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.406866074 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.415165901 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.415215015 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.415245056 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.422516108 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.422580004 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.482297897 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.482346058 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.482546091 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.485879898 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.527692080 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.534373999 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.534468889 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.534519911 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.536653996 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.536797047 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.536850929 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.541445971 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.543279886 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.543319941 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.543325901 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.547837973 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.547884941 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.547950983 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.552567959 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.552614927 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.552648067 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.557221889 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.557275057 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.557327986 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.561871052 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.561923981 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.561997890 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.566534042 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.566576958 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.566622972 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.571223974 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.571264982 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.571297884 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.575907946 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.575948954 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.576020002 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.580616951 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.580631018 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.580677032 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.585233927 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.585313082 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.585377932 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.589886904 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.589936972 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.589982033 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.594578028 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.594618082 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.594638109 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.599227905 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.599276066 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.599301100 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.603854895 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.603908062 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.604010105 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.608597040 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.608608961 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.608647108 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.674165964 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.674297094 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.674344063 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.676480055 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.676583052 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.676620960 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.681129932 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.726131916 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.726174116 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.726237059 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.727900982 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.727960110 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.728559971 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.728667974 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.728831053 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.732213020 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.732330084 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.732373953 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.735868931 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.735975027 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.736023903 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.739480019 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.739708900 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.739767075 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.742820024 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.742868900 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.743005037 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.746229887 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.746584892 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.746913910 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.749643087 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.749716997 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.749763966 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.753034115 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.753132105 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.753268003 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.756474972 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.756757021 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.756795883 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.759887934 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.760027885 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.760112047 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.763381958 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.763525009 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.763562918 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.766757965 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.766901016 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.767102003 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.770167112 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.770399094 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.770459890 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.773649931 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.773760080 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.773797035 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.777019024 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.777223110 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.777277946 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.780528069 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.780597925 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.780638933 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.784007072 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.784077883 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.784116983 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.787354946 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.787584066 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.787628889 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.790800095 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.791002035 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.791091919 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.794178963 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.794383049 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.794426918 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.797566891 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.797732115 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.797770977 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.801038980 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.801166058 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.801198006 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.804389000 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.804507017 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.804615021 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.807852030 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.807960987 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.808005095 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.867914915 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.868026018 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.868139982 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.869434118 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.869528055 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.869990110 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.871753931 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.871841908 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.873271942 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.874799967 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.874869108 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.876681089 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.877746105 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.877867937 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.880450964 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.918222904 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.918241024 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.918354034 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.918905020 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.919063091 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.919107914 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.921586037 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.921741009 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.921778917 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.924232006 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.924309015 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.924408913 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.926862001 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.926954031 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.926989079 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.929475069 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.929549932 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.929598093 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.932024002 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.932140112 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.932248116 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.933841944 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.934005022 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.934048891 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.935597897 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.935698986 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.935847998 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.937381983 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.937500000 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.937542915 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.939145088 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.939229965 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.939284086 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.940903902 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.940959930 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.941003084 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.942694902 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.942799091 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.942845106 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.944441080 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.944538116 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.944567919 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.946221113 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.946363926 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.946420908 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.947987080 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.948374033 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.948436022 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.949718952 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.949824095 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.949959993 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.951539993 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.951628923 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.951736927 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.953291893 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.953394890 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.953438044 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.955085993 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.955275059 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.955373049 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.956855059 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.957053900 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.957231045 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.958601952 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.958709002 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.958758116 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.960347891 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.960452080 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.960485935 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.962095022 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.962213039 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.962285042 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.963890076 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.963959932 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.965640068 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.965706110 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.967405081 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.967529058 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.969175100 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.969290018 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.970803022 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.970853090 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.970923901 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.971000910 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.971359015 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.972718000 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.972824097 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.972862959 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.974483967 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.974581003 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.974623919 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.976233959 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.976372957 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.976440907 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.978061914 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.978169918 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.978235960 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.979784012 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.979897022 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.979973078 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.981585026 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.981681108 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.981720924 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.983345032 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.983459949 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.983674049 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.985100985 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.985418081 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.986865044 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.986983061 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.987029076 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.988615990 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.988696098 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.988744020 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.990386009 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.990490913 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.992043018 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.992208958 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.992276907 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.992326975 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.993923903 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.994033098 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.994081020 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.995698929 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.995805025 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.996144056 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.997478962 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.997567892 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.997612000 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:12.999244928 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.999377012 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:12.999419928 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.001029015 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.001096964 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.001202106 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.002770901 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.002870083 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.002985954 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.004498005 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.058103085 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.058124065 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.058162928 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.058887005 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.058948994 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.059463978 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.059557915 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.059614897 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.061211109 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.061336994 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.061422110 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.063010931 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.063114882 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.063318968 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.064755917 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.105818033 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.110166073 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.110294104 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.110436916 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.110877991 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.111001015 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.111094952 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.112329006 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.112503052 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.112584114 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.113781929 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.113868952 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.113977909 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.115200043 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.115412951 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.115458012 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.116185904 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.116292953 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.116410971 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.117180109 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.117319107 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.117445946 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.118110895 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.118220091 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.118729115 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.119076967 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.119159937 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.119268894 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.120028973 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.120152950 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.120203018 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.121006012 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.121100903 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.121217966 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.121937990 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.122059107 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.122101068 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.122908115 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.122957945 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.123051882 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.123850107 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.123972893 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.124012947 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.124789953 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.124902010 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.125129938 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.125734091 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.125847101 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.125952959 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.126672029 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.126830101 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.126872063 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.127613068 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.127715111 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.127830982 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.128540039 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.128660917 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.128757000 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.129465103 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.129611969 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.129656076 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.130409956 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.130530119 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.130899906 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.131409883 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.131465912 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.131506920 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.132292032 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.132424116 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.132566929 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.133199930 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.133311987 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.133395910 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.134130955 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.134274006 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.134385109 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.135063887 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.135175943 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.135224104 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.136001110 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.136111021 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.136244059 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.136924028 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.137068033 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.137115002 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.137866974 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.137996912 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.138050079 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.138802052 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.138920069 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.138972044 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.139735937 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.139844894 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.140052080 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.140649080 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.140712976 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.140830994 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.141632080 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.141702890 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.142075062 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.142533064 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.142618895 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.142713070 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.143471956 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.143589020 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.143938065 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.144397020 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.144505978 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.144562960 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.145375967 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.145479918 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.145593882 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.146264076 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.146370888 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.146485090 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.147195101 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.147339106 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.148135900 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.148196936 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.148237944 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.148279905 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.149076939 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.149193048 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.149499893 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.150011063 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.150118113 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.150191069 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.150952101 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.151040077 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.151365995 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.151895046 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.151959896 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.152101994 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.152787924 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.152909994 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.152981043 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.153722048 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.153844118 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.154197931 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.154653072 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.199562073 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.255156040 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.255254984 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.255649090 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.255736113 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.255803108 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.256531000 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.256690025 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.256755114 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.257472038 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.257592916 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.257725954 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.258424997 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.258549929 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.258622885 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.259350061 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.259466887 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.259524107 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.260288000 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.260355949 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.260462999 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.312884092 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.312935114 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.312989950 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.313271046 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.313390017 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.313447952 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.314203978 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.314313889 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.314363956 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.315119982 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.315244913 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.315289021 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.316066027 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.316165924 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.316981077 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.317101955 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.317122936 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.317137957 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.317950010 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.318094969 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.318137884 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.318852901 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.318985939 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.319057941 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.319807053 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.319917917 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.319958925 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.320738077 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.320867062 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.320903063 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.321657896 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.321773052 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.321888924 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.322587967 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.322702885 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.322745085 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.323533058 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.323635101 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.323868036 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.324465990 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.324559927 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.324595928 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.325351000 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.371438980 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.404920101 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:13.525492907 CET	33102	49739	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:13.527391911 CET	49739	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.210352898 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.330734015 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.330827951 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.343549967 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.343657017 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.463507891 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.463571072 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.463608980 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.463654041 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.463666916 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.463713884 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.463762045 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.463779926 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.463810921 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.463830948 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.463891029 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.463908911 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.463944912 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.463962078 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.464025974 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.464041948 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.464072943 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.464087009 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.464116096 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.464168072 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.583775997 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.583789110 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.583839893 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.583846092 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.583864927 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.583916903 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.583950996 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.583960056 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.584003925 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.626157045 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.626260996 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.746052980 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.746135950 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:14.790049076 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:14.910123110 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.318165064 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.358640909 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.478657007 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.478734970 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.598669052 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.774189949 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.774456024 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.774518967 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.894330978 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.894737959 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.894748926 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.894810915 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.894886017 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.894932032 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.894937992 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.894984007 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.895013094 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.895030975 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.895088911 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.895186901 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.895236969 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.895255089 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.895379066 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.895406008 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.895479918 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.895538092 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.895704985 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.895766020 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.895793915 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.895837069 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.895878077 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.895936012 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.895937920 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.895977020 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:15.896055937 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.896066904 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.896159887 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.896290064 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.896330118 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.896358967 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.896605968 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.896718979 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.896728039 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.896883011 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.896892071 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.896899939 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.897001982 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.897042036 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.897176027 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.897186041 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.897324085 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.897372961 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.897448063 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:15.897463083 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014518023 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014528990 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014537096 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014549017 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014641047 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014651060 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014841080 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014852047 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014930964 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014940023 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014972925 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.014988899 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015085936 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015095949 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015158892 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015168905 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015228033 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015244007 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015300989 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015311003 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015403032 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015413046 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015455008 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015489101 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015582085 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015599012 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015641928 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015692949 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015729904 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015774012 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015850067 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015858889 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.015954018 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.016375065 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.016392946 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.017015934 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.017060041 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.017070055 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.017108917 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.017537117 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.017584085 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.017671108 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.017682076 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.017714977 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.017724037 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.017772913 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.294512033 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:16.414588928 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.414719105 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:16.535469055 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.844386101 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:16.887125015 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:17.078228951 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:17.085371971 CET	49740	33102	192.168.2.4	193.34.212.17
Nov 29, 2024 08:56:17.205859900 CET	33102	49740	193.34.212.17	192.168.2.4
Nov 29, 2024 08:56:17.206052065 CET	49740	33102	192.168.2.4	193.34.212.17

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2024 08:56:07.266896009 CET	52779	53	192.168.2.4	1.1.1.1
Nov 29, 2024 08:56:07.408200026 CET	53	52779	1.1.1.1	192.168.2.4
Nov 29, 2024 08:56:13.853487968 CET	58048	53	192.168.2.4	1.1.1.1
Nov 29, 2024 08:56:13.996665955 CET	53	58048	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2024 08:56:07.266896009 CET	192.168.2.4	1.1.1.1	0xb18c	Standard query (0)	87.228.1.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Nov 29, 2024 08:56:13.853487968 CET	192.168.2.4	1.1.1.1	0x5f54	Standard query (0)	87.228.1.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2024 08:56:07.408200026 CET	1.1.1.1	192.168.2.4	0xb18c	Name error (3)	87.228.1.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Nov 29, 2024 08:56:13.996665955 CET	1.1.1.1	192.168.2.4	0x5f54	Name error (3)	87.228.1.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	02:55:59
Start date:	29/11/2024
Path:	C:\Users\user\Desktop\Zam.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Zam.exe"
Imagebase:	0x240000
File size:	1'052'680 bytes
MD5 hash:	3AE2502B4152CB98314AC0B6833B2957
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1717030586.0000000007480000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1712662630.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1711032371.00000000027B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:56:01
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Zam.exe"
Imagebase:	0x610000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:56:01
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:56:01
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ymvnpo.exe"
Imagebase:	0x610000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:56:01
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:56:01
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp"
Imagebase:	0xb40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:56:01
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:56:02
Start date:	29/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xdd0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.1773823325.0000000005740000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.1762289733.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1762289733.0000000003189000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1762289733.0000000003350000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:56:04
Start date:	29/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:56:05
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Roaming\ymvnpo.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ymvnpo.exe
Imagebase:	0x4d0000
File size:	1'052'680 bytes
MD5 hash:	3AE2502B4152CB98314AC0B6833B2957
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:56:07
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ymvnpo" /XML "C:\Users\user\AppData\Local\Temp\tmpD037.tmp"
Imagebase:	0xb40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:56:07
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:56:07
Start date:	29/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x20000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1826323666.000000000264B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1826323666.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1826323666.00000000023D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.8%
Total number of Nodes:	204
Total number of Limit Nodes:	15

Executed Functions

Function 00B909A9 Relevance: 3.9, Strings: 3, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I(0, xrefs: 00B909BF
Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q$I(0
API String ID: 0-2446069806
Opcode ID: 9b02b0ce42921f73bd6f96f27a4e975add30b062108c4bb9c9c35c3aa8a86005
Instruction ID: 5a2858eac1e36a3843b95b5e14d25479f08409f980cfde29f5fe6b528789fe54
Opcode Fuzzy Hash: 9b02b0ce42921f73bd6f96f27a4e975add30b062108c4bb9c9c35c3aa8a86005
Instruction Fuzzy Hash: 0D614775B192858FCB05DB6888A466EFFF6AFA5304F1584AFD441DF392C6208D41CB92

Function 09562DD8 Relevance: 2.9, Strings: 2, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4|cq, xrefs: 09562E28
4|cq, xrefs: 09562E43

Memory Dump Source

Source File: 00000000.00000002.1718364313.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9560000_Zam.jbxd

Similarity

API ID:
String ID: 4|cq$4|cq
API String ID: 0-1798997883
Opcode ID: 8d3c392bde3cb358e7461627d2e08c7e59d4f557912df7fbdf937ab6f48d396a
Instruction ID: c94923f5526780bab32208e713d23335ad1a7b51efae82f176b211aee74bc742
Opcode Fuzzy Hash: 8d3c392bde3cb358e7461627d2e08c7e59d4f557912df7fbdf937ab6f48d396a
Instruction Fuzzy Hash: F0C1B435B002118FCB19DF2AC494A6EBBB2BF85340F2684A9E456DB375CB31DD85CB91

Function 00B909F5 Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: d834a1dd17881da73adb3839e0aa08e4d6ca22d4d7053fca38cfb05de97f9ca0
Instruction ID: 4c0177c85933cec9832060c2e9ffa405caf3d9fcf2f6b2418c592d2e2b494284
Opcode Fuzzy Hash: d834a1dd17881da73adb3839e0aa08e4d6ca22d4d7053fca38cfb05de97f9ca0
Instruction Fuzzy Hash: F5A1ED75E152448FCB00DF69C5A8AAEFFF2AF99304B15C4AAE414AB762C731DC44CB91

Function 00B90BB5 Relevance: 2.7, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 943eee072ccc0b06e313195b1c705095c1072b09b31cc8df25262b47a3d6fd72
Instruction ID: d09679d338ae6a9ea2ec8d1204544c0cf08759ba87c38d1d320518338e44f458
Opcode Fuzzy Hash: 943eee072ccc0b06e313195b1c705095c1072b09b31cc8df25262b47a3d6fd72
Instruction Fuzzy Hash: 76713475E142458FCB04DF6888A8A6EFFF6BFA5304B1584EBD4419F3A2C6318D01CB92

Function 00B90DC1 Relevance: 2.7, Strings: 2, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: b01a0a827cc177b284f03bc4723d44886f4684168502d064f82b8430c1f38a5a
Instruction ID: cc7b1590eaa1a743eeb42c92712e74cf6ca974155d76d66eb7e1b7239d6ec1f4
Opcode Fuzzy Hash: b01a0a827cc177b284f03bc4723d44886f4684168502d064f82b8430c1f38a5a
Instruction Fuzzy Hash: BE714971A182858FCB05DF6888A466EFFF6BFA5304F1584AFD4419F392C6218D41CB92

Function 00B90D52 Relevance: 2.7, Strings: 2, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 63fd5ea0a9b9187a44cc8c0d5b7aed5ecec033b29d882b0ace90f491474854ab
Instruction ID: 16c7b1d595deb618d9b15538abbbc1d9fb6ede5a74f2865dda4fb927e48a9b03
Opcode Fuzzy Hash: 63fd5ea0a9b9187a44cc8c0d5b7aed5ecec033b29d882b0ace90f491474854ab
Instruction Fuzzy Hash: 8B713471E152858FCB05DF6888A8A6EFFF2AF95304F15C4AFE4459F2A2C6308D01CB91

Function 00B908CF Relevance: 2.7, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: ca52c914444d79cf21890def2871860237ad25d63111da7c0e59df23ece63cf6
Instruction ID: dafe132cb1b634196a15f26a9a6b2878feace7e17f35a9ef85d02a0acd41a934
Opcode Fuzzy Hash: ca52c914444d79cf21890def2871860237ad25d63111da7c0e59df23ece63cf6
Instruction Fuzzy Hash: C6713871F182818FCB05DB6888A466EFFF6AFA5304F1584AFD4459F392C6308D41CB92

Function 00B9093C Relevance: 2.7, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 5d789d60a81230e475b75bbd25660d778d3b4106b9a44220e93ee89e32039a6d
Instruction ID: 62d95a0c89050115bf00cd658b38ecdbd63ba54bd886faedd1df601626ad2bcf
Opcode Fuzzy Hash: 5d789d60a81230e475b75bbd25660d778d3b4106b9a44220e93ee89e32039a6d
Instruction Fuzzy Hash: A1713671F182858FCB05DB6888A466EFFF6AFA5304F1584AFD4459B392C6318D01CB92

Function 00B90914 Relevance: 2.7, Strings: 2, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 6472c4152c8e58a61e8d1fe49dbe0f1237e004e67b4f04e63a686fa49694200d
Instruction ID: a139deb1f964509ee0727691e7a843be456c1f1584cfdbf100b670ad6bffe860
Opcode Fuzzy Hash: 6472c4152c8e58a61e8d1fe49dbe0f1237e004e67b4f04e63a686fa49694200d
Instruction Fuzzy Hash: 14612671B192858FCB05DB6888A466EFFF6AFA5304F1584AFD441DF392CA308D41CB92

Function 00B90C1D Relevance: 2.7, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: ba787bb3bec5f36be637f9d2d829c8bcfb4fd3fd69f392331e4a3da13d3ef6f1
Instruction ID: d08d2bf331f3b3c940f840958133d86255ab9665e01b968ae63a60220d9d8f79
Opcode Fuzzy Hash: ba787bb3bec5f36be637f9d2d829c8bcfb4fd3fd69f392331e4a3da13d3ef6f1
Instruction Fuzzy Hash: 49611671F192858FCB05DB6888A466EFFF6AFA5304F1584AFD4459F3A2C6318D01CB92

Function 00B90E95 Relevance: 2.7, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: adc1aeafe262f556ab4cf7a9b571350cf3f7c6f8904db683f34942ffae3458aa
Instruction ID: 722658c7157293b0796b05f4967c74498c2e9d226c0c8496a5b03bf1deba27a1
Opcode Fuzzy Hash: adc1aeafe262f556ab4cf7a9b571350cf3f7c6f8904db683f34942ffae3458aa
Instruction Fuzzy Hash: 03614771F192858FCB05DB6888A866EFFF6AFA5314F1584AFD4459F392C6318D00CB92

Function 00B90AE9 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 2a1899e66ea9d756adb41826a09bcb59acb2a07e139e7b9703194b5f6fbc4192
Instruction ID: a76d8492775d71e4f929e2ec1032f15cce0ee75a3dde4f95828c897fbb314bdb
Opcode Fuzzy Hash: 2a1899e66ea9d756adb41826a09bcb59acb2a07e139e7b9703194b5f6fbc4192
Instruction Fuzzy Hash: D6614871F152858FCB05DB6888A866EFFF6AFA5304F1584AFD4459F3A2C6308D40CB92

Function 00B90B41 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 60e4e902c24626719dcce6828ff3f678835ae478eb76f5c0a1be00120ac754f3
Instruction ID: 3be02e1030b5bbe5879dbb1d037bf9e59105c75e0309b24a97c23a323f836045
Opcode Fuzzy Hash: 60e4e902c24626719dcce6828ff3f678835ae478eb76f5c0a1be00120ac754f3
Instruction Fuzzy Hash: AD614771F192858FCB05DB6888A466EFFF6AFA5304F1584AFD4459F3A2C6308D01CB92

Function 00B90E29 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 8d3e5c5128bae2141a48040ed90a99b08bf1a56d68852e9247694015e82a319d
Instruction ID: 317ae454261001c87bd55699a17f5df464354fcfe970ec78896d43c6d331b2f3
Opcode Fuzzy Hash: 8d3e5c5128bae2141a48040ed90a99b08bf1a56d68852e9247694015e82a319d
Instruction Fuzzy Hash: D8611671B192858FCB05DB6888A466EFFF6AFA5304F15849FE441DF392C6318D41CB92

Function 00B909C9 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: f7b7783ca9f30573a1b8b4d6520d740630bfaf084f01ad4b974917fa526e658c
Instruction ID: 147e0e3362d1a2d9ad9db9a7899104616eee1a8b5c19daac7ecc38df853869f2
Opcode Fuzzy Hash: f7b7783ca9f30573a1b8b4d6520d740630bfaf084f01ad4b974917fa526e658c
Instruction Fuzzy Hash: 7E615971B192858FCB05DB6888A466EFFF6AFA5304F15849FD441DF392C6208D41C792

Function 00B90CDC Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: a7556bf641df98b123d00262f8ba7d6483144c250920f97ae6be21048e8f074f
Instruction ID: 7f3534c498eabcdb6a3de9d934a2297b1944bccdd922600e59cc1106fc391062
Opcode Fuzzy Hash: a7556bf641df98b123d00262f8ba7d6483144c250920f97ae6be21048e8f074f
Instruction Fuzzy Hash: EC614975B192858FCB05DF6888A466EFFF6AFA5304F15849FE441DF392C6208D01CB92

Function 00B90D05 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 0eae9522383204756882928f19e8e06181d7fe0facd3d6271cfbf061b24d59d2
Instruction ID: 23ff83e16650ee7beaa9ad00f034d999889d2c764e5a1f230f53135ab1dcbc83
Opcode Fuzzy Hash: 0eae9522383204756882928f19e8e06181d7fe0facd3d6271cfbf061b24d59d2
Instruction Fuzzy Hash: 6F613671B192858FCB05DF6888A466EFFF6AFA5304F1584AFD441DF392CA208D41CB92

Function 00B90EF0 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 7d15887c2851ded8e6452c942272b3e5fb4c51e87cf1cfda691c3e08fa9fa2f6
Instruction ID: d86aecb47180a622c3d0ab1536e25f3139866dd396433e72cb56f6bed4cba98b
Opcode Fuzzy Hash: 7d15887c2851ded8e6452c942272b3e5fb4c51e87cf1cfda691c3e08fa9fa2f6
Instruction Fuzzy Hash: D0515871B142818FCB04DF6888A467EFFF6AFA5304F1484AFE4459F392CA218D01CB92

Function 00B90F98 Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

Te^q, xrefs: 00B90FB0
Te^q, xrefs: 00B910E2

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 6d1307dcfc245e661fde26096ae638f9f221a0383fb8eb71f377007f34618b73
Instruction ID: 7d35ba1409b7c360852caad41e3931c1e0ff0d0038868573677758a90071e4f2
Opcode Fuzzy Hash: 6d1307dcfc245e661fde26096ae638f9f221a0383fb8eb71f377007f34618b73
Instruction Fuzzy Hash: 9041D231B102058FCB14DFA9C995A7FBAE6FB88340F20846AE505EB364CA749E41CB91

Function 09562106 Relevance: 1.8, Strings: 1, Instructions: 561COMMON

Download Yara Rule

Strings

D, xrefs: 0956210B

Memory Dump Source

Source File: 00000000.00000002.1718364313.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9560000_Zam.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: eeb1437b0d234dbb0b614791266c3676b3b67974e2f92f2652ef8891cfaeca60
Instruction ID: 5fbf1da06eb6f0ab9d4e6d411e863ed8a0cf41a2786dc5d9c53cb55c7fcf6d55
Opcode Fuzzy Hash: eeb1437b0d234dbb0b614791266c3676b3b67974e2f92f2652ef8891cfaeca60
Instruction Fuzzy Hash: 7452C874A002189FCB64DF28D998A9EBBB6FF89300F1085D9D509A7365DB34AEC1CF51

Function 00B91B47 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

og!<, xrefs: 00B91B6D

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: og!<
API String ID: 0-2892598408
Opcode ID: 19baac42ed3f7165892da06d255a09b4ffd5c7a2a4df874cabf5f23cf6d163f1
Instruction ID: c99dcc904754df7192f7efa2c7c0154c770532f7db78f51ed5fc2af0e134d893
Opcode Fuzzy Hash: 19baac42ed3f7165892da06d255a09b4ffd5c7a2a4df874cabf5f23cf6d163f1
Instruction Fuzzy Hash: DFB13271A09245DFCF09CF28C8A04697BF2BFA5304B6784EAE4429B2A2D734ED45CB45

Function 0EAB21F0 Relevance: .6, Instructions: 602COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720560920.000000000EAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eab0000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02033402a479f337086e1a2b235891921f2f98c1e5a98ab5e5e04bf52a48c812
Instruction ID: 8b8411fc159830f050dab588a152e95ff44be715a40e555a9d7e3c2467a20ddc
Opcode Fuzzy Hash: 02033402a479f337086e1a2b235891921f2f98c1e5a98ab5e5e04bf52a48c812
Instruction Fuzzy Hash: 8B329E70B012049FDB19DBB9C560BAEB7FAAF89700F1444AAE105DB3A2DB35DD01CB65

Function 00B91D36 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8fd58a0d75553540cee60319a55f8a52db3372671e4a20fc80d4d07652818e
Instruction ID: 39b791b3a3b029037becf338f4f2736a3b316eca3d74c37b5f8c3236b40219f5
Opcode Fuzzy Hash: 3c8fd58a0d75553540cee60319a55f8a52db3372671e4a20fc80d4d07652818e
Instruction Fuzzy Hash: 18B12475A09245CFCF09CF28C8E04697FF2BFA5304B6744EAE4429B2A2D734E945CB46

Function 00B92310 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e99871721eb8363d8fafbcb25c8d39b4d999a9bf223352182b234c5e7cdf61f
Instruction ID: c0943acb3c52721f1e2000ed88b84b0916db28355a9f69e4f733fc15163f858c
Opcode Fuzzy Hash: 7e99871721eb8363d8fafbcb25c8d39b4d999a9bf223352182b234c5e7cdf61f
Instruction Fuzzy Hash: BFA1F371A08205DFDB18CF18C9D142A7BF6ABA5300B6684FBE456DF2A2C734E841CB49

Function 00B91F01 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d07b33b1d3382ee0fb51248681abb6d13441a4f56c38a2507c405c3987f061f
Instruction ID: f9eb2693c15e561532dcfbee97d551bba9d9f4ae93b50d7e2b4e54394f4ea258
Opcode Fuzzy Hash: 2d07b33b1d3382ee0fb51248681abb6d13441a4f56c38a2507c405c3987f061f
Instruction Fuzzy Hash: D6A14371A0D245DFCF09CF28C8A04697FF2BFA5304B6744EAE4429B2A2D730E945CB85

Function 00B92082 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9badeaa52b5df72c5ab54d3646492c9c03c0a34d18b53511a8372fda703a9437
Instruction ID: aa6ea6f1c972d0d5fd9a62a80103e7c0d42385b42ae338ba86359e4bf74d25c7
Opcode Fuzzy Hash: 9badeaa52b5df72c5ab54d3646492c9c03c0a34d18b53511a8372fda703a9437
Instruction Fuzzy Hash: DAA12375A0D244DFCF09CF28C8A44697BF2AFA5304B6744EAE4429B2A2D734E945C785

Function 00B91C59 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f4d22800be37a60295b702c141c7e296e9090f756a812d8a6b781999a3ef90
Instruction ID: e4616d2751ab18dc125cd2e59a06718e007e45fe4770f6f84acf2eaae1a19425
Opcode Fuzzy Hash: e2f4d22800be37a60295b702c141c7e296e9090f756a812d8a6b781999a3ef90
Instruction Fuzzy Hash: 6BA13475A09244DFCF09CF28C8A04697FF2BFA5304B6744EAE4429B2A2D734EC45CB85

Function 00B92015 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7000e7809c19f65648b64962d7d07efaf6edcd0c3cad8e084346b1d51c6fac8b
Instruction ID: 68f3c0edfa1e93a5204fbb08580549b27e4a2d2627595d1316d4717fbcf5351f
Opcode Fuzzy Hash: 7000e7809c19f65648b64962d7d07efaf6edcd0c3cad8e084346b1d51c6fac8b
Instruction Fuzzy Hash: BFA1F375A09244DFCF09CF28C8A44697BF2BFA6304B6744EAE4429B2A2D734ED45CB45

Function 00B91DAB Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a7ba7c8d562371721a3fc84506b719b906012963efe1e8352dde5e2ea9e149
Instruction ID: d80634cf53f9ec6c4df3133d475508a0a9d678c4f6f5e62d5e956429fe61969d
Opcode Fuzzy Hash: 51a7ba7c8d562371721a3fc84506b719b906012963efe1e8352dde5e2ea9e149
Instruction Fuzzy Hash: 28A12375A0D244DFCF09CF28C8A04697BF2BFA5304B6744EAE4429B2A2D734E945CB85

Function 00B92047 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b02f3f12df9763bcb44de33a2115bd484755244404c2bdd8260a420a9095c7
Instruction ID: 21303dfcf4a3d6ac46121c7fc9af72052a5be03f04afb0e54918eef4610ebfce
Opcode Fuzzy Hash: 87b02f3f12df9763bcb44de33a2115bd484755244404c2bdd8260a420a9095c7
Instruction Fuzzy Hash: D2A12375A09244DFCF09CF28C8A44697FF2BFA5304B6744EAE4429B2A2D734E945CB46

Function 0EAB0040 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720560920.000000000EAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eab0000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125c673286310f764bc5be26a949b35471247ac770e5e5b3e9c8794ebbbf55ea
Instruction ID: 147be240550cc55ebeaacf4570236e0fe320676aeede8ba50f51fb6dbf7ef8a1
Opcode Fuzzy Hash: 125c673286310f764bc5be26a949b35471247ac770e5e5b3e9c8794ebbbf55ea
Instruction Fuzzy Hash: 9CA10771D05218CFDB64CF66C8807EABBBAAF89300F14D1AAD409A7251EB705E85CF44

Function 00B921F7 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5707d139fdcfd716e6c0aa39695c1deb9eddc94b9f0962865ff44008e78fab
Instruction ID: 10a07d6cf94e9007ef5508dc297dead3f9bcb14798690a8c5acb19f0a405e75d
Opcode Fuzzy Hash: 1a5707d139fdcfd716e6c0aa39695c1deb9eddc94b9f0962865ff44008e78fab
Instruction Fuzzy Hash: 8A910475A0D244DFDF09CF28C8A04697BE6AFA5304B6344EAE4429B2A2D734E941CB85

Function 00B9A698 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7ee3edfdf720364e9b375eec17b0f545197bb9eb4773f6693b48bcf4946c79
Instruction ID: 915202fc2c4de181ad2e4109c17706ee953e53329c1e913b39f72001597d30ba
Opcode Fuzzy Hash: ad7ee3edfdf720364e9b375eec17b0f545197bb9eb4773f6693b48bcf4946c79
Instruction Fuzzy Hash: 12313D623143515FCB099B78486616F7FEF9FC52007158477E045CB366DE38CC0683A1

Function 00B9752C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9bab054c8cac711568b492b588a8468268ef36ee8f42fa9c2624160c2493c7
Instruction ID: 3d0fec4e0732ab3bc60c4655896683e9f8e9c4e8fe3cea13322db42ece73ccc4
Opcode Fuzzy Hash: cb9bab054c8cac711568b492b588a8468268ef36ee8f42fa9c2624160c2493c7
Instruction Fuzzy Hash: B0210DF17102155BCF08AAB8495A22F69DF9BD8740B24893AF007D77A5DE3DCC0243E6

Function 09856CF2 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051fd83ce9294e3807cfbb93fb746ca4e4ac8de06a95bd779fd7157c05b963a0
Instruction ID: de3b41443fffa90a22c4d41d111f9c6d56bdfdc83190ee727d03a94a5ab180d5
Opcode Fuzzy Hash: 051fd83ce9294e3807cfbb93fb746ca4e4ac8de06a95bd779fd7157c05b963a0
Instruction Fuzzy Hash: FC21D5B0D056589BEB18CFABD8457DEFEF6AFC9300F04C06AD409A6264EB7419498F90

Function 09856D00 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81017d2f7616bba67867c7e89046065bb526ebcc0a56489f603e58247696c9c8
Instruction ID: 50c9f7682c4f9271bd597096c0006239d2281fc6dbe449da7ca55dce4b297720
Opcode Fuzzy Hash: 81017d2f7616bba67867c7e89046065bb526ebcc0a56489f603e58247696c9c8
Instruction Fuzzy Hash: 6321B7B0D016189BEB18CFABC8457DEFAF7BFC8344F04C16AD809A6264EB7419458F90

Function 0EAB035E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720560920.000000000EAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eab0000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c94f271f983d2a26c08ae1af594fce50ea8e309ba84c4b9cb9130ce6513b96
Instruction ID: 81e55bd147d10be12a3d5aa954d0b82b75c9aaba480a53f3130808a13dc64057
Opcode Fuzzy Hash: 50c94f271f983d2a26c08ae1af594fce50ea8e309ba84c4b9cb9130ce6513b96
Instruction Fuzzy Hash: B6D0427494A248DBCB54DF55D4856FBBBBCAB0E210F506155880AA7212D7319C80CA19

Function 0985C964 Relevance: 1.7, APIs: 1, Instructions: 248processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0985CBA6

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8a0a11c4544684bbb6daa2a53a1db11449df4e78e9469f103249e8d451505873
Instruction ID: 7ac6d5e02e4a642cb63d0cbdf3d9e36ea7573b3ae097554c9fe55849bd753852
Opcode Fuzzy Hash: 8a0a11c4544684bbb6daa2a53a1db11449df4e78e9469f103249e8d451505873
Instruction Fuzzy Hash: 5EA11971D003199FDB25DF68C841BEEBBB2AF44314F1481AAE849E7350D7749989CF92

Function 0985C970 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0985CBA6

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f149497f3b4762fce1ab08aa1f11b94ff35c994b9eca6e95156494811e1375e7
Instruction ID: 88edd771622f93b848ff3ee5741ade7a852d644cfd152659ce731e64d8600269
Opcode Fuzzy Hash: f149497f3b4762fce1ab08aa1f11b94ff35c994b9eca6e95156494811e1375e7
Instruction Fuzzy Hash: EE9129B1D003199FDB25DFA8C841BADBBB2AF48314F1481A9E849E7350DB749989CF91

Function 00B99034 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00B990F1

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2cc2331adb4a083f8007100a15daa52d8405f93de6333ab4e8aa4665e3252cc5
Instruction ID: 640742971b0becc200508365165701f61c020c054348da150ed29e4ccbd88c71
Opcode Fuzzy Hash: 2cc2331adb4a083f8007100a15daa52d8405f93de6333ab4e8aa4665e3252cc5
Instruction Fuzzy Hash: 8641DFB1C00619DFDB24CFA9C884ADDBBF5BF49304F2480AAD408AB255DB756986CF91

Function 00B97BFC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00B990F1

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f4c912630e546184d9d9dd24ad82bce30d1caaf65cf3498c52a019a5a46c791b
Instruction ID: eed369914bb39bb1f160271893dedb4664537667b49df064dd60f0373f5caa78
Opcode Fuzzy Hash: f4c912630e546184d9d9dd24ad82bce30d1caaf65cf3498c52a019a5a46c791b
Instruction Fuzzy Hash: 7541D1B0C00619DBDB24CFA9C848BDEBBF5FF49304F2081AAD418AB255DB756985CF90

Function 0956AE30 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0956AE1D,?,?), ref: 0956AECF

Memory Dump Source

Source File: 00000000.00000002.1718364313.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9560000_Zam.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 3b7c2c16a8d667f9abd197b9d7d07e4cdbd6da48ae47b931d325bf5ff63f9f2f
Instruction ID: 5d3557bfdd0294a8899b0c2344ad72a937a72b7b7d566eadc642fa375c3eae44
Opcode Fuzzy Hash: 3b7c2c16a8d667f9abd197b9d7d07e4cdbd6da48ae47b931d325bf5ff63f9f2f
Instruction Fuzzy Hash: A131E4B59002499FDB10CF9AD8846DEFBF5FF48320F14842AE858A7210D774A944CFA0

Function 0985C6E1 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0985C778

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: aaa9b0ab61096087db151fc0a71aad520b4220a1d2b021c066b48af58fd2e8b7
Instruction ID: f2b7f9cb1002ae2000cc8d0013e92033f62603094a48ac6ccea337738997b41a
Opcode Fuzzy Hash: aaa9b0ab61096087db151fc0a71aad520b4220a1d2b021c066b48af58fd2e8b7
Instruction Fuzzy Hash: 402157B59003499FDB10CFA9C881BEEBBF4FF48324F10842AE959A7250C7749944CFA5

Function 09569FB4 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0956AE1D,?,?), ref: 0956AECF

Memory Dump Source

Source File: 00000000.00000002.1718364313.0000000009560000.00000040.00000800.00020000.00000000.sdmp, Offset: 09560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9560000_Zam.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 06dbc254438211f8f8e4cd1af5729d7a72c0e637cfd899a0e0f7307220977de3
Instruction ID: eaf4357d48b9fc6c1efa432d9e324c9bce1a0451336b52bf7bcedeab1307cb97
Opcode Fuzzy Hash: 06dbc254438211f8f8e4cd1af5729d7a72c0e637cfd899a0e0f7307220977de3
Instruction Fuzzy Hash: 4731C4B59012499FDB10CF9AD8846DEFBF5FF58320F14842AE959A7310D774A944CFA0

Function 0985C6E8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0985C778

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: abd17532e2122761e1a557f81ee52c37130115c4d4b238849311d72de807f2db
Instruction ID: 263c9a02d802898ea20d357c893d513f30a2b20a1e00f48343845785efd6321e
Opcode Fuzzy Hash: abd17532e2122761e1a557f81ee52c37130115c4d4b238849311d72de807f2db
Instruction Fuzzy Hash: 9A2144B59003099FCB10CFAAC884BDEBBF5FF48320F10842AE959A7250D7789944CFA4

Function 0985C7D1 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0985C858

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9e03ddf0cdbd19c520e7cc5a78f9a5e08d85594fa7d9d27919987d645139c198
Instruction ID: f1daac0c542517a0d411bf65a6325ae88af83ad269182318566d7506017cece1
Opcode Fuzzy Hash: 9e03ddf0cdbd19c520e7cc5a78f9a5e08d85594fa7d9d27919987d645139c198
Instruction Fuzzy Hash: EA2125B18003599FDB10CFAAC885AEEBBF5FF48320F10842EE959A7250C7349944CFA5

Function 0985C118 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0985C196

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0a577113e7260a34e3301976a02927470f6a8da3f7b1b7c1fb2687e45620bada
Instruction ID: cfc30281cfe994bb8a3e3b97c3d3f530bc28cdbf33fc245749a6f1d955d84b20
Opcode Fuzzy Hash: 0a577113e7260a34e3301976a02927470f6a8da3f7b1b7c1fb2687e45620bada
Instruction Fuzzy Hash: 3C2137B19003098FDB10DFAAC4857EEBBF4EF48364F148429D459A7240DB789948CFA5

Function 0985C7D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0985C858

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a81cb0259f0ca7f915d386089a91b2ac5b0da69c86b2791784646b975c31fdbb
Instruction ID: de7fa33e5464cf13d4f1a345d7b7cf29c993ad1f3a0c37cb5060eb7af829878a
Opcode Fuzzy Hash: a81cb0259f0ca7f915d386089a91b2ac5b0da69c86b2791784646b975c31fdbb
Instruction Fuzzy Hash: 3A2116B18003599FCB10DFAAC884AEEBBF5FF48320F108429E959A7250D7749944CBA5

Function 0985C620 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0985C696

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 96c2523aa0f6493f374f92e9e892efaef01b65de21b670a8ce299891b84dae46
Instruction ID: 21f8a24be2b2ff46596a4e6266405a8b30f204d0482a68b104ea60431ba377fd
Opcode Fuzzy Hash: 96c2523aa0f6493f374f92e9e892efaef01b65de21b670a8ce299891b84dae46
Instruction Fuzzy Hash: 7D1144B29002499FCB10DFA9D844AEFBFF5EF88320F20841EE559A7260C7359944CFA1

Function 0985C061 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0985C0CA

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b6580840160add8f6647a7e0d87747a4a5ccca516d97366be1d64320af7a42f6
Instruction ID: 71d88f47e3619308c75eed15875a10d80afddde9470ea1408556f7b9eb03bc99
Opcode Fuzzy Hash: b6580840160add8f6647a7e0d87747a4a5ccca516d97366be1d64320af7a42f6
Instruction Fuzzy Hash: DF1137B19003488BDB20DFAAD4457EEFBF4EF88324F20841DD559A7250CB75A944CFA5

Function 0985C628 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0985C696

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 673136bc65f5df8cb9566c5a8878913fe7025c70c9a0cc278eb85794c714e820
Instruction ID: 59715488d4cba7783253606c058a21a9aa130c95c420684761385012f14d6606
Opcode Fuzzy Hash: 673136bc65f5df8cb9566c5a8878913fe7025c70c9a0cc278eb85794c714e820
Instruction Fuzzy Hash: 341126B19002499FCB10DFAAC844BDEBFF5EF88320F148419E559A7250C775A944CFA5

Function 0985C068 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0985C0CA

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 850350c3b67e6ae2a1d721a033f7e06e1394227ec650ee751933f678848717b0
Instruction ID: 064f274186c95dca42b4bd1a7138ff8a977895ab3795eb80c77824f5d6866782
Opcode Fuzzy Hash: 850350c3b67e6ae2a1d721a033f7e06e1394227ec650ee751933f678848717b0
Instruction Fuzzy Hash: BA1125B19003498BDB20DFAAC4457DEFBF4EF88324F208429D559A7250CB75A944CFA5

Function 0EAB11B0 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0EAB1215

Memory Dump Source

Source File: 00000000.00000002.1720560920.000000000EAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eab0000_Zam.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a93b81795f9922266c1ff48ed9555b6fa92079d194b882410d1d6831c01442c8
Instruction ID: d1a10449e0b8675784d7706bfc0e79a10f7613e929135e5f4dfc3c23433c404e
Opcode Fuzzy Hash: a93b81795f9922266c1ff48ed9555b6fa92079d194b882410d1d6831c01442c8
Instruction Fuzzy Hash: 851125B58003499FDB10DF99D449BDEBFF8EB58324F10842AD558A3210D375A980CFA5

Function 00B9E6A0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B9E706

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e70f175e0da6e6cf550d5f24258ceac43cd7361e742ebdf8049614f7f9ff0fe6
Instruction ID: 234072b8bcc05cc0c779799ccdeb55ff949bec0e9eaff2e839bc1d91dce06e4d
Opcode Fuzzy Hash: e70f175e0da6e6cf550d5f24258ceac43cd7361e742ebdf8049614f7f9ff0fe6
Instruction Fuzzy Hash: 28110FB6C003498FDB10CF9AD444ADEFBF8EF88320F10846AD468A7210D379A945CFA1

Function 0EAB11B8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0EAB1215

Memory Dump Source

Source File: 00000000.00000002.1720560920.000000000EAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eab0000_Zam.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6c7be3b2a4cc1c0b51105508642662f70712324d60b81c43468996071f8c96e2
Instruction ID: a8056887f32ce7d5179c23007cb2c9b4683004f8bb34999192b5ecfdcd3c7431
Opcode Fuzzy Hash: 6c7be3b2a4cc1c0b51105508642662f70712324d60b81c43468996071f8c96e2
Instruction Fuzzy Hash: B211D0B58003499FDB10DF9AD989BDEBBF8EB48324F10841AE558A7210D375A984CFA5

Function 00B1D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709600367.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e1c6288b9197ffd356c69bd9b19d5f265960746060d75470b2b931cf01848c
Instruction ID: 36ff866176b2cd9c7fa0829af2020bfdc20d552587656e8ac9427e558b919774
Opcode Fuzzy Hash: f0e1c6288b9197ffd356c69bd9b19d5f265960746060d75470b2b931cf01848c
Instruction Fuzzy Hash: 48213A71500204DFDB05DF14D9C0B57BFA5FB98314F60C5A9E9094B356C336E896C7A2

Function 00B2D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709654926.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668961aefed22b8d1a5eeb97d760e1fc9bfdc3912fc52cc258f1ec1f60b683a0
Instruction ID: a0677603087c8468413cfa77e3d49ab69c020dec91609f32ff5400c5017a9899
Opcode Fuzzy Hash: 668961aefed22b8d1a5eeb97d760e1fc9bfdc3912fc52cc258f1ec1f60b683a0
Instruction Fuzzy Hash: 0B212671604200EFDB05DF14E9C4B26BBE5FB88314F30CAADE80D4B296C33AD846CA61

Function 00B2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709654926.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aac37bed2a54b84fb090d2422b70a0662a4acd9fc94686b3addd42011a50447
Instruction ID: 4a4f368cc8c923b414480a4da205a97561bbc74d0aa393485cfbbe216ff3d984
Opcode Fuzzy Hash: 3aac37bed2a54b84fb090d2422b70a0662a4acd9fc94686b3addd42011a50447
Instruction Fuzzy Hash: F921F271604240DFCB14DF14E9D4B27BBA5EB88314F20C6ADD94E4B2A6C33AD847CA61

Function 00B2D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709654926.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f237d22cc1354dac667432c7e68c6af51ea7c616856e4ccb04d97cea2275550a
Instruction ID: 22407f998e189617e72028760317e4bb4ed8662aafefd3e07266fa17a96bb585
Opcode Fuzzy Hash: f237d22cc1354dac667432c7e68c6af51ea7c616856e4ccb04d97cea2275550a
Instruction Fuzzy Hash: AC21A4755083809FCB02CF14D994B12BFB1FB56314F28C5DAD8498F2A7C33A980ACB62

Function 00B1D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709600367.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: cc9f84b3c9cd667efd1569c503eb90ec334340ea0870d2cc3d28077b37a26688
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: AA110372504240CFCB16CF00D5C4B56BFB1FB94324F24C6A9D8090B356C33AE85ACBA1

Function 00B2D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709654926.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: ec06dfff73b3149921f8b3b16e2ed5fdadc9dd48790dfcee92b225b28e45a421
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: AE118B75504280DFDB16CF14D5C4B15BBA1FB84314F24C6AAD8494B696C33AD84ACB61

Function 00B1D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709600367.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736c675611ee33db88d9ce9282ae6face7310cbba69423d9cde79238915b6a5f
Instruction ID: 10339dda3cbaabf6860c6b0a4e5d19d27998a618ca3d153eab4f30b395e2eddd
Opcode Fuzzy Hash: 736c675611ee33db88d9ce9282ae6face7310cbba69423d9cde79238915b6a5f
Instruction Fuzzy Hash: C901A7711083409AE7145B29CDC4BA7BFD8DF41364F58C5AAED194A2C6D6799C80C6B1

Function 00B1D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709600367.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b1d000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b809ddd9d6f13fe55556360bdd55307b5bf2d93b0bbc1cb2af58c0682d12c1
Instruction ID: 2a55005b0f629d8e053fece97769860ead802446ed76259ec7131ecebba22e94
Opcode Fuzzy Hash: d8b809ddd9d6f13fe55556360bdd55307b5bf2d93b0bbc1cb2af58c0682d12c1
Instruction Fuzzy Hash: E3F062714083449AEB149F1AD888BA2FFE8EF51734F18C55AED084A286C2799C84CAB1

Non-executed Functions

Function 09850040 Relevance: 7.3, Strings: 5, Instructions: 1028COMMON

Download Yara Rule

Strings

pbq, xrefs: 09850D13
TJcq, xrefs: 098501E6
4'^q, xrefs: 09850C3C
xbaq, xrefs: 09850171
Te^q, xrefs: 09850897

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID:
String ID: 4'^q$TJcq$Te^q$pbq$xbaq
API String ID: 0-2576840827
Opcode ID: 498bb230bf47ac03f821c87438aae545910a40872659b62ac0bcbcbb2df01e32
Instruction ID: 82a6b14b4e1971c65c7ed54c9993d6919ad743985d87929cf73c078368ea4ce3
Opcode Fuzzy Hash: 498bb230bf47ac03f821c87438aae545910a40872659b62ac0bcbcbb2df01e32
Instruction Fuzzy Hash: 3AB2B475A00228DFDB64CF69C984AD9BBB2BF89304F1581E9D50DAB325DB319E85CF40

Function 09850012 Relevance: 4.0, Strings: 3, Instructions: 265COMMON

Download Yara Rule

Strings

TJcq, xrefs: 098501E6
xbaq, xrefs: 09850171
Te^q, xrefs: 09850897

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$xbaq
API String ID: 0-3225726259
Opcode ID: 4e315d765f5264d288dd5797910b3c32f2030ad8a43ff0696538bd3a4f8eca5a
Instruction ID: f667bc4cdb7189774cc23be08b0b7a601c2efd0da95d1ed003defe098ffdcab5
Opcode Fuzzy Hash: 4e315d765f5264d288dd5797910b3c32f2030ad8a43ff0696538bd3a4f8eca5a
Instruction Fuzzy Hash: 7DC19875E016588FDB19DF6AD9846D9BBF2BF89300F14C0EAD809AB325DB305A85CF50

Function 0985B840 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

DET, xrefs: 0985BA0B

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID:
String ID: DET
API String ID: 0-3832053673
Opcode ID: 74bee507eef4005adc5f678f82c5584f9bc36efc37115e04d077ec5148d94281
Instruction ID: a3581580553c93ba0afd51b29c8940807480f191a86b1b1df10d328034ab0d1d
Opcode Fuzzy Hash: 74bee507eef4005adc5f678f82c5584f9bc36efc37115e04d077ec5148d94281
Instruction Fuzzy Hash: 17E109B4E001198FDB14DFA9C5909AEFBB2FF89304F248169E815AB35AD730AD45CF61

Function 0985C1F0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

IT, xrefs: 0985C3BB

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID:
String ID: IT
API String ID: 0-1496770201
Opcode ID: cfe5aa5166e089b44f3f1e07fb1bf490ccb30505bb39c17f626f746b8b799988
Instruction ID: 704dc9cd3435cc78087d1778178c29028c7f060853c13c920128424b02afdca9
Opcode Fuzzy Hash: cfe5aa5166e089b44f3f1e07fb1bf490ccb30505bb39c17f626f746b8b799988
Instruction Fuzzy Hash: 6DE1F8B4E002198FDB14DFA9C5909AEFBF2BF89304F248169E855AB356D730A945CF60

Function 0985A5A0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

p8T, xrefs: 0985A76E

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID:
String ID: p8T
API String ID: 0-3339250524
Opcode ID: 12c1bc281ca8ec0dc6aefab072a0d1e37d4dc81ebf4123ecf02d23c373e07e3c
Instruction ID: fc5b5a804341111e62505bd96bbe32313be5a1ca49f3bb9762d497eca4c544e1
Opcode Fuzzy Hash: 12c1bc281ca8ec0dc6aefab072a0d1e37d4dc81ebf4123ecf02d23c373e07e3c
Instruction Fuzzy Hash: 88E10D74E001198FDB14DF99C5909AEFBF2FF89304F248269E855A7359D730A945CF60

Function 00B93790 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

S6eF, xrefs: 00B93860

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID: S6eF
API String ID: 0-1596955957
Opcode ID: 596e916a25b1d063cfd083af179ddd75533e0379263909aa1a6c90694e322fd5
Instruction ID: 10a2bffcb78415a04cb4e78d2bf166c6c8064cb720972078d12b101b680c8afd
Opcode Fuzzy Hash: 596e916a25b1d063cfd083af179ddd75533e0379263909aa1a6c90694e322fd5
Instruction Fuzzy Hash: 0241A2B1F102198FCF44CBA9C8C596EB7F6EB88B00B258176E905E7355D338DE418B91

Function 09859D30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3dd0d00954e75d9c2b68c37755f3ce012f8ceb3125386cbcfba53bc26d679b
Instruction ID: 4921997128465218dcd77455302f15b7354c45e0f8d69b107ba2b6c6e1372c3a
Opcode Fuzzy Hash: fa3dd0d00954e75d9c2b68c37755f3ce012f8ceb3125386cbcfba53bc26d679b
Instruction Fuzzy Hash: 76E1F974E00219CFDB14DFA9C5909AEFBB2BF89304F248169E819EB356D731A945CF60

Function 0985A168 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540cd2eb819cdacaa6c2e86955ffb84ec4eb1d992fccd85939a15186dda0d953
Instruction ID: 9cc2c8af489c12e8619dfe1a2c34517d4e236db744b5c8f032251532766fb51d
Opcode Fuzzy Hash: 540cd2eb819cdacaa6c2e86955ffb84ec4eb1d992fccd85939a15186dda0d953
Instruction Fuzzy Hash: 9BE109B4E001198FDB14DFA9C5909AEFBB2FF89304F248269E815AB356D731AD45CF60

Function 098528D8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2bb2de78257c730d133a02f75e25c012e2163b3a91b7c7f8c67a311e012457
Instruction ID: 110e9eafe2edb53f782570d2f074141574437a0f160e048a69421dbb35fbb554
Opcode Fuzzy Hash: bf2bb2de78257c730d133a02f75e25c012e2163b3a91b7c7f8c67a311e012457
Instruction Fuzzy Hash: E6A1E174D05218CFDB14CFA9C844BEDBBF2BB89304F1490AAD81AA7355DB345A8ACF41

Function 098528E8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718968569.0000000009850000.00000040.00000800.00020000.00000000.sdmp, Offset: 09850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9850000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99351dc72be6992382d49c60b98c309843cddc81848b9a85d3b665be2cab3c62
Instruction ID: e0e4e1e86600f0b4836b0b69b88a9e78103fd45486520927cddd2d1ff589fa58
Opcode Fuzzy Hash: 99351dc72be6992382d49c60b98c309843cddc81848b9a85d3b665be2cab3c62
Instruction Fuzzy Hash: 9DA1E174D0522CCBDB14CFA9C844BEDBBF6BB89304F14916AD81AA7355DB345A8ACF40

Function 00B92B40 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5ce2df7fb5124053e6cedcac28088be7152685bce04e17bedea9fce085f2dc
Instruction ID: 9a7345495c245aff5e0cbcbf6745351334938aec7ca847d47d8cc42a1aa39b55
Opcode Fuzzy Hash: 1f5ce2df7fb5124053e6cedcac28088be7152685bce04e17bedea9fce085f2dc
Instruction Fuzzy Hash: 5E713532E042459FCB14CF28C981A6ABBF5FF85314B25C9FBE056CB662D634E845CB42

Function 00B916B8 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871061a90cfedb212862a0056b583826e0a204da2c5ac51b97435f74790fdc04
Instruction ID: 86c45e6fc031ac6604026e57aca2e1de62b3069e33d573441bcebb2ed67109a3
Opcode Fuzzy Hash: 871061a90cfedb212862a0056b583826e0a204da2c5ac51b97435f74790fdc04
Instruction Fuzzy Hash: F2517B7AF052078FC708CA6CD8D45AAB7EABB84350B64C8B6D106DB741CB34DD15E7A1

Function 00B92C58 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3ed59ce289c54ae52b8081911540cbefbab4d51fd5e3976eb7839c6a6e8e68
Instruction ID: 80f68b87cad9fcbb3ea385d53fd4443d197b6c1ee3898ced62eca03d4f5c78df
Opcode Fuzzy Hash: 9e3ed59ce289c54ae52b8081911540cbefbab4d51fd5e3976eb7839c6a6e8e68
Instruction Fuzzy Hash: F041A171E10616CFCB54CB69C981A6AB7F6FF84350B20C8BAE05ACB674D634D941CB01

Function 00B916A8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2281fe70ddad1ba725f8bf651e31df1c6d1bd6f3243ca0a40c4ab6b6b150abc5
Instruction ID: f636ea4bfcc713fb506f919134059a0d286a8c8aa487716f88c698318aff2486
Opcode Fuzzy Hash: 2281fe70ddad1ba725f8bf651e31df1c6d1bd6f3243ca0a40c4ab6b6b150abc5
Instruction Fuzzy Hash: 99410E76F052079FCB04CEADC9C05AAB7E9FB80340BA4C9B6D516DB640D734EE14A7A1

Function 00B93780 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710677554.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225f11619e7a3cfb59e423d44ad5251c9d8598bd156593d9caac56243ca80aba
Instruction ID: e707545da4ef3909d31e695944cb8f38fce73b65e8a54f257dc767beeefa0227
Opcode Fuzzy Hash: 225f11619e7a3cfb59e423d44ad5251c9d8598bd156593d9caac56243ca80aba
Instruction Fuzzy Hash: 9541A2B1F142198FCF44CBA9C8C59AEBBF6EB88700B158176E905E7361D338DE458B91

Function 0EAB003E Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720560920.000000000EAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eab0000_Zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbaf204c8a7d25946350792353b323a75fa3857389897ced75e6269b7a3da606
Instruction ID: c30803488b1cf70caae26490b4e85767e9da6f2ab57a8793fdf774ebfcddd16a
Opcode Fuzzy Hash: bbaf204c8a7d25946350792353b323a75fa3857389897ced75e6269b7a3da606
Instruction Fuzzy Hash: 7A316C71D05728CBEB28CF5798443DAFAF7AFC9301F14C1AA850C66255DB740A85CF55

Analysis Process: RegSvcs.exePID: 7744, Parent PID: 7276COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.7%
Total number of Nodes:	70
Total number of Limit Nodes:	8

Executed Functions

Function 05A87B3F Relevance: 16.1, Strings: 12, Instructions: 1141COMMON

Download Yara Rule

Strings

$^q, xrefs: 05A87F97
$^q, xrefs: 05A88047
$^q, xrefs: 05A87FA7
$^q, xrefs: 05A88057
$^q, xrefs: 05A87DD3
$^q, xrefs: 05A88431
$^q, xrefs: 05A8848A
4, xrefs: 05A88525
$^q, xrefs: 05A87DE3
$^q, xrefs: 05A8847A
,bq, xrefs: 05A8860A
$^q, xrefs: 05A88421

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-312445597
Opcode ID: d932f681fb2ac38884e64e53e4b3ed87c8b8ecd92204e4ef5aaf71cccc620416
Instruction ID: d7be3d227f4c9ce10c1b3bbbaf11adba6ec6613d8b7f0f3cbd62acec4440ef23
Opcode Fuzzy Hash: d932f681fb2ac38884e64e53e4b3ed87c8b8ecd92204e4ef5aaf71cccc620416
Instruction Fuzzy Hash: 2CB20530A002198FDB14DFA8C884FADB7B6FB48700F5485A9E515AB3A4DB75EC85CF50

Function 05A87E77 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$^q, xrefs: 05A87F97
$^q, xrefs: 05A88047
4, xrefs: 05A88525
,bq, xrefs: 05A8860A
$^q, xrefs: 05A8847A
$^q, xrefs: 05A88421

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: ,bq$4$$^q$$^q$$^q$$^q
API String ID: 0-2546334966
Opcode ID: 86490218451aa721f98ff24b6a9a4ab8d1632be6fc184005cc1c3c39fbddc9ff
Instruction ID: 9b14d80719013a3880c7cab4933cb2c2787af63456769fa2608fec06f2912bfb
Opcode Fuzzy Hash: 86490218451aa721f98ff24b6a9a4ab8d1632be6fc184005cc1c3c39fbddc9ff
Instruction Fuzzy Hash: F022F734A00219CFDB24DFA4C984FA9B7B2FF88704F5485A9E509AB3A4DB359D81CF50

Function 0612C158 Relevance: 5.7, Strings: 4, Instructions: 675
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xbaq, xrefs: 0612C1B9
Te^q, xrefs: 0612C48B
TJcq, xrefs: 0612C1E8
pbq, xrefs: 0612C784

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$pbq$xbaq
API String ID: 0-1954897716
Opcode ID: 0e3fc3dad50cf05260dfbecda2c109b02fc942f80fdaaf65f948647d247a53dd
Instruction ID: e66103ba613254641c2fa01c2ed3ce242ad2a5bb8febc05ab8b6bbb830c6cc23
Opcode Fuzzy Hash: 0e3fc3dad50cf05260dfbecda2c109b02fc942f80fdaaf65f948647d247a53dd
Instruction Fuzzy Hash: 12522975A001259FDB95CF68C984E5DBBB2FF48314F1581A8E609AB276CB31EC91DF80

Function 0568DBE0 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0568DC8F
4'^q, xrefs: 0568DCBA

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: d0799f39d9c7406fb9638c843136f8e590c8128a992e763d9bf8e4e5b76ae332
Instruction ID: b9d5799b22b927c4c893e4dcf8f805478f09fed13b3a8a46c5661671430b5689
Opcode Fuzzy Hash: d0799f39d9c7406fb9638c843136f8e590c8128a992e763d9bf8e4e5b76ae332
Instruction Fuzzy Hash: F2611470A106098FDB08DF6BF98169ABBE3FBC8304F14C52AD0089B269EF755C459F91

Function 0568DBF0 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0568DC8F
4'^q, xrefs: 0568DCBA

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 71c7e43edd2d0d4f6b5f5ec21a3cf4e2e8110a1f39995a1285bd57505a2fea07
Instruction ID: 56a67bc1c0118b30b23aec41a893e6dff9820e15d8a95b297e3c4945c17251ca
Opcode Fuzzy Hash: 71c7e43edd2d0d4f6b5f5ec21a3cf4e2e8110a1f39995a1285bd57505a2fea07
Instruction Fuzzy Hash: EA51F370A106098FDB08DF6BF99169ABBE3FBC8304F04C52AD0099B269EF755C459F91

Function 05685FF8 Relevance: 1.8, Strings: 1, Instructions: 553COMMON

Download Yara Rule

Strings

(bq, xrefs: 056860C8

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 2662cd98700e83ecc676b9e0fdb1154bcedc2c3591e2146c96ab2e11f0d829a0
Instruction ID: d97d61f31fbdd9f9bf6e3a7b3bebd048d22056a224608465e33236ca199f06a4
Opcode Fuzzy Hash: 2662cd98700e83ecc676b9e0fdb1154bcedc2c3591e2146c96ab2e11f0d829a0
Instruction Fuzzy Hash: B8224874B0061A8FCB18DF69C494A7EFBF2FB98304F248629D55A97781DB34E841CB85

Function 05C6C0A0 Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,05C6F03A), ref: 05C6C0AB

Memory Dump Source

Source File: 00000008.00000002.1776191510.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c60000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0566098D Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5d4496bcde76351cd4dbd3ab8ee7e91b946122d73c10783250837ceea95b4f
Instruction ID: 8d8b3f9a4adcf681b4b12172f26d8e46aec7401163f2a5e501bc5bc57088cc11
Opcode Fuzzy Hash: 5f5d4496bcde76351cd4dbd3ab8ee7e91b946122d73c10783250837ceea95b4f
Instruction Fuzzy Hash: 9A02F834A00219DFCB54DF68D884A99B7B6FB88310F15C5E9E90AAB365DB30ED85CF41

Function 05687D7B Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fd5965565b15731d036baf03ccee8c6d6849f885ede6f9c2dff7dd16be4f96
Instruction ID: 3793f24a18a0aaf9a0a759bcd184f6e33ea02918628dfd858bb0a112d0d33700
Opcode Fuzzy Hash: 30fd5965565b15731d036baf03ccee8c6d6849f885ede6f9c2dff7dd16be4f96
Instruction Fuzzy Hash: 3FB15B34A04105CFD718EF54E548BBAB7B3FB94314F648678D40A6BA84CBBD9C86CB85

Function 0566D5D8 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471ab48eaa4480dfd5768f66d64f05ee0d040fd1912dccdf3f79f6659fca5258
Instruction ID: ca71359441a36606cbd3995bec5f858c0e0bd2544a524baa89fd5a5ceeb59d97
Opcode Fuzzy Hash: 471ab48eaa4480dfd5768f66d64f05ee0d040fd1912dccdf3f79f6659fca5258
Instruction Fuzzy Hash: E1A14C74B04109CFEB14CF55E548BAE7BB3FB88305F189179E406ABA94CB789D85CB42

Function 0566D5C8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685f94b17f7799e60cddbeac3e1c803a0aa1d4f0fac320e4b9fda00d3f7ae629
Instruction ID: c0acb364e0d3ea1954759821ae0bc1ee016f6e44be22036a4db31526b94df520
Opcode Fuzzy Hash: 685f94b17f7799e60cddbeac3e1c803a0aa1d4f0fac320e4b9fda00d3f7ae629
Instruction Fuzzy Hash: 9E915C74B04109CFEB14CF65D549BAD7BB3FB88305F189079D406ABA94CB789D86CB42

Function 0566D744 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bbb81122be2957bad6dd392c1bc557b7ac98192cb938d56c12cb5dd329e1e1
Instruction ID: 6b8e6526582ebb8f1fb48c59792dfdfda7579172726d70fb378b59161f82cba5
Opcode Fuzzy Hash: e0bbb81122be2957bad6dd392c1bc557b7ac98192cb938d56c12cb5dd329e1e1
Instruction Fuzzy Hash: 8E914B74B04109CFEB14CF55D648BAE7BB3FB84305F189079D406ABA94CB789986CB42

Function 055D2B47 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af793373a8f42d494c5243c37631855f5ec44a01f5ac7a59191f8b5cb9d1273d
Instruction ID: b5e0d56f468c3673fb49d888e35f2121829c8dd44d3d07fc25190cb7d882e0f5
Opcode Fuzzy Hash: af793373a8f42d494c5243c37631855f5ec44a01f5ac7a59191f8b5cb9d1273d
Instruction Fuzzy Hash: CC51383AB1470647D7393A7994A833EE9A7BFC5600F44853D9503D7381DEA9CC0787A6

Function 055D2B68 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068d3eb20b5bdff8d263766c9e2beb293287a97698b5611829ba27e13181217e
Instruction ID: fa41cd238e6550fea0edd6e400718c7d94ec4b980f19a1e34e7bfc4d6c1d3c36
Opcode Fuzzy Hash: 068d3eb20b5bdff8d263766c9e2beb293287a97698b5611829ba27e13181217e
Instruction Fuzzy Hash: F851E53AB1060647E7393A79D4A833EE4A7BFD9700F44453C9A0397385DEA9CC0796A6

Function 0568BB30 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba819423362637988aa39e37182d6cf1f01c8501fb5bbc1505aedcffef06ef85
Instruction ID: 29e6238c2e34df1ffd263adedb137296973de146dafb522af35cb99f5b8b8b23
Opcode Fuzzy Hash: ba819423362637988aa39e37182d6cf1f01c8501fb5bbc1505aedcffef06ef85
Instruction Fuzzy Hash: CD618D34B041049FD714AF64E559B7A7BA3FB88310F18C169E4069B7A9CFB89C46CB85

Function 0568BB4F Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a12aae7f4e4b1273acde2320a0180e646e538a6a7ffa8430b5d673db9d5ec8
Instruction ID: 1682d23bbf801180d5f4d45ce83b29e637fe1fb11edaab48341e441892dce1ec
Opcode Fuzzy Hash: 05a12aae7f4e4b1273acde2320a0180e646e538a6a7ffa8430b5d673db9d5ec8
Instruction Fuzzy Hash: C2518E34B001089FD714AF64E559B7E7BA3FB88310F188169E5029B7A9CFBC9C46CB85

Function 0568BB60 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c544f8f9ece2d0f59234cb72656a9f0171521153a93d5ee9e10870fb5986a26c
Instruction ID: bfaa040136599664e47b4cf2e989d6c51eee4352b090e360068c8b857b3ec255
Opcode Fuzzy Hash: c544f8f9ece2d0f59234cb72656a9f0171521153a93d5ee9e10870fb5986a26c
Instruction Fuzzy Hash: A9515C34B001048FD714EF64E559B7A77A3FB88715F288169E4029B7A9CFBC9C46CB85

Function 0568B5FF Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3673c923aee24f37eba5f4cfe11387717e5ca2a0ffed51d29b6153fed7dd838
Instruction ID: aa9e2d531a48cfef6d2ec631a5a876a72c994e630650f40aa03fab19d779ac06
Opcode Fuzzy Hash: c3673c923aee24f37eba5f4cfe11387717e5ca2a0ffed51d29b6153fed7dd838
Instruction Fuzzy Hash: A451B030B00608CFEB14EB69D584BBA77E3FB88300F288575D5169B7A5CB785C8ACB45

Function 05668F30 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e8ee8b5e6141aae0caaa5d9a04254dfd05a74a89a5b7c95edd6eab8aa24789
Instruction ID: 4a67933b62787ffefaca774ffe3ee256688b40a8555d8dedb93379bc2c69e287
Opcode Fuzzy Hash: 48e8ee8b5e6141aae0caaa5d9a04254dfd05a74a89a5b7c95edd6eab8aa24789
Instruction Fuzzy Hash: 10510774E00509CFDB44CFAAE554BADBBF2FB88304F508169E416AB395DB786985CF01

Function 0568B610 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58411cb6e8e284664ebb0ba406dcdffce357f83a2cc6946a1e63efe6eab0a743
Instruction ID: e83d3f1cd17e39edf8b1ccf2e8ff4fd46fb0849a145e5da5ed81f8245f910391
Opcode Fuzzy Hash: 58411cb6e8e284664ebb0ba406dcdffce357f83a2cc6946a1e63efe6eab0a743
Instruction Fuzzy Hash: F251AF34B00608CFE714EB69D584BBA77E3FB88300F288175D5169B7A5CBB85C8ACB55

Function 05668F40 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256f9294499f2b76a003af60bd5f432665eb031ccea93148202df19ee049d0de
Instruction ID: c1033a067462b472459483a3cace9891aa08e3ea7710a7ba4c9cb4115a2f1c2e
Opcode Fuzzy Hash: 256f9294499f2b76a003af60bd5f432665eb031ccea93148202df19ee049d0de
Instruction Fuzzy Hash: 5D510674E00609CFCB44CFAAD554BADBBF2FB88304F508169E41AAB395DB786985CF01

Function 062AD378 Relevance: 7.7, APIs: 5, Instructions: 211
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 062AD3F6
GetCurrentThread.KERNEL32 ref: 062AD433
GetCurrentProcess.KERNEL32 ref: 062AD470
GetCurrentThreadId.KERNEL32 ref: 062AD4EE
DuplicateHandle.KERNELBASE(00000000,00000000,06288F9C,?,00000000,062A129C,00000000,?,?,?,?), ref: 062AD60F

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread$DuplicateHandle
String ID:
API String ID: 4285418203-0
Opcode ID: 016a31037169894e1f997f77e3580b07c16b6652465414e46c0f614d91bff8f8
Instruction ID: 1ceda1b3eedf34868fc7cbbd9ee4e52b0091aa18597b77cf00e1c57de1a9f2ec
Opcode Fuzzy Hash: 016a31037169894e1f997f77e3580b07c16b6652465414e46c0f614d91bff8f8
Instruction Fuzzy Hash: 089133B0D11349DFDB54CFAAD888A9EBBF5EF48314F10C41AE819A7260D778A844CF65

Function 05A8F5D0 Relevance: 7.7, Strings: 6, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 05A8F6A2
4'^q, xrefs: 05A8F684
4'^q, xrefs: 05A8F654
pbq, xrefs: 05A8F727
(bq, xrefs: 05A8F79A
4'^q, xrefs: 05A8F71A

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: (bq$4'^q$4'^q$4'^q$4'^q$pbq
API String ID: 0-723292480
Opcode ID: 83463b9e3634fa55d15fbee28d0cd1cdeb3e4a90e30fe6f55ae3f4a82394dcb7
Instruction ID: dab085f399df51743b9255e324f4cd170c0299bb225769b9d4edc1f4d0d5907b
Opcode Fuzzy Hash: 83463b9e3634fa55d15fbee28d0cd1cdeb3e4a90e30fe6f55ae3f4a82394dcb7
Instruction Fuzzy Hash: 72518131A402098FC748EF7985506AEBBF7BFC8300F14896DC44A9B369DF359D468B91

Function 062AD347 Relevance: 6.2, APIs: 4, Instructions: 152
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 062AD3F6
GetCurrentThread.KERNEL32 ref: 062AD433
GetCurrentProcess.KERNEL32 ref: 062AD470
GetCurrentThreadId.KERNEL32 ref: 062AD4EE

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1d857d60cc22332af04851916120c7427caea0dfe03c17c6e1579a2438884a40
Instruction ID: e21fef21aeeb6e55e011a562b6494c2a1c60731b3112e6db6d9224152c56cf92
Opcode Fuzzy Hash: 1d857d60cc22332af04851916120c7427caea0dfe03c17c6e1579a2438884a40
Instruction Fuzzy Hash: 366156B0D113498FCB44DFAAD848A9EBBF1FF88304F10C559E859A72A1C774A885CF61

Function 056891F8 Relevance: 5.3, Strings: 4, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 056893DB
(bq, xrefs: 056894E0
(bq, xrefs: 056892A7
Hbq, xrefs: 056892D3

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$Hbq
API String ID: 0-2483291755
Opcode ID: 3bb574b412ba123f64d35cd421c74c25db5aca6006589e1234a12f03abe90ad9
Instruction ID: 4715a4a2a48f67b394679c25b06541174cc3d9728e074895e3d7138f3bb98a7f
Opcode Fuzzy Hash: 3bb574b412ba123f64d35cd421c74c25db5aca6006589e1234a12f03abe90ad9
Instruction Fuzzy Hash: 17B103317082518FC716AB789864A7EBBF6FFC5750B1486AAD40ACB391DE34CC06C796

Function 056895A0 Relevance: 4.3, Strings: 3, Instructions: 507
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 056896A5
(bq, xrefs: 05689B40
(bq, xrefs: 05689968

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 03b826b641ebdbdf5c3c830585009fb322433ae1b2cf9ee4711a760700fc3dc6
Instruction ID: 94a4a5080f2baec312f415e8520228c5492dc4d62d705909435e9f37e30c45f5
Opcode Fuzzy Hash: 03b826b641ebdbdf5c3c830585009fb322433ae1b2cf9ee4711a760700fc3dc6
Instruction Fuzzy Hash: E502CF71B006159FCB54EF69C594A6EBBF2FF88300B14866DD44ADB780DA34ED02CB95

Function 05A8E300 Relevance: 4.2, Strings: 3, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 05A8E7D5
Hbq, xrefs: 05A8E854
Hbq, xrefs: 05A8E804

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq
API String ID: 0-2297679979
Opcode ID: 6f771f8ba38e33de097968a7fce67dd26841777b3a5d40f9b5046b8b3db44749
Instruction ID: 763c723f63e9682ad5a16724f48d89befe3148971fe14c2538f8ce273b5c5b62
Opcode Fuzzy Hash: 6f771f8ba38e33de097968a7fce67dd26841777b3a5d40f9b5046b8b3db44749
Instruction Fuzzy Hash: DC122831A00609DFCB24EFA9D494A6EBBB6FF88310F148929E5169B350DB35EC46CB51

Function 0566E170 Relevance: 4.2, Strings: 3, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 0566E571
4'^q, xrefs: 0566E412
4'^q, xrefs: 0566E4F1

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q
API String ID: 0-1196845430
Opcode ID: ce4646ba579a82a7576edf015592cb7bc41e743e17e5d534cbfbbca085c8f878
Instruction ID: 2affe8745e8ec6b70120c6512130751e7bc683e0ade0aedea49fbe60ee45cb6c
Opcode Fuzzy Hash: ce4646ba579a82a7576edf015592cb7bc41e743e17e5d534cbfbbca085c8f878
Instruction Fuzzy Hash: 3902EC34B50218CFDB14EFA4D598AADBBB6FF88300F518165E406AB3A5DB75EC42CB50

Function 055D0B28 Relevance: 3.9, Strings: 2, Instructions: 1383COMMON

Download Yara Rule

Strings

4'^q, xrefs: 055D1CEA
4'^q, xrefs: 055D1CDE

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 53eb10a07ff76f6d82a169a3395ccd953be915fe75fc4971239763d61e2a6989
Instruction ID: 6b13f55bf2df580a9b5b6b257a9f4b4693086d19f40bca8f8252dd9e456d88d6
Opcode Fuzzy Hash: 53eb10a07ff76f6d82a169a3395ccd953be915fe75fc4971239763d61e2a6989
Instruction Fuzzy Hash: 16A28332F44A268BCB349E6D945823EE9E7BBC4651F54446AD907D73A4EE30CC41CBB2

Function 062A1BA9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 062A1C3B

Strings

4'^q, xrefs: 062A1BF4

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'^q
API String ID: 2492992576-1614139903
Opcode ID: c6bb27facb98fe8e118a54e011b5bc08925b7e8efc89e84988262756d3e297bd
Instruction ID: a772a78fe35d65e3794596f81cfd35f6679e785451e8425feea6e641ca76df1f
Opcode Fuzzy Hash: c6bb27facb98fe8e118a54e011b5bc08925b7e8efc89e84988262756d3e297bd
Instruction Fuzzy Hash: 8D216BB0C0434A8FCB14CFA9D5486EEBBF4FB14320F14845AD895A7281C7786984CFA2

Function 062A1BB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 062A1C3B

Strings

4'^q, xrefs: 062A1BF4

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'^q
API String ID: 2492992576-1614139903
Opcode ID: 82e9717f344a137d223ff5be79f6e1873f224b0dc6343785b4719358bede8f10
Instruction ID: 048cf78b9788d30874ce3cbdd602cef81828b234800b5ec71d5460d69d6e8b7a
Opcode Fuzzy Hash: 82e9717f344a137d223ff5be79f6e1873f224b0dc6343785b4719358bede8f10
Instruction Fuzzy Hash: 0D2135B0D0435A8FCB14DFA9D8486EEBBB4FB08324F10845AD859B7380CB786944CFA5

Function 0612A7B0 Relevance: 3.3, Strings: 2, Instructions: 794
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 0612AFF7
$^q, xrefs: 0612AAF5

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: 2$$^q
API String ID: 0-1071376767
Opcode ID: 25355aaefd0b4aac4e780ad1f26a0e29614b61c0e63453632e24f19beffcf32b
Instruction ID: aed635c42f23e7625d35749aa26592c0d90fa91d2316b78aaae110e2c7343dba
Opcode Fuzzy Hash: 25355aaefd0b4aac4e780ad1f26a0e29614b61c0e63453632e24f19beffcf32b
Instruction Fuzzy Hash: 59721874A002298FDB54DF69E99469DBBF2FB88300F10C5A9E40AE7355EB349D95CF80

Function 05660040 Relevance: 3.1, Strings: 2, Instructions: 599
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 056602DF
2, xrefs: 056604B6

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID: 2$$^q
API String ID: 0-1071376767
Opcode ID: ea2df585be93be2df6f33dad835d4398d01ed4c00c1ed51043d507557713c88d
Instruction ID: 22d05b727d1c7ce1b3d9a442c091dfb9206114788c725de68d0a9e78ac3daae7
Opcode Fuzzy Hash: ea2df585be93be2df6f33dad835d4398d01ed4c00c1ed51043d507557713c88d
Instruction Fuzzy Hash: 76422878A00219CFCB24DF69D594A6DBBF2FB88304F1085A9D40AEB755DB34AD86CF41

Function 07348060 Relevance: 3.0, Strings: 2, Instructions: 491COMMON

Download Yara Rule

Strings

@Udq, xrefs: 07348122
@Udq, xrefs: 0734815A

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID: @Udq$@Udq
API String ID: 0-2037091890
Opcode ID: 79cb12f0c9a72d542573a017239cf482dea220e905f89c346016a5fef0a58335
Instruction ID: b659a1f31b5488dee09c00832aaf9eb875ee94b603ef8c25013eae2673e288d7
Opcode Fuzzy Hash: 79cb12f0c9a72d542573a017239cf482dea220e905f89c346016a5fef0a58335
Instruction Fuzzy Hash: 1B220BB4A00105CFDB19DFA9C594A9DB7F2BF89304F248569D409AB361DB31ED42CF50

Function 05A8D9B0 Relevance: 2.8, Strings: 2, Instructions: 293COMMON

Download Yara Rule

Strings

(bq, xrefs: 05A8D9C4
d, xrefs: 05A8DC11

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: (bq$d
API String ID: 0-3334038649
Opcode ID: f2f9173a520ed9deda3805ce3c8bf607e43246c1f49c592c31fba0363cce2cd1
Instruction ID: 45c046468209f979a549c3fa07984f9535667614d0a2934a787b5ed4d0c3cde6
Opcode Fuzzy Hash: f2f9173a520ed9deda3805ce3c8bf607e43246c1f49c592c31fba0363cce2cd1
Instruction Fuzzy Hash: CCC138716006068FCB14DF29C584D6ABBF2FF88314B29C959D46A9B6A5DB30FC46CB90

Function 05683740 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05683A20
4'^q, xrefs: 056839F2

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: c400dfa8a15c05984fc398f815b93f3ceb6e69b0b3752d142417f71601e3958f
Instruction ID: 87da05e5f3554c856437941518a13d8252f7ac86d8f7b4ae6bed60e55b74a975
Opcode Fuzzy Hash: c400dfa8a15c05984fc398f815b93f3ceb6e69b0b3752d142417f71601e3958f
Instruction Fuzzy Hash: 26C1A774B40218DFCB04EFA4C998AADB7B6FF89700F504568E506AB3A5DB71ED42CB50

Function 055D4640 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

4'^q, xrefs: 055D49BD
4'^q, xrefs: 055D49C9

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 50c101247d7ee33917ada86e024498b83c8f92028b1c551696730d3ab643ccea
Instruction ID: cb78cc3e13f30bd9e8281be38c279cb9b8f2674594a1980644437377d47ee77f
Opcode Fuzzy Hash: 50c101247d7ee33917ada86e024498b83c8f92028b1c551696730d3ab643ccea
Instruction Fuzzy Hash: 6581A236B109258F8E39373D706953DA8D7BBD9991748852CE803EB348CFB58C0697E6

Function 05683730 Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05683A20
4'^q, xrefs: 056839F2

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: f8c858d5906b50bbf2bfc0a3d75c0ebe22aee0bb9e7c900b1ffff430c411716e
Instruction ID: fdb373e65d26d1c48317c3068de861a02849f0ad2f4cd8a85a936ff11ed2ffce
Opcode Fuzzy Hash: f8c858d5906b50bbf2bfc0a3d75c0ebe22aee0bb9e7c900b1ffff430c411716e
Instruction Fuzzy Hash: AFC1F874B40218DFCB04EFA4C998AADB7B6FF89300F504568E506AB3A5DB71ED42CB50

Function 05A89240 Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

Hbq, xrefs: 05A893D5
(bq, xrefs: 05A89346

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: c21ff5da55f7197b4ee6627085e751505cb6e19e6bc73e07850c6a5fc803d7d5
Instruction ID: 82421e138bf863b1aae92e9cd6f8c84212b8dc17d399b80390dfc8068fe3007b
Opcode Fuzzy Hash: c21ff5da55f7197b4ee6627085e751505cb6e19e6bc73e07850c6a5fc803d7d5
Instruction Fuzzy Hash: B051A9317002158FC719AF78D454A3EBBB6FF89740B64486CD5069B3A0CE35EC06CB92

Function 0568C2E1 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

(bq, xrefs: 0568C324
(bq, xrefs: 0568C3AF

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: aede2e4d37597465efce263d2e0b223d257f7fbf3281565e47ecab5cdc6a312a
Instruction ID: 824bbdd6c71fc3e0b451e2b6285d45408ba72464a8e4a9e51007db4889fe0b15
Opcode Fuzzy Hash: aede2e4d37597465efce263d2e0b223d257f7fbf3281565e47ecab5cdc6a312a
Instruction Fuzzy Hash: A2516831F086894FDB15AFB984141AEBFF2FF86250B1482AAD111FB351DE309C06CBA1

Function 06121AB9 Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

`Q^q, xrefs: 06121B89
PH^q, xrefs: 06121D42

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH^q$`Q^q
API String ID: 0-3163867966
Opcode ID: abdb12a3f00fadbe55ab541f441128cb2d886b51fddc75b2760ce75f5885cbb4
Instruction ID: 7110aa680c98ce013914cc4527195b2245062a5852490fcb025528b5f638e6e5
Opcode Fuzzy Hash: abdb12a3f00fadbe55ab541f441128cb2d886b51fddc75b2760ce75f5885cbb4
Instruction Fuzzy Hash: 6B711774A0122ADFEBA4DF24D85D7ADBBB1FB44700F1084D9E50AA7290DB745E94CF41

Function 05A8F5B0 Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05A8F654
pbq, xrefs: 05A8F727

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$pbq
API String ID: 0-3872760177
Opcode ID: 3ed999d476bf210e23081283f7be4abf90e70fdaad5b8be40e071eeaa4a457ec
Instruction ID: e13dad2322265bc73cd008e72b78858aa93c3fb2b37cbef10ed0bfcad5d816b3
Opcode Fuzzy Hash: 3ed999d476bf210e23081283f7be4abf90e70fdaad5b8be40e071eeaa4a457ec
Instruction Fuzzy Hash: 1441B231A406068FD704EF78D9407AEBBB6FF88304F148929C4499B369DB75ED468BA1

Function 055D2940 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

4'^q, xrefs: 055D2A93
4'^q, xrefs: 055D2A87

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: a1bbd4fc8f7fec20fd05c1d246ed5d0a60167eed73f143882eed0772ce7d3692
Instruction ID: 05a224dabe88db5fd44f454d6e245cce4ace1caff2b916b43fa88896fc050f59
Opcode Fuzzy Hash: a1bbd4fc8f7fec20fd05c1d246ed5d0a60167eed73f143882eed0772ce7d3692
Instruction Fuzzy Hash: 3B31C43BB40622078E39323C546813E91C7BBE5851F94491DC807EB794DE68CC87C3EA

Function 0566FEE8 Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0566FF63
(bq, xrefs: 0566FF37

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 12c0ccdf821f2d4319c23380a53004ab422121f837b351358d1faeff348c5704
Instruction ID: 1068243d89dd6416052ac16826ff631a314b370b81e21a832e8274591e6955ac
Opcode Fuzzy Hash: 12c0ccdf821f2d4319c23380a53004ab422121f837b351358d1faeff348c5704
Instruction Fuzzy Hash: 571103313045654FC354AF6EE88066EBBEAFFC9350B508529E50ACB392DE34EC06C796

Function 055D8378 Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

4'^q, xrefs: 055D843C
4'^q, xrefs: 055D8430

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 3845821f5a8be483d1cae35ac05212f683ed3e47e87aa0a43522efee444a4bbd
Instruction ID: 7ba2ea6ad4460d20e4a421c58729cf8d67260bc97d75c1b83daae33904cf1c7e
Opcode Fuzzy Hash: 3845821f5a8be483d1cae35ac05212f683ed3e47e87aa0a43522efee444a4bbd
Instruction Fuzzy Hash: 7D11B236740E198B8F29766DA42803EE5A7FFD0555368442DD80BC7348DFB18C0743B6

Function 05A8A840 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

(_^q, xrefs: 05A8AAD0

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: 3f55a2fde518e6cecf21e7649470bb4f345aa47a267d440f9fd76dc96b32bb5f
Instruction ID: 5e9c97cfc9954e51ed67d35c36b7ec52be46685cc3ad02e8407b201177275337
Opcode Fuzzy Hash: 3f55a2fde518e6cecf21e7649470bb4f345aa47a267d440f9fd76dc96b32bb5f
Instruction Fuzzy Hash: 0E226E35B002149FDB14EFA9D494A6DBBF2FF88710F14846AE906AB3A1DB75EC41CB50

Function 062AD7E5 Relevance: 1.6, APIs: 1, Instructions: 75comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 062AD878

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 3d5c8641ad144a1ce8d8a89fea2c75c7184d93f7adbbbef7066f1a071cfe4df3
Instruction ID: 922147563a3a225fce51b022b00b4454bc9e4b2219a2e71d1ff1948c844e3f18
Opcode Fuzzy Hash: 3d5c8641ad144a1ce8d8a89fea2c75c7184d93f7adbbbef7066f1a071cfe4df3
Instruction Fuzzy Hash: B53112B0D11309DFDB50CFA9C988BCEBBF5AF48304F208419E804AB290DBB4A945CF95

Function 062AD7F0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 062AD878

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 8e59a6639cacf818a507289455573a918deccfef5ec2606cffdafef74259f747
Instruction ID: d0b1f3359172ba62820dc4092bcbe0f08703a845cb6f2a03049e9b6593fd368d
Opcode Fuzzy Hash: 8e59a6639cacf818a507289455573a918deccfef5ec2606cffdafef74259f747
Instruction Fuzzy Hash: E43100B0D11309DFDB10DFA9C984BCEBBF5AF48304F208419E808AB290DBB4A945CF95

Function 062AD580 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(00000000,00000000,06288F9C,?,00000000,062A129C,00000000,?,?,?,?), ref: 062AD60F

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2ceb73398140c0f0bf720acd4a4d31cae7b5087e0d0ad3326d5043b3aba4c207
Instruction ID: ce68751aa96de08a995bc3e336e3181d430a0238df4962d0585fae1e0a98c9ec
Opcode Fuzzy Hash: 2ceb73398140c0f0bf720acd4a4d31cae7b5087e0d0ad3326d5043b3aba4c207
Instruction Fuzzy Hash: 4421D2B5D00209AFDB10CFAAD984ADEBBF4EB48314F14841AE958A3350D378A944CFA5

Function 062ABEB4 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(00000000,00000000,06288F9C,?,00000000,062A129C,00000000,?,?,?,?), ref: 062AD60F

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 12f608bce3505ec9f185fec374290d19d3728b6bb89a1a567aa1560ce833a2ad
Instruction ID: f0e9c2cf4041cea69633f8c2a0ff23168ebb817b8c38455d3a94eb319d760037
Opcode Fuzzy Hash: 12f608bce3505ec9f185fec374290d19d3728b6bb89a1a567aa1560ce833a2ad
Instruction Fuzzy Hash: 0321D2B5910249AFDB10CF9AD984ADEBBF4EB48314F14841AE918A7350D378A954CFA4

Function 062A1AB9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 062A1B47

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: fc9d86a1de3ba7c05dff264225dbc0c9272fab86958b80c6e9578cd9124e82a2
Instruction ID: 91323b12b6de04b2d56055fcfcff7ec7ae93ec706948441ea2c2771054611127
Opcode Fuzzy Hash: fc9d86a1de3ba7c05dff264225dbc0c9272fab86958b80c6e9578cd9124e82a2
Instruction Fuzzy Hash: C7216975900349DFCB10DFA9D848BEEBFB0EB49320F14841AE995AB340D374A945CFA1

Function 062A1AC8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 062A1B47

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 6d73d194e77fdbac4a46c12e43ecc236be06d0b18bf1bd6f7a1a474882769dd0
Instruction ID: cd4dcb56e5a1d37e21f60a4934a1bc702edaccfdd81e5695a28e8cf72a204587
Opcode Fuzzy Hash: 6d73d194e77fdbac4a46c12e43ecc236be06d0b18bf1bd6f7a1a474882769dd0
Instruction Fuzzy Hash: F5217870A00349DFCB50DF99D808BAEFBB5EB88320F14C419E956AB780C774A945CFA1

Function 02F1D8C0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02F1D934

Memory Dump Source

Source File: 00000008.00000002.1762029555.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2f10000_RegSvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7ea89cadc6c2302c2dc58cd06b24a0103ad17da8166557c69e9ccede6f9e9700
Instruction ID: 94ec4ecf3353d7c1e0f2d646bd3238f42f33c36eba9b4a8abe2f226079344c74
Opcode Fuzzy Hash: 7ea89cadc6c2302c2dc58cd06b24a0103ad17da8166557c69e9ccede6f9e9700
Instruction Fuzzy Hash: 691124B1D002099FCB10DFAAC444ADEFBF4EF88324F50842AE459A7214C778A944CFA0

Function 062AD194 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 062AD6FD

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1cfb52577f6173000a2f878fa4c6c432a45ec466a7618fb5cc425a757727e467
Instruction ID: 1f9e9de58e4a60e1e66e5e38a809b671892d9a8dce7b7a3bd036499757d97655
Opcode Fuzzy Hash: 1cfb52577f6173000a2f878fa4c6c432a45ec466a7618fb5cc425a757727e467
Instruction Fuzzy Hash: 0B1133B18103498FCB20DF9AD444BDEBBF4EF48320F108419E918A7710C378A944CFA5

Function 062AD6A1 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 062AD6FD

Memory Dump Source

Source File: 00000008.00000002.1778953446.00000000062A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62a0000_RegSvcs.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 071912b4e9cdae1624b9af09d165b827d14d6fa41cb53114efa40420b070f2a0
Instruction ID: f350d2f1622aea52c92e2e39247cce89a84b123190699bd7855e02e9b00cb217
Opcode Fuzzy Hash: 071912b4e9cdae1624b9af09d165b827d14d6fa41cb53114efa40420b070f2a0
Instruction Fuzzy Hash: D31115B59003498FDB20DF9AD444BDEBBF4EB48324F108419E519A7650C375A544CFA5

Function 05669249 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

Deq, xrefs: 056692F3

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: bd5119ce49345b339c58c9e1827f081e6ffeaa23d3db4bcd5f390854b4a4f149
Instruction ID: 80b1df6e9c016df6c17bce146050ffd3d2c7ba075f50dcff8c3689e590ba2e31
Opcode Fuzzy Hash: bd5119ce49345b339c58c9e1827f081e6ffeaa23d3db4bcd5f390854b4a4f149
Instruction Fuzzy Hash: A0A1DF34A006049FC714DF69D594A6EBBF2FF88710F158569E806EB3A1DB74EC02CB91

Function 05A8AFC8 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

Pl^q, xrefs: 05A8B1B0

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: Pl^q
API String ID: 0-2831078282
Opcode ID: ff5c85c6dbdf595904d513171e4b34b44bb1bfa3d5f5ff5681a253427aa0327f
Instruction ID: bd3e05438fc17d93a14cf3a5a8e6998768b4b8b0fdbede42fed9ad1e6dbf14b7
Opcode Fuzzy Hash: ff5c85c6dbdf595904d513171e4b34b44bb1bfa3d5f5ff5681a253427aa0327f
Instruction Fuzzy Hash: 1B910430B405188FCB14EF69C884A6A7BF6BF89710F1540A9E516DB3B5DB71EC41CBA1

Function 07347098 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

bq, xrefs: 07347211

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID: bq
API String ID: 0-492960840
Opcode ID: 5c28dc59e31378293f98103695f71c852851227286d352488ac6f697f75e99c0
Instruction ID: 21d5e6b46f017f71b2f52365d2b05cc37b1fcac35f7b53c1f548d3a57fef223e
Opcode Fuzzy Hash: 5c28dc59e31378293f98103695f71c852851227286d352488ac6f697f75e99c0
Instruction Fuzzy Hash: 1E512B7670010A9FCF05CFA9D8409EEBBF6FF88254B14805AF909E7365D735E8119BA1

Function 05669258 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

Deq, xrefs: 056692F3

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: b666e550f61d140e77ec1bbc85634e309af49f05a6738dcf74262f0cc3aa7f75
Instruction ID: 0029e73c11a04606287c5b9cedb3d12bc3c1a13a498c575bf9816e8f716ae926
Opcode Fuzzy Hash: b666e550f61d140e77ec1bbc85634e309af49f05a6738dcf74262f0cc3aa7f75
Instruction Fuzzy Hash: F4617A74A00A01DFC714DF29D584A59BBF2FF88710B1582A9E816EB3A5DB74EC45CF90

Function 05A84C88 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

pbq, xrefs: 05A84D38

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: pbq
API String ID: 0-3896149868
Opcode ID: 782dcd5cab1df574f4dcae031f1a5985f9909a9b4614a86c797ce5c1173f5a97
Instruction ID: 1c36929bafaa6c5b5ee26ca8ceac5ee4b510bfdd3c9e4a10b57e2ca792a8a286
Opcode Fuzzy Hash: 782dcd5cab1df574f4dcae031f1a5985f9909a9b4614a86c797ce5c1173f5a97
Instruction Fuzzy Hash: 1B515F76600104AFCB499FA8C904D697BF7FF8C314B168098E2099F376DA36DC22EB51

Function 05A8D99D Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

(bq, xrefs: 05A8D9C4

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 74c5ec7cfa45140cd73ac8992c388aaed0691d999b49e124ee1b1accc8a601f2
Instruction ID: d248737de7382baab373b6346dd7b584d4cd8d3c0f132d075b0dde675b304e10
Opcode Fuzzy Hash: 74c5ec7cfa45140cd73ac8992c388aaed0691d999b49e124ee1b1accc8a601f2
Instruction Fuzzy Hash: B3514C70A00606CFCB14EF69C484EBAB7F2FF89314F158959D466AB791D734E841CB94

Function 0566DE31 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0566DF2D

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 2953955a2e2e0060c9fed25b2725a14093723849e2af030c24227ca4fae0e40f
Instruction ID: e2a22ae0745eeef59a289b7b383e2bbe8ce5cb9b3806c1567917041594ab8c76
Opcode Fuzzy Hash: 2953955a2e2e0060c9fed25b2725a14093723849e2af030c24227ca4fae0e40f
Instruction Fuzzy Hash: DB515734B04406CFDB14DF58D508BAA77B3FB98301F289075E4069BBA4CBB89D46CB46

Function 0566DE71 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0566DF2D

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 5b5539cff154b3a46fefa47a30e2ac0b87ed6a4637cd08d07f03d23633713675
Instruction ID: 24ea100a269a41cbd5dce62bf45d84d350ea1d4a3600a31686102af24c83c9da
Opcode Fuzzy Hash: 5b5539cff154b3a46fefa47a30e2ac0b87ed6a4637cd08d07f03d23633713675
Instruction Fuzzy Hash: 36515A34B04406CFDB14DB58D518BAA77F3FB98311F289075E006ABBA4CBB89C46CB56

Function 05681430 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0568146A

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 3b4f526ac74119fa679be3d2bef4fc46dcccd83f22853fb8688a6c3d58077563
Instruction ID: 6805fa48313e87ab8b5ad2c6a1958d8db5e8976df1bd40629a5e19007f4a3fb8
Opcode Fuzzy Hash: 3b4f526ac74119fa679be3d2bef4fc46dcccd83f22853fb8688a6c3d58077563
Instruction Fuzzy Hash: 49412C34B106158FDB14BB68C498A7EBBABAFC9700F50452DD406AB394DF749C46CB91

Function 05A85CA8 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

(bq, xrefs: 05A85CBC

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: c32ac54eaf896f4bc0bdb6dee3b8141337b0c2bf79fd4e3912e411f44ecfc391
Instruction ID: c4cf5c22d7808613e4a36fb57861ec19243a3ea6e6a1c44a11a22e10ad25acac
Opcode Fuzzy Hash: c32ac54eaf896f4bc0bdb6dee3b8141337b0c2bf79fd4e3912e411f44ecfc391
Instruction Fuzzy Hash: E5416B35A006169FCB10DF59C488A7AFBB1FF89320F158696D925AB381D730F851CB91

Function 05684D59 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05684E06

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 4ed78a0c9344a65e61226830e58f489cb7063bc82ef093293722836ecc7bd125
Instruction ID: 99b893f9d116861e9099724eb94def58347d3dcf978696a759fb6617968486db
Opcode Fuzzy Hash: 4ed78a0c9344a65e61226830e58f489cb7063bc82ef093293722836ecc7bd125
Instruction Fuzzy Hash: DB314D357806149FD308EB69C998F2A77E6AFC8714F104568E50A8F3A5CE72EC42C790

Function 05684D60 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05684E06

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: e5bd012728c081ea33f6b6ab614abea2e4d9cc19fdc7b698304e8379398347f7
Instruction ID: 76127457884d9dabcc99445b8e4a3be0a60c4347e93056878c60e5a3ae51da3b
Opcode Fuzzy Hash: e5bd012728c081ea33f6b6ab614abea2e4d9cc19fdc7b698304e8379398347f7
Instruction Fuzzy Hash: 66312D357806149FD708EB69C998F2A77E6AFC8714F104568E60A8F3A5CE75EC42C790

Function 055D0AD7 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

4'^q, xrefs: 055D1CDE

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: b339d35cb7308c8a6e96fe2bcb2ecdafbda354218a938e1c53fcd73b0207c331
Instruction ID: ee0a31a04f08df296caac22b3a95502e3d96e272b6bff7fdc10151527c0d3236
Opcode Fuzzy Hash: b339d35cb7308c8a6e96fe2bcb2ecdafbda354218a938e1c53fcd73b0207c331
Instruction Fuzzy Hash: DE312833A597588FD7318B68DC18BB9BBB1FF42315F05049AD4019B6E2E6349C44CBA1

Function 0566139F Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

TJcq, xrefs: 056613FE

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: 541447720946f22ef262cb293e94abdf5da0169a2560a122c02970d7e49b8813
Instruction ID: 265e5fc51407e05a22b039dca568f8a1c29fb85d528a6d3d8cd97f2bfd644daa
Opcode Fuzzy Hash: 541447720946f22ef262cb293e94abdf5da0169a2560a122c02970d7e49b8813
Instruction Fuzzy Hash: 4E31E236B001108FD724AB74E558B2E7BE6FB89725F040178E90BD7790DA789C06CB92

Function 05A8F030 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05A8F079

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: ca58ceda1986d27736412a63f4a8b2c4733055951ea1d5ecacf33a4df0be497b
Instruction ID: 3017a364b137a22b7bc93fe0949ebac6d16efbf364361e939b67e1f59ae187e9
Opcode Fuzzy Hash: ca58ceda1986d27736412a63f4a8b2c4733055951ea1d5ecacf33a4df0be497b
Instruction Fuzzy Hash: 70218E32A402089FDB15DF94D884D69BFB7FF88320F054069EA069B365CA31EC52CB90

Function 056613B0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

TJcq, xrefs: 056613FE

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: afdcd946413074be2cd0a8d4d1c3a7eb8671bbebbbb5897cbf840ef87aca61c1
Instruction ID: 1cac83036eb897f4ccb84a3dd78ef883c61f992f11a02faa4ddc454b33aa8d86
Opcode Fuzzy Hash: afdcd946413074be2cd0a8d4d1c3a7eb8671bbebbbb5897cbf840ef87aca61c1
Instruction Fuzzy Hash: 3031C135B002108FD724AB78E558B3E7EE6FB89715F040178E907DB794DA789C06CB92

Function 05681420 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0568146A

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 4e7f63ad7f23a4183ad21b19388c84ae078c451c74e343a08ef84bedd69dc981
Instruction ID: 96f773c79fb74da2a453f32881dc2ff84fbf71de43b4f8651d800fa28d0f059b
Opcode Fuzzy Hash: 4e7f63ad7f23a4183ad21b19388c84ae078c451c74e343a08ef84bedd69dc981
Instruction Fuzzy Hash: 45217174B102198BDB18BB68C898A7EBBEBAF89700F54442DD007EB394CE748D47C755

Function 05A89BA0 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<^q, xrefs: 05A89BDA

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: 6970a78f05f884d96469565c7de46472804a737c750d55cbea4ccf2c25495dd7
Instruction ID: 0ae61b0ec96ea7c6f75a3f28095d359607b7ddd712bedcdfc00e25b901e839d4
Opcode Fuzzy Hash: 6970a78f05f884d96469565c7de46472804a737c750d55cbea4ccf2c25495dd7
Instruction Fuzzy Hash: AF213A713041589FCB05DF2AC884EBA7FEABF8A251B1940A5FC59CB361DA75DC51CB20

Function 05A89B91 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

p<^q, xrefs: 05A89BDA

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: 7c0f5d0f55f84af14f6fee21c6be2e51d31c6362fd7420b8f2bb5f1f97c4e154
Instruction ID: bec3def851a9af99185e5f400d94073ed885399ccca96ff4667c604a189955b5
Opcode Fuzzy Hash: 7c0f5d0f55f84af14f6fee21c6be2e51d31c6362fd7420b8f2bb5f1f97c4e154
Instruction Fuzzy Hash: 99213B713441489FCB05DF2AC884EBA7BEAFF8A651F1940A5F819CB361DA75DC51CB20

Function 02F1DA90 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 02F1DAF2

Memory Dump Source

Source File: 00000008.00000002.1762029555.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2f10000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fe89ba98e9b4b9e0eefffceb8b39911ad67fcf408145d820ddae60f71c9b9331
Instruction ID: 1cbe4ca626737ad5b8c6eb958dbd19c0adf951089f8f1204d589e8853168d770
Opcode Fuzzy Hash: fe89ba98e9b4b9e0eefffceb8b39911ad67fcf408145d820ddae60f71c9b9331
Instruction Fuzzy Hash: 211136B1D002498FDB20DFAAC4457DEFBF4EB88324F208429D559A7250CB79A944CFA4

Function 05687C51 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

a^q, xrefs: 05687CAC

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: a^q
API String ID: 0-3411664965
Opcode ID: e051f32919a9a046d06958f7318584fec171cb102a28e80e3c53964654c33d92
Instruction ID: ff267280753d7e0df1830fc61c3ba48bbb4d224d8ba633b2e0aa07a4872947c3
Opcode Fuzzy Hash: e051f32919a9a046d06958f7318584fec171cb102a28e80e3c53964654c33d92
Instruction Fuzzy Hash: 0D019670D006098FC705FF78D5555ADBB76FF41300F108A28E44666254EF715E4ACB45

Function 05683F20 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05683F34

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 77843f5d7b083fbe6090333938d761ea065fea32fb2388249859f3e5ed411d44
Instruction ID: 4648e085d0f6ad2ebf669d86dddca2e0460a9cd675f5cdab70fcb30473b11d87
Opcode Fuzzy Hash: 77843f5d7b083fbe6090333938d761ea065fea32fb2388249859f3e5ed411d44
Instruction Fuzzy Hash: 610169323442048FD704EF2DE884A99B7A2FF88B15B11457AE20ACB371DB71EC46CB90

Function 0566EC92 Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

e, xrefs: 0566EC98

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 62bba0701c5eb67486daf4cb7140e58aaf2e595fc419970521b43c429ad18026
Instruction ID: d35d91f568c9a814ae392a93875671bab8c8731d84b6ea06acac4afa4f5be92e
Opcode Fuzzy Hash: 62bba0701c5eb67486daf4cb7140e58aaf2e595fc419970521b43c429ad18026
Instruction Fuzzy Hash: C5D097232082458FCB00C238EC023853F81EB8A340F0458A4D48A8260BE63080068600

Function 05A83B80 Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

&, xrefs: 05A83B89

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: ed0ef0add8906af6e46a74232cd30332e92c6e964397b9e086bcf551afce9712
Instruction ID: 0463f0a733e4734e846fe70f24100dd4937524ae6f2e0302e426cad46f52b903
Opcode Fuzzy Hash: ed0ef0add8906af6e46a74232cd30332e92c6e964397b9e086bcf551afce9712
Instruction Fuzzy Hash: 79C02B770940B80ED302CEC0F58674137449319328F14043DC45CC30C3C22DD90AC610

Function 055D6B88 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4267f96d187027323cbf926cf075ec494beee34300853139d7b94987ebcc14e1
Instruction ID: ca28b179b91eca97b68b88538abfcc901249a4d0721cef66cc280621ee67cc21
Opcode Fuzzy Hash: 4267f96d187027323cbf926cf075ec494beee34300853139d7b94987ebcc14e1
Instruction Fuzzy Hash: EF024431B11219CBEF24DB64C864BAEF7B2FF44304F5445A9D806A7280EF719A46CFA1

Function 05681670 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fef05e832be7ad620af7ef44bb310ea553cc84a6313df27b4c2b567f2893833
Instruction ID: ee6a718956d5373ec762bb1f1dbfbd4864b6d55868daf9711ba700bc826072aa
Opcode Fuzzy Hash: 4fef05e832be7ad620af7ef44bb310ea553cc84a6313df27b4c2b567f2893833
Instruction Fuzzy Hash: 4A12FE34B002198FDB14EF64C994AADB7B2BF89300F5186A8D54AAB355DF70ED86CF50

Function 055D5DB8 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5635c56f31d35ab2726cda9aa293b1b521cf391f9579264fcfe174c3709b068e
Instruction ID: a34cb4d7e5b95c71aea8011253e36723292acc1320bb2af7d3d3e714154d8fa5
Opcode Fuzzy Hash: 5635c56f31d35ab2726cda9aa293b1b521cf391f9579264fcfe174c3709b068e
Instruction Fuzzy Hash: 8BC151313482054BDB2476EEC5A477BD1EBAFD5700F90453E1213DB299EDA2CD4A82BA

Function 055D22D0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397880b34d8a966a921d0ee37260ed3293f2fed367cf957bc8ddf368bd3dbbf5
Instruction ID: 5e1c5b4423bf6966cae90484ad2efbc393b9ed8ba6e21a8e75e30fcf692e118d
Opcode Fuzzy Hash: 397880b34d8a966a921d0ee37260ed3293f2fed367cf957bc8ddf368bd3dbbf5
Instruction Fuzzy Hash: B1D150317943458BD7249A9DC49862BEAFBBBD4700F90843DB707C72D8DEA1CD4587A1

Function 055D7771 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4450b63c8d086bd8a7ce75838b30cbf7e43e321f2d69a0514c34910b013d6ca7
Instruction ID: 16c2fd041845cb17a7ac7f09f164f64eb21cc770c7d160bde3dd7c2eecce14ed
Opcode Fuzzy Hash: 4450b63c8d086bd8a7ce75838b30cbf7e43e321f2d69a0514c34910b013d6ca7
Instruction Fuzzy Hash: 1EB1F3317203414BC72A7B69D4E873EE6E7AFDA300F44817D95029B391DFA98C09D7A6

Function 055D784F Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fa9415c671572f1247142fcdb64fbe7a97379a25557286117c0c3dfd864bc3
Instruction ID: 11a9abbc528e22bf21089eebcf793b143389aff8f2b61a393a87e5f20e4cb389
Opcode Fuzzy Hash: 97fa9415c671572f1247142fcdb64fbe7a97379a25557286117c0c3dfd864bc3
Instruction Fuzzy Hash: D691D4313202014BD72A7B69D4E867EE6D7BFD9300B84813C95039B390DFA9CD09D7AA

Function 055D7870 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9309e487a8ec6eb91c6894b4a88d36a6b229016d441554d988a9543eccb18825
Instruction ID: 99855a5a757ee91b777d2c0f7bfc210dc1a7eb3a44be1cc8f7a03f80caee7607
Opcode Fuzzy Hash: 9309e487a8ec6eb91c6894b4a88d36a6b229016d441554d988a9543eccb18825
Instruction Fuzzy Hash: AE91B5317202014BD7297B6AD4E867EE6D7BFD9300B94413C95039B384DFA6CD05D79A

Function 05683BB5 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345e70ab94fa505f29977d542ce9b06db935b088bb83a9d3eb609cc1d15bf52d
Instruction ID: 05dc2bbc17a4f6b81858ca013894e69057a589fec7e15e464b3defcf7915c3e7
Opcode Fuzzy Hash: 345e70ab94fa505f29977d542ce9b06db935b088bb83a9d3eb609cc1d15bf52d
Instruction Fuzzy Hash: 9DA17D357402049FC705EF28D994AAA7BB2FF89704F2085A9E9058F3B5DB76EC41CB90

Function 05687DF9 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9ccba74c5e1a023fa3be3a07e5428b299aed5d103e7b41e4de73f1691296cd
Instruction ID: 1439ca969dfe7c68b3eb14b3f39581a3ade5125f97b718036f880927c6a42387
Opcode Fuzzy Hash: cb9ccba74c5e1a023fa3be3a07e5428b299aed5d103e7b41e4de73f1691296cd
Instruction Fuzzy Hash: A9B16B34A04109CFD718EF54E148BBAB7B3FB94314F648679D40A6BA84CF799C46CB86

Function 05A8BCC8 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b746a7cf8e4aeddab51e7bf647d5d58d9a976ac8da901aab39c109768c80587a
Instruction ID: e63a9dd30a1082f33d89667573dae06d0f4b9162da022fd198d512e874118cff
Opcode Fuzzy Hash: b746a7cf8e4aeddab51e7bf647d5d58d9a976ac8da901aab39c109768c80587a
Instruction Fuzzy Hash: 3A910775A406188FCB14EF68C484E6EBBF6FF48310F1585A9E9169B361DB30ED42CB91

Function 05681F32 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437d67ccb46d47e162116b8b7a514e12c60d1db95e04deeb56831cb0d0bf14db
Instruction ID: 2bc1f4a6070e702e6e6728c24b03ada649eb9a878fd15282c0d772c3a2d20997
Opcode Fuzzy Hash: 437d67ccb46d47e162116b8b7a514e12c60d1db95e04deeb56831cb0d0bf14db
Instruction Fuzzy Hash: 6EA1AB38B01609DFDB14EFA4E5949ADBBB6FF89310F508569F9026B364DB30AD42CB50

Function 05687E86 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0e31bea7444e8ab5a59ee1ca0bf41c3ab1a66ccf3ecfb104f51e3ab95a8175
Instruction ID: 41ffdf1984ff63f1a085cc5969962a066e8ed75372074abd677a71210b4c4fc0
Opcode Fuzzy Hash: 5f0e31bea7444e8ab5a59ee1ca0bf41c3ab1a66ccf3ecfb104f51e3ab95a8175
Instruction Fuzzy Hash: F4917D34A04105CFD718EF54E148BBAB7B3FB94314F648679D40A6B784CBB9AC46CB86

Function 05682608 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d7b7ffaf5a7280afbef8626e669e3caf0d534d11204a7935da8accab8d57c7
Instruction ID: ad9d6ff592a8859bca201be8b3c7dc92e3dfbcd33746115ecf47f486e7da936b
Opcode Fuzzy Hash: 36d7b7ffaf5a7280afbef8626e669e3caf0d534d11204a7935da8accab8d57c7
Instruction Fuzzy Hash: DE814C387106148FDB14EF68D4A8A6DBBF6BF89710F148169E506DB3A5CB34EC46CB90

Function 05687E9E Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3432bd244adf4b85991103ac752c0e383b1cd116495f87cbe7b2790c7f9c8f94
Instruction ID: 575d2658bb3ef1452bee51163e32a8098606bbb6eeadbeda52a0173b8f89c178
Opcode Fuzzy Hash: 3432bd244adf4b85991103ac752c0e383b1cd116495f87cbe7b2790c7f9c8f94
Instruction Fuzzy Hash: 0C916D34A04105CFD718EF54E148BBAB7B3FB94314F648669D40A6B784CB799C46CB86

Function 05A863B8 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3875cf3f496a3f95b2f2d2edbd38a1bfb3ff7531ad1da7a62e9a5a76c09d6086
Instruction ID: 749ceff2bd04250f740dc8923768591175bd5e33002a000da23743d826fab3eb
Opcode Fuzzy Hash: 3875cf3f496a3f95b2f2d2edbd38a1bfb3ff7531ad1da7a62e9a5a76c09d6086
Instruction Fuzzy Hash: C5818A35B012089FDB19EFA8E559BADBBF2FF98311F148069E912A7390CB35D941CB50

Function 056843F0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5edc59ecf5481b122cea91dcc41a636d7799b5662abc7f19427204ca812497
Instruction ID: a8a043b3bf2bda23b357f99b80953396088fc21e9b607c18baf0a4d901eb8d7e
Opcode Fuzzy Hash: ad5edc59ecf5481b122cea91dcc41a636d7799b5662abc7f19427204ca812497
Instruction Fuzzy Hash: EE815C34B006098FDB14EF68C058AADBBF6FF89705F104269D4029B7A4DF759D86CB90

Function 055D6308 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726977ada01f2324109af2eaf13093f08c99fb539e473749d27d05ee7aab78c5
Instruction ID: 07cf66c38cba8800d246520eac0b1908a94224b39fc0816dc53221e27429adc2
Opcode Fuzzy Hash: 726977ada01f2324109af2eaf13093f08c99fb539e473749d27d05ee7aab78c5
Instruction Fuzzy Hash: 89715331E1061ACBCF29DFA8C4546AEFBB3BF85304F608529D816BB244EF719946CB51

Function 05688970 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e94b9e8268081e9b79a797eb5c86608644fdadedb3454fe1b23adbc374fb094
Instruction ID: 0c877defb209b3d6300751d8b9c8eae8b8f5a6cece10ca50d94d49d73d87e54a
Opcode Fuzzy Hash: 4e94b9e8268081e9b79a797eb5c86608644fdadedb3454fe1b23adbc374fb094
Instruction Fuzzy Hash: C361683AB041808FCB01EF28E4106BA7BF2FB89314F5485BAD44197796DEBC5C06CB96

Function 056843E2 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c8b7ac4fd6cf40dd00917cd09c81e1623f8ae3763aaa569bf5e38ad345012d
Instruction ID: 1c927af925b9c144d5e45e393310f5c9c3ddbbb348bb8d5eae5a2b9dddcf0333
Opcode Fuzzy Hash: 29c8b7ac4fd6cf40dd00917cd09c81e1623f8ae3763aaa569bf5e38ad345012d
Instruction Fuzzy Hash: 56617D347006098FDB14EF68C458AADBBF6FF89305F108669D402977A5DF74AD86CB90

Function 05A86670 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3904da7f6116cd7100077de09a13686bca6976ca264783ae0d8ebbbe2a5702ef
Instruction ID: f37e901096c47284088140d5645f535ef0d4afa1e0b0d05e48f5dcd11ba42337
Opcode Fuzzy Hash: 3904da7f6116cd7100077de09a13686bca6976ca264783ae0d8ebbbe2a5702ef
Instruction Fuzzy Hash: 9851BF31B402059FDB15EF68D884F6ABBB6FB88314F148079E91ADB351DB31E841CB90

Function 056825FE Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b824047f42787f17905c058ff8a5819f33c5fef27834e6b61eae6b6460ea2c36
Instruction ID: 80e0a4a775f770e76cf550af8d3a20189c9133d77d5b5d3cb1e77a3730ab5587
Opcode Fuzzy Hash: b824047f42787f17905c058ff8a5819f33c5fef27834e6b61eae6b6460ea2c36
Instruction Fuzzy Hash: B6510B38B10614DFDB14EF68C4A8A6DB7B6BF88710F108169E5069B3A5DB70EC41CB90

Function 0568A717 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809bf4305d28134dd7e1081a565e92c2b46e4e9f1f1429115d4ab82ec5387c0b
Instruction ID: 5e769a9751e6b458a23aa20f70130017781519f77456b9c2126eec61a9c786fb
Opcode Fuzzy Hash: 809bf4305d28134dd7e1081a565e92c2b46e4e9f1f1429115d4ab82ec5387c0b
Instruction Fuzzy Hash: C3519D34A14608CFDB14DF94D544BBD7BB3FB88320F158266E915AB694CB7CAC86CB50

Function 0568C5B8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7787c49b84b8a5f88dada2b393ecfde44beebed4f59e675d241f285875b3b470
Instruction ID: 197b1c15cb729eba3af7fc6ce125bc71d36c35a280e4b7f31ad7935f0446b4a2
Opcode Fuzzy Hash: 7787c49b84b8a5f88dada2b393ecfde44beebed4f59e675d241f285875b3b470
Instruction Fuzzy Hash: CD41F6317082858FDB15DF69A8406AABFB5EFD222072486EBD458DF247D630DC86C7B1

Function 056889C0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80384c68bf34ff2355f3e79a1088d913fea511ad30e7b00898e0d1ee64c1f11a
Instruction ID: d12465b07667d5e8a74aa61116af8f3503629d9d7f2c8cb5e8cf0092264a9ff2
Opcode Fuzzy Hash: 80384c68bf34ff2355f3e79a1088d913fea511ad30e7b00898e0d1ee64c1f11a
Instruction Fuzzy Hash: FF51DD3AB041448FC700EF68E514AAA7BA2FB88315F5485B9D801A7785DFBC6C06CB96

Function 056843C0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1261c545195a66d317605e2373acddc0ad3ae5117a7921ad7411d9598c1befc5
Instruction ID: d606868a9474c692d02d85656556d8050f7f3211621934a8f11c1f43c53a1ca6
Opcode Fuzzy Hash: 1261c545195a66d317605e2373acddc0ad3ae5117a7921ad7411d9598c1befc5
Instruction Fuzzy Hash: 5E516D34B106098FDB14EF64C158AACBBB2FF89305F108669D4029B7A5DF74DD86CB90

Function 0568A728 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ef6742c00d9c3b76fef762ff4c6128b66900c8b393f2cb267880a0f8d6d1dc
Instruction ID: 8842bf829967fbc058b61274c2cdfd02c310defbf4e0f5f7db05c9df190514da
Opcode Fuzzy Hash: 73ef6742c00d9c3b76fef762ff4c6128b66900c8b393f2cb267880a0f8d6d1dc
Instruction Fuzzy Hash: C7518B34A14608CFEB14DF94D544BBD77B3FB88320F159266E915AB690CB7CAC86CB50

Function 05A8FB98 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422fb34e139c90297303ecefb5af7fb5ff9834bf969194e08a5042156c5d89bf
Instruction ID: ab5db9b254fc3afd961fad3229cbac58a898cd7a78e4fda49e0f2b2e4d3c75f1
Opcode Fuzzy Hash: 422fb34e139c90297303ecefb5af7fb5ff9834bf969194e08a5042156c5d89bf
Instruction Fuzzy Hash: AF515C34B506099FDB14EF64E498AADBBB6FF88701F008129F5029B3A4DF749D06CB81

Function 055D7DDA Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788dc8b0ccfacf932a1233c295ac40fca0bb96ffb732e4979d7d66640cf31b2d
Instruction ID: fc2203e712bff3e8d9ca9316d154ec5ed8fd6448d1c12fc924084a4fe95ad372
Opcode Fuzzy Hash: 788dc8b0ccfacf932a1233c295ac40fca0bb96ffb732e4979d7d66640cf31b2d
Instruction Fuzzy Hash: 6B412632B247020BCB39663D9854B3FFADBFFC9710F04817DA5069B385DE698C0692A5

Function 0566D217 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2317034938ad3a07133a3953f3495367da40d2d882912807cb70132adfeb03
Instruction ID: b6bcdb26330528d81a21d982bafc68d59715112efac86d64b85a9beb0eef9016
Opcode Fuzzy Hash: ad2317034938ad3a07133a3953f3495367da40d2d882912807cb70132adfeb03
Instruction Fuzzy Hash: 80519038B045018BD724DF68E00476A77B7FB98714F148578D906ABB88CB7CEC4ACB86

Function 0566D228 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5e41af55a690e7a0d1b20ea83f78785d98f51bc9062cb5cab0583f71c4a080
Instruction ID: 77720bdb56fdde9d246ed8773469e4ae8d6577021d33d7e13de1d38e99234e0d
Opcode Fuzzy Hash: ea5e41af55a690e7a0d1b20ea83f78785d98f51bc9062cb5cab0583f71c4a080
Instruction Fuzzy Hash: 1A516F38B045048BD724DF68E10476A77B7FB98715F248578D906AB788CB7CEC4ACB86

Function 0568AAB0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ffb9b76277409558a48043fec72cbf66bb4eba778a2ffe31b226f29dc8400a
Instruction ID: a387d4313575a54d413f234fb5ec603044ff489227dc77fec3788047ef6a3e21
Opcode Fuzzy Hash: 51ffb9b76277409558a48043fec72cbf66bb4eba778a2ffe31b226f29dc8400a
Instruction Fuzzy Hash: E7519234A04109DFDB14DF94E544BB9BBB3FB88320F189276D806A7754CBB85C86CB41

Function 0734A990 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d39c0506521c7119891ffb5a36a4ebe4e54474c9fdc5b8de30aecbc748ac6c
Instruction ID: eee319b8823fcdc76df76058e3b157791682796b960d3e385ca2d34828ed25d9
Opcode Fuzzy Hash: b1d39c0506521c7119891ffb5a36a4ebe4e54474c9fdc5b8de30aecbc748ac6c
Instruction Fuzzy Hash: 0541D0B2B54109CFFB1CCA55E9447AA73F7FB89311F28C025D50997695CB786C81CB90

Function 0568B338 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc46b23e90cd9dc7c5032a185e65d8b2f3b52371cd080053d7dc70066c352bcd
Instruction ID: 2c3ed60946392162e09b7e03890f528cbfad9925f878e99e5ed51a2936a92c56
Opcode Fuzzy Hash: cc46b23e90cd9dc7c5032a185e65d8b2f3b52371cd080053d7dc70066c352bcd
Instruction Fuzzy Hash: EC417D34A40105CFDB10EE69E159BBE77A3FB88310F28827AD416A77A5CBB89C45CB45

Function 0566D384 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8121f39f743761b220f35f4d74a4a52126f1b8a97860f3e64616082d92c41c2e
Instruction ID: 5cef5f7c4382054c15ed7523302c4d107889382442e40f5778aee45841755faf
Opcode Fuzzy Hash: 8121f39f743761b220f35f4d74a4a52126f1b8a97860f3e64616082d92c41c2e
Instruction Fuzzy Hash: FB514D38B045048BD724DF64E10476A73B7FB94715F258574D9069BB88CBBCAC4AC786

Function 056889F8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd506e98e6c6af1057005439ce3a1caaad369206590fe106be3b9c594e01b9a5
Instruction ID: 37906fa3ed95d9196635a87c5f19bf32bf0feced788817dd4527e82ee966907a
Opcode Fuzzy Hash: bd506e98e6c6af1057005439ce3a1caaad369206590fe106be3b9c594e01b9a5
Instruction Fuzzy Hash: B9416879B00404CBCB04EF68E144BAA77A3F788315F648578D902A7785CFBCAC16CB82

Function 0568AAC0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7926d750eec4debbb930915448ce8d4539084fed12259e4ca35d6a732655624
Instruction ID: 0f91a65b05ba471af0cd32a07842f25e56b9eebbf3ddd9b4732fbe4e60fecb00
Opcode Fuzzy Hash: f7926d750eec4debbb930915448ce8d4539084fed12259e4ca35d6a732655624
Instruction Fuzzy Hash: 54418E34A04109CFDB14EB94E558BBEB7B3FB88320F18917AD806A7744CBB85C86CB41

Function 05685988 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cb8160a673f6e55c895564f76d55c02f9b417fd832904555e8db1f7aa86716
Instruction ID: 57df2973750d400fa46d6e285f7e3b0b6b66878cd784cfa92efb53391de8e87b
Opcode Fuzzy Hash: 62cb8160a673f6e55c895564f76d55c02f9b417fd832904555e8db1f7aa86716
Instruction Fuzzy Hash: E8419C31B00B549FCB60EB68D5842AEB7F2FF84620F448A6ED45BD7B40DA30E941CB81

Function 0568B348 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7252f5ec6cdd1c3dfb6f7f170d716bac44a06b8df0988198a00095404d911f98
Instruction ID: 416010c879f0599400d14a9bf7291853579672019fde8a43ef87d72edd20461d
Opcode Fuzzy Hash: 7252f5ec6cdd1c3dfb6f7f170d716bac44a06b8df0988198a00095404d911f98
Instruction Fuzzy Hash: E7418134B00105CFDB14EE69E159BBE77A3FB88310F248276D416A77A4CBB85C49CB45

Function 05685DB8 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee79d79fa975f021533f546e2ce16b73726760c6b5a4b4fe38958638e60e7983
Instruction ID: a50d6efe90cce6ff5929f7d20d2d2a796bcae3a9c336b68982a5c16677cce261
Opcode Fuzzy Hash: ee79d79fa975f021533f546e2ce16b73726760c6b5a4b4fe38958638e60e7983
Instruction Fuzzy Hash: 69413975A00704AFCB25DF69C948A6ABBF2BF98300F148A5DE58697B51DB30E904CF51

Function 05685F00 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baed05d26931b836913ec8001fda01a474f5ff6d2ed747baad8912ca1453fc2d
Instruction ID: 1bab83f3f00dfacfe1fb10d0d05d377a4e3b1fb1d904ad797f01c642a1428f8d
Opcode Fuzzy Hash: baed05d26931b836913ec8001fda01a474f5ff6d2ed747baad8912ca1453fc2d
Instruction Fuzzy Hash: 3D41E431B00609AFCB24DF69D855BAEBBB6FF94710F104129F50AD7780DB31A905CB91

Function 05683C40 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f148d6a178bc7ab9e2975182a17adc806aa87152b5ad0bcb2a9620e792e0ba6f
Instruction ID: b25a920cdaa0d4b944c6d727c26835d2eb68c3deb3bdd19f05eb353965d40aed
Opcode Fuzzy Hash: f148d6a178bc7ab9e2975182a17adc806aa87152b5ad0bcb2a9620e792e0ba6f
Instruction Fuzzy Hash: CF41F1347405089FDB04EF29D994E6A77A2EF89B14F2085A8E9068F3B5DB75EC41CB90

Function 0566EB10 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c95bbc0aa09aab609381239d66e983e53d96c9a54cd7c7e4811194706a5a45
Instruction ID: f864413fed28d5ab8e3b9bff8eddc1c01fa750c9869a03c35f65f4a0e08f6a8b
Opcode Fuzzy Hash: 33c95bbc0aa09aab609381239d66e983e53d96c9a54cd7c7e4811194706a5a45
Instruction Fuzzy Hash: F431F6363082048FC724CB68E584A2ABFE9EF81321F1984BAE00ECB691CB31EC45C750

Function 07349420 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b089cc1fddcc59a956fcfb2e5d06d630cb62e2bf59bdc1c3cb01b2b9cc5c4df
Instruction ID: 88929bee167be7794ac2158c61323cb653d912e44e1b860f9af097c8320982ad
Opcode Fuzzy Hash: 3b089cc1fddcc59a956fcfb2e5d06d630cb62e2bf59bdc1c3cb01b2b9cc5c4df
Instruction Fuzzy Hash: BB41ADB5B00114CFEB08CB68D0547AEB7F6EB89705F55C069D90AA7B85CB39BC41CB91

Function 0568AD60 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c0d1de1bf5cd9f81db5396a63d35b8ac259df854282ff384df6676b5c605aa
Instruction ID: 9dc40d94d81212f33e3eb62e29d6037274936be29e3d161f37fb0e1cb4812aef
Opcode Fuzzy Hash: 36c0d1de1bf5cd9f81db5396a63d35b8ac259df854282ff384df6676b5c605aa
Instruction Fuzzy Hash: 9A31F37644D7C46FC3178BB49C5A8657FB4AD1322230B81DBE888CF1B3D6298919C722

Function 07349A98 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3231d780e31cb47bd02b0aae02da125949a05f116ed30734d7627a0763eddb0
Instruction ID: 49adcdde109f780ccb39fdafe669a0d0a6b95fbe8989882bf66eb94e03c63ea4
Opcode Fuzzy Hash: f3231d780e31cb47bd02b0aae02da125949a05f116ed30734d7627a0763eddb0
Instruction Fuzzy Hash: 17414DB0710105CFEB18DB69F959BAF77E7EB89300F548429D40A8B785DB74AC46CB81

Function 055D7E31 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cc1f9e83c0c8f39719aa1dbaf41115a4c97536124300f0f30b0882a06a4e89
Instruction ID: 4460f7badf1c736e52fb3b092ad02be826788164c042979ff9bf7615b72d7b59
Opcode Fuzzy Hash: 89cc1f9e83c0c8f39719aa1dbaf41115a4c97536124300f0f30b0882a06a4e89
Instruction Fuzzy Hash: 4E310732B247024BCB3D667D94A833FE6E7FFC9610B04857D95039B745DE298C0692A5

Function 05688FC0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e5a172baa6d5d0b043370b3fb6e9e0b77563f628459e921750bb94f6adcaca
Instruction ID: 9667178a4a99da7f59f36c56d503c28eded38ad573ee5224d66dda2ed8e6a600
Opcode Fuzzy Hash: 80e5a172baa6d5d0b043370b3fb6e9e0b77563f628459e921750bb94f6adcaca
Instruction Fuzzy Hash: 81312230A08208CFDB05EA58D548BFA7BB3FB88300F188279E101A7746CB7A5D85CB51

Function 0568A889 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621f977223fa7c5decad36219f63b23b2a054e4c5e09542acdb5ed69bfc5efb9
Instruction ID: 3888e101a7a0b8de4762e2c44c94c7fe5bb1caa62e39b80bceddfd9682e71647
Opcode Fuzzy Hash: 621f977223fa7c5decad36219f63b23b2a054e4c5e09542acdb5ed69bfc5efb9
Instruction Fuzzy Hash: D0417A74A14608CFEB50DF90D544FBD77B3FB88324F159266D9126B690CB789C86CB50

Function 05A86868 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5ce47b747faa7f7bf43624e3805cc64576edd2df8504b39b048a7d6287e49b
Instruction ID: 1741b86806cbe94fd53a1bd4cd6b3dc8c02ed0546ffc08eb60b6d79c7ab3c004
Opcode Fuzzy Hash: df5ce47b747faa7f7bf43624e3805cc64576edd2df8504b39b048a7d6287e49b
Instruction Fuzzy Hash: 2041BD31A002168FEB14DFA5C844ABEBBB2FF88354F008179D42AEB291D734D945CB91

Function 055D7E50 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85b9693f1f4c09fa9f7f98d3bd2964d1e3ba2cf88bbbbd75f6a8e9e88612bf5
Instruction ID: 7adda0ff1b94bfa51affc8070ded9956ad1c16970e27121a160423c23f08c998
Opcode Fuzzy Hash: a85b9693f1f4c09fa9f7f98d3bd2964d1e3ba2cf88bbbbd75f6a8e9e88612bf5
Instruction Fuzzy Hash: D921D622B24B0607DB3D767D94A873FE5D7FFC9A00F04853C95039B388EE658C0696A5

Function 055D6CB6 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c9328ce61ef9f35d2bdcd02be4a11277d90b5ec7aefa64753977c41997b50
Instruction ID: 3b3d9423700fc57bfa11a1648cd5cb28fb404551cc0b8fb86b7650b888f37b7e
Opcode Fuzzy Hash: 244c9328ce61ef9f35d2bdcd02be4a11277d90b5ec7aefa64753977c41997b50
Instruction Fuzzy Hash: 9F411A3162122ACBEB359B64D964F69FB72FB44205F5045E8D806A7290DB319D41CFA1

Function 0568291A Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f044aa48f178a29ddf128979a58ea0cb39ed27cad9c379c4e6c2bcd7c80f0
Instruction ID: b84cdf36a258d4b6a3eac68f5236f3effcc67ca3dec3e94096e65317ae1fae71
Opcode Fuzzy Hash: 5b6f044aa48f178a29ddf128979a58ea0cb39ed27cad9c379c4e6c2bcd7c80f0
Instruction Fuzzy Hash: 17315E39B001089BDF14EFA4D854AEEB7B6FF88310F108169E806BB390DB759D05CBA0

Function 055D6D3A Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055848cc9bc52ce2c3ed2bab7903aa7acab463c7925018155172f70742d921f2
Instruction ID: bfd7ae14bb401faae367d311d22d375bff38795bf45ac1324e877d772b4d6d48
Opcode Fuzzy Hash: 055848cc9bc52ce2c3ed2bab7903aa7acab463c7925018155172f70742d921f2
Instruction Fuzzy Hash: B1313B3162121ACBEB359B64D864F6DFB72FF44204F5045E8D806A7290DB319E41CFA1

Function 055D62EB Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7eedaec932bfbd097f8bd5fb18c1e639706092658a007f38a03a8df644faeb0
Instruction ID: f78e33474146a7e52c2ba47d94fc08ee688b9868cc054e4f90fd2434e496169b
Opcode Fuzzy Hash: b7eedaec932bfbd097f8bd5fb18c1e639706092658a007f38a03a8df644faeb0
Instruction Fuzzy Hash: 6631C731E1065A8FCF19CFA8C4506ADFBB2BF89300F148569D801BB644EF759947CB91

Function 05A89231 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed1824c4da234dde465c7e9594b59b30cda6ba58144147a223188e35070d364
Instruction ID: e2328ea87b06d73c1a820c1658835a4ebf39e08dcb761a1d4b039dd0036d7017
Opcode Fuzzy Hash: 3ed1824c4da234dde465c7e9594b59b30cda6ba58144147a223188e35070d364
Instruction Fuzzy Hash: 69317A317007059FC724EF25D488A7ABBB6FF85755B54482CE8228B3A0DF35E846CB50

Function 05669F86 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6479f9b59f0f4345950d0bf0522c85d1de426ea9066136b06ba2b91c91ab9f
Instruction ID: 3bf4db3f9cac962b0929a311724ec5fff5495b40213cfd30e372656346b628bd
Opcode Fuzzy Hash: fc6479f9b59f0f4345950d0bf0522c85d1de426ea9066136b06ba2b91c91ab9f
Instruction Fuzzy Hash: A2316F35E04219CFDB24DFA4D454BADB7B6BB44310F5A4069D80ABF3A4CB35AC82CB81

Function 056808E0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a31dd02f455f3b02466089aa39704087a405b73571305ddaf67b18177f61b36
Instruction ID: d3d07320ac46c2f873b589b740985827491dfe0f133b9258efd116ec86de99eb
Opcode Fuzzy Hash: 0a31dd02f455f3b02466089aa39704087a405b73571305ddaf67b18177f61b36
Instruction Fuzzy Hash: 9331C371B0460ACFCB01FF68C4549AEBBB1EF8A300F10466AD50597360EB34AD46CBA2

Function 0568FDF0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad5f66d47503848ed71f52a6b42ca1d1c51be46008b1cc67963d06db68680a4
Instruction ID: 564d15f9cf33d3f7fa04cb05686c092ca7cdb7569ea5c287e76f9c9a43096dd6
Opcode Fuzzy Hash: 9ad5f66d47503848ed71f52a6b42ca1d1c51be46008b1cc67963d06db68680a4
Instruction Fuzzy Hash: 20318F70A00249DFDB10EB55D448BBABBF3EB89310F289525E541A7786CBB85C82CB90

Function 055D6DC3 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576927b2529199dd053db2d70b7b833112efc99ab6bec086e4c91e88bcad79d6
Instruction ID: ff132fe4d32a0c363738d1b8a373a2e8e74dcac546c9197a35cf493332cd65b9
Opcode Fuzzy Hash: 576927b2529199dd053db2d70b7b833112efc99ab6bec086e4c91e88bcad79d6
Instruction Fuzzy Hash: FC311A32A2121ACBEB35DB64D864F6EFB72FB44304F5045E8D906A7290DB319E45CFA1

Function 0568FDEF Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99425bf9d026ff3b8c71845267d7d64909b4e64b34d24b90c46b97f25120199e
Instruction ID: 0da79a00608964ad047cc45c8bf7b55504ddec2e74f1e9258c9c494ab7d81f7e
Opcode Fuzzy Hash: 99425bf9d026ff3b8c71845267d7d64909b4e64b34d24b90c46b97f25120199e
Instruction Fuzzy Hash: 9B319170A00249DFDB10EF55D549BBABBF3EB89310F289525D541A7786CB785C82CB90

Function 0568D7A1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b542b691e3ebae721db85dd3a3162c7eb8ec33a91537fae7aee0d633ff92d206
Instruction ID: d33621e3af5a5a4be82a447df01b040bbf420898edafe37355041dd7cc198a26
Opcode Fuzzy Hash: b542b691e3ebae721db85dd3a3162c7eb8ec33a91537fae7aee0d633ff92d206
Instruction Fuzzy Hash: 9C312230A04644CFCB54EF24E444BB93BB3FB41300F1982B9C4058B6C2D77AA807CBA2

Function 05A84370 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d07729739c198ebf6fc4c9c40d464514e020796a8c6de9d642a105af4f6e072
Instruction ID: 67db368d313499ff8268859a3e58823e74ada78a765bd08a7f5bd317ad9e7de6
Opcode Fuzzy Hash: 2d07729739c198ebf6fc4c9c40d464514e020796a8c6de9d642a105af4f6e072
Instruction Fuzzy Hash: 32318734A00106CBEF00EB98E649BB977B3FB88318F248175D211A7385EB791D86CB55

Function 055D7BEA Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cad04f5eddd745b5024b6df0bde1ab4f182f7d53fbd3ea75220368d5a8bd5f6
Instruction ID: 73bee9d15dd9f2deff6e85f6b2d1f921ace48bc484482555290c7cb7f7b21f24
Opcode Fuzzy Hash: 8cad04f5eddd745b5024b6df0bde1ab4f182f7d53fbd3ea75220368d5a8bd5f6
Instruction Fuzzy Hash: 6121F932B202194FCB296A7DD85973EFAA6FFC9611F04443DD512E7360FE34490193A5

Function 05687C10 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e2f80551972a47e6534f6e6c7d56c23fa369bced1d0c3a960135cefce39d23
Instruction ID: fdabb6d81fb931d8f0ec875c163c67e77e9240209176ad46913f2c51600f46ba
Opcode Fuzzy Hash: b5e2f80551972a47e6534f6e6c7d56c23fa369bced1d0c3a960135cefce39d23
Instruction Fuzzy Hash: CA31D0397000018BD705AF68E06877E77A3F7D4715F64C528D602AB789CE7D9C4ACB86

Function 05A84380 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fce56e477849c6d2aeb44d4d580fc8c6a8453caecda5c6d49c216afa6830d7e
Instruction ID: f05e1257254574288cb4f5dbc7fd6ad5e6a3a701d6e8118a733355fc541f8a4c
Opcode Fuzzy Hash: 5fce56e477849c6d2aeb44d4d580fc8c6a8453caecda5c6d49c216afa6830d7e
Instruction Fuzzy Hash: 76317634A1010ACBEB10EB94E609FBA77B3FB88308F248075D601A7785DBB91D86CB55

Function 055D7C00 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4a08cbb9a587015bbbbcef0cacb48a987e15b36ee45729aba86750bfc79f71
Instruction ID: b21dcce001bb3ab2f39485987c3a9573fdf77536ab915bd6f01584d051e9014f
Opcode Fuzzy Hash: 4e4a08cbb9a587015bbbbcef0cacb48a987e15b36ee45729aba86750bfc79f71
Instruction Fuzzy Hash: 8221D531B2011D4BCB29667DD859B3EF9EBFFC9601F04443CD902973A0EE35590193A5

Function 056808F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788262aa5b7b6d754a7cb8a383c335ea63696adb603fb97a250c5889a4c57951
Instruction ID: a895012dd2cced4f855f532e3aa2146c4ae355ff1d34c70cacce486f2f0a9241
Opcode Fuzzy Hash: 788262aa5b7b6d754a7cb8a383c335ea63696adb603fb97a250c5889a4c57951
Instruction Fuzzy Hash: 85213575B1060A8FCB04FF68C5548AEFBB5EF89700F10452AD506A7364EF74AA46CBA1

Function 05A88AB8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5159ac5b02d35c98331214228a3bed29b21cb79a2a12576323ea762551c8c56
Instruction ID: 23556c72a8497d95c3db8353e4932d11e9e5998b12abc07258f5f8b84c0d1a16
Opcode Fuzzy Hash: d5159ac5b02d35c98331214228a3bed29b21cb79a2a12576323ea762551c8c56
Instruction Fuzzy Hash: A0217572B1421A8B8B21EFA9E8858BEF7F6FBC4261B544876E425D7240DF35DC02C761

Function 055D6E4C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c3c85b40211c3d06361658f5b638596ea86d87d45a8e5245798dde885104c6
Instruction ID: 3d566ef835dff377eb0a268cafedf2576ca3413ff0fe47678e57969c0ebe5cf6
Opcode Fuzzy Hash: 94c3c85b40211c3d06361658f5b638596ea86d87d45a8e5245798dde885104c6
Instruction Fuzzy Hash: 67310D31A2121ACBEB35DB64C864F6EF772FB45304F5045E8D806A7690DB319E45CFA1

Function 0566DC89 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487f3a567b4687a1ae37aada6b8ae8890cde1a957a64f76b34ffb1e6e756d419
Instruction ID: 251a149453b1c9681d28def279d228505e6882f361e93dba71cf06e290ad2407
Opcode Fuzzy Hash: 487f3a567b4687a1ae37aada6b8ae8890cde1a957a64f76b34ffb1e6e756d419
Instruction Fuzzy Hash: 683169B1A002099FDB28DF68C558BADBBF2FF88304F108069D406A73A0DB749D45CB90

Function 05687AE3 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f660991c2e2857d870ca1b7273530267bff10abe895e9262efc839e055b8125d
Instruction ID: 59859d611aab7a93d0ee0596682f53fcac26e6bd8bab24e178e8a0fa2e3e3e1b
Opcode Fuzzy Hash: f660991c2e2857d870ca1b7273530267bff10abe895e9262efc839e055b8125d
Instruction Fuzzy Hash: 6B21D0387001058BD718EF24E06873E73A3F794711F288628D5026B785CFBE5C46CB86

Function 05A890A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6521269ccf661f0d1e92addaf4064215e5a0617b7e297ddb13e38f2571b6f5
Instruction ID: 43e57a4c3e2a0b4a03a086a5c8340a58a34fe78d31d96bb85edfc2be9ab8d7a2
Opcode Fuzzy Hash: 3e6521269ccf661f0d1e92addaf4064215e5a0617b7e297ddb13e38f2571b6f5
Instruction Fuzzy Hash: 2D215C71E04209DFDB90EB78C808BBFBBF5AB44340F108066D519D7290E734DA51CB91

Function 061292F0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089a859a275298d16f2af2f151f89c5f4c2103cd0416191f84d95db2e11be646
Instruction ID: a59c0c101a718746d61fad489ad8e925b533e4c36c1f9c0a9a73fc89e59034dd
Opcode Fuzzy Hash: 089a859a275298d16f2af2f151f89c5f4c2103cd0416191f84d95db2e11be646
Instruction Fuzzy Hash: 50113A31E0816E8FCB85DBBFE4182AD7A65FB94651F054C69E50D8B2C1DF218C109386

Function 0566200D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24fa330eb7620b2039bcd69f3126a8af7f8af65f7bcf31b2d10fd950c70c6e4c
Instruction ID: ce27af2aee44684cdfcd967e98cfda5742f6f9341248bc973ada4a22be9dbcfb
Opcode Fuzzy Hash: 24fa330eb7620b2039bcd69f3126a8af7f8af65f7bcf31b2d10fd950c70c6e4c
Instruction Fuzzy Hash: 8C113826508947FAC3286FFED851DACB361FEF5310708822BC42692E90DB70D45EC2E2

Function 05A85030 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d38b72ecd4505c3423f7bee85e393ee8af542f98f36e29e81e22e292622b1d
Instruction ID: 3b4851fb03300157760529086f87bc5e73c30a246521ea86be29eae1731cebe0
Opcode Fuzzy Hash: 95d38b72ecd4505c3423f7bee85e393ee8af542f98f36e29e81e22e292622b1d
Instruction Fuzzy Hash: B3215135A10218AFCB15DF68C495AEEBFB6FB8D320F145129E811A7390DE719941CF90

Function 055D6ED5 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca6bf6b1c776806ad532d483336b7a9350ea8ceffef4842b95a8325c2924e57
Instruction ID: 956a9af8ada4728b38e930c4ba05609bf8bd014c98b39881adc0f92d5dac5b49
Opcode Fuzzy Hash: 6ca6bf6b1c776806ad532d483336b7a9350ea8ceffef4842b95a8325c2924e57
Instruction Fuzzy Hash: D5210A31A2121ACBEB35DB64C864FAEF772FB44304F5046A8D806A7690DB319E45CFA1

Function 05689568 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75b7bd8bc65f34f4b4cb69cd0cac904d83e9f2bae1ba4a10f40a20e9fbe2ac3
Instruction ID: 0371bc6d610ba00460e7b2ea9a6978a52cb33fca889c798a95fbb7cf8d5e7ea2
Opcode Fuzzy Hash: e75b7bd8bc65f34f4b4cb69cd0cac904d83e9f2bae1ba4a10f40a20e9fbe2ac3
Instruction Fuzzy Hash: 5521077190D7849FC712DB78C4545A4BFF0EF16310B0A82DAC494DB6A2D238994ACB12

Function 05A8E1D0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f757717a650509911102de7e2acb31b23ef7a232f799415b53accd8374373f
Instruction ID: 69be68a7a2eda3a5881799dd465efd536a769de0cb61603cac2a0aca59efde76
Opcode Fuzzy Hash: 59f757717a650509911102de7e2acb31b23ef7a232f799415b53accd8374373f
Instruction Fuzzy Hash: 0021C375A402098FDB04EFA8C685EEDB7F2BB48300F2045A4E445AB361DB76AD45CBA0

Function 05689840 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd7d33985e23ff936cc225887b10ec5075794a0b1a3d92a3892e81b3c840613
Instruction ID: 076da710e4c391202dd917334089f43c31ac3ac4499dbffc41ba54c7e6986f10
Opcode Fuzzy Hash: 1dd7d33985e23ff936cc225887b10ec5075794a0b1a3d92a3892e81b3c840613
Instruction Fuzzy Hash: 6A213A75600B459FC764DF29CA80966FBF2FF887107598A59D48AC7B11EA30F841CF40

Function 05A849B8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f48f4eeadfc066a32324f73da8f707e4d9c20e03133adf65a9abc656139717
Instruction ID: e154be81f8b9c3a3b868cd334646d43ffdc2f2b35baf64d73131a7791b181310
Opcode Fuzzy Hash: 42f48f4eeadfc066a32324f73da8f707e4d9c20e03133adf65a9abc656139717
Instruction Fuzzy Hash: 9021C1316503069FC740DF6CE84979EBBE6EF88320F108538E40AD7695DEB4E9058B91

Function 05660022 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7249959378768c484f525969f18143d800d53ba33258022d3802a7131e0f90f
Instruction ID: ad0eba0881ad1bdb128d013254d01be0a7eab5ba9f0606b942871d4271aa2de2
Opcode Fuzzy Hash: c7249959378768c484f525969f18143d800d53ba33258022d3802a7131e0f90f
Instruction Fuzzy Hash: CC21F4349092499FDB11CF64E8947A9BFB6FB81310F1580BAD045E7395CB785D84CF91

Function 0568DEA8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5486f047c37f5f2f193ac3a1a533e58b161752fc069c52eea26ff9db5e1de7
Instruction ID: cb79e627d06e9475530c6e4a435e36868d57b89e95f6eadbd4ae3f9d21ba2766
Opcode Fuzzy Hash: 2e5486f047c37f5f2f193ac3a1a533e58b161752fc069c52eea26ff9db5e1de7
Instruction Fuzzy Hash: AE215C70E042489FCB11EF79D88C5ADBFB2BB5A310F1486A5E015DB2A1EB759942CF10

Function 05A85040 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a97dac56457c74930cdf2ff3e0c3f69599de1bcac908630415379f11668177
Instruction ID: 2001b2ef6fffe9802b4d824a31842b766dfb0486157844b83b5a7fa037593a20
Opcode Fuzzy Hash: 40a97dac56457c74930cdf2ff3e0c3f69599de1bcac908630415379f11668177
Instruction Fuzzy Hash: C4213D35A00209AFCB15DF68C4559EEBFB6FB8D320F149129E811A7390DE719841CFA0

Function 05A8EEC0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ffdc4ed12753341c3222f11cdf5f2b79572a2a2351733f3a08435e9d93fdc5
Instruction ID: 202e836ca3aca5f9abb2581a22e371d2937ec6891739277c39e02173ce836564
Opcode Fuzzy Hash: a4ffdc4ed12753341c3222f11cdf5f2b79572a2a2351733f3a08435e9d93fdc5
Instruction Fuzzy Hash: C921A431A00616EFCB14EF59C980ABAFBBAFB44304F05C169E81597644D731EC96CB84

Function 07348888 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781e837f89768032bb9758dd5e630636462acd815cb64c6500409a371f93bf51
Instruction ID: f382f90205eedf1e4698b1322661bc43bb99cd7c39b77be00553e422907207c1
Opcode Fuzzy Hash: 781e837f89768032bb9758dd5e630636462acd815cb64c6500409a371f93bf51
Instruction Fuzzy Hash: 19212770600A058FE328DF19E944A92F7E5FF84724F15CA69D49E8BBA1D770F885CB81

Function 05683FD7 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90d3ce4d3fc7e71b2594bb84f4b7be1574c210af3ffc8c3ea8f1ba20838509c
Instruction ID: d0aa971e41a90022330231a54ef3d4db6500df4c4e296bea2506ce32332c917e
Opcode Fuzzy Hash: e90d3ce4d3fc7e71b2594bb84f4b7be1574c210af3ffc8c3ea8f1ba20838509c
Instruction Fuzzy Hash: A911BF327042048FC701DF5DE880999FBF5EF89725B1581BAD109C7B21DB309C49C794

Function 055D6F5E Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7532d2b425dcc348fdef4fe6813e5debb1129b17cbd3ba4bc484e525e12b48
Instruction ID: b76a24d8ec7912bceea53f9bad4b49b9339d5d2e410249c5ec3cb45f1cf58dc6
Opcode Fuzzy Hash: eb7532d2b425dcc348fdef4fe6813e5debb1129b17cbd3ba4bc484e525e12b48
Instruction Fuzzy Hash: D2211B31A2121ACBEB35DB64C864FADF772FB44304F504698D806A7290DB319E45CFA1

Function 0568D7D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292e4fa8accf0f44a64f7a07a50c709772463e906aeeb5aba2515bd0fa3552a3
Instruction ID: 2d96d78add2a3c47b78e97f3e56ee831704ac9a09d194772144183b7a932140f
Opcode Fuzzy Hash: 292e4fa8accf0f44a64f7a07a50c709772463e906aeeb5aba2515bd0fa3552a3
Instruction Fuzzy Hash: 6F2177B0A04505CFDB94EF15E549B7A33B3FB84310F249279C41287A94DBBC9896CB62

Function 05A8E1C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7d123d6cc95b08dbdee80174202aeb8e7fcdc2d2188e1a19b72118c08f29b8
Instruction ID: a291bfefeda72160e3f228c44aa10ee63b0cf65369c5d1844a17f8518afeff2b
Opcode Fuzzy Hash: 0e7d123d6cc95b08dbdee80174202aeb8e7fcdc2d2188e1a19b72118c08f29b8
Instruction Fuzzy Hash: F821F675A40209CFDB09DFA4C685EADB7F2BF48300F2045A4E405BB3A1DB369D45CBA0

Function 07348958 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409a499d4ce7691eed18fee3b58497739180e1e0c60d398669dd883c02875d89
Instruction ID: da80833ba6a3d7d7089d42394ea93342078786b788f0d959400b8af0a68c2162
Opcode Fuzzy Hash: 409a499d4ce7691eed18fee3b58497739180e1e0c60d398669dd883c02875d89
Instruction Fuzzy Hash: A711B6B03006419FD724CB29D888E93BFE9EF89318B1485AAE04DC7262C731F806CB51

Function 0568DEB8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880be10ac7a2f10b67c02a7c43cfde929ba29e5a021b5846317da44d90da4812
Instruction ID: 13da66ad38abbd82fa6b8dac1e3ce62d222bc3f88ceab9d7dd5974ad7e72295d
Opcode Fuzzy Hash: 880be10ac7a2f10b67c02a7c43cfde929ba29e5a021b5846317da44d90da4812
Instruction Fuzzy Hash: D921F770E04249DFCB00EF69D84C5ADBFB2BB89300F14C9A6E016DB2A1EB749945CF11

Function 05A8412F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a1d50bf43a02140890906538c20c1fbde65f2c5921065ab4b6ad672dfc176b
Instruction ID: 9a776d3cc7ba682b3370d11799e6e9a4e6569bc04c4555e200ea8f42406c24c4
Opcode Fuzzy Hash: 22a1d50bf43a02140890906538c20c1fbde65f2c5921065ab4b6ad672dfc176b
Instruction Fuzzy Hash: 0C119E357049068FEB14DA49D844FB6F7E7FBD8319F258138E0298B758CB78AC468B44

Function 05687B43 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bd41d3cd9d70deb67f2059db4c9991ca98c79535e3cb78b2010b217ac5d28d
Instruction ID: 41a1400f263e5660c6c568c04da42b6693ed6a123e66d58b0d3e60626324bced
Opcode Fuzzy Hash: 58bd41d3cd9d70deb67f2059db4c9991ca98c79535e3cb78b2010b217ac5d28d
Instruction Fuzzy Hash: 8F11BE397005158BDB04AF68E06873E76A3F7D4715F24C628D502AB788CF7D9C0A8BC6

Function 055D6FE5 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7ad3d5995d0c07783a618472d1925794d3c5856e1cfc4799c57bc22efd54e5
Instruction ID: 0fc08297dbd949d7709e3c87e6705e2069e56a793823cbe7aaeb47bb7d1ac4e3
Opcode Fuzzy Hash: ec7ad3d5995d0c07783a618472d1925794d3c5856e1cfc4799c57bc22efd54e5
Instruction Fuzzy Hash: 43212C31A21229CBEB35DB64C864FADF672FB48304F504698D806A7290DF719E45CFA1

Function 07348F20 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb68f14f5d77393e4f4162b408f2b6927011538239cae185e57e59297620a59
Instruction ID: cffeab0cd0f847e11778eba0d87ade587fb6a16797e84d20343e692854135eb3
Opcode Fuzzy Hash: dbb68f14f5d77393e4f4162b408f2b6927011538239cae185e57e59297620a59
Instruction Fuzzy Hash: 01118E7060020A9FC704DB79D5559AEBBE6FF84718B54C42DD90A97350DB30ED4ACB81

Function 0568DAE8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0100a2c5cb778e9ae743c57f4c759d5e1d03b4354b268be9acee49b1654a25cb
Instruction ID: dfc7345f16ee21ab1d76583338f24453686d19cd5066be9a60976e3646ba1d7c
Opcode Fuzzy Hash: 0100a2c5cb778e9ae743c57f4c759d5e1d03b4354b268be9acee49b1654a25cb
Instruction Fuzzy Hash: BD2158B0A18248DFEB05EF68D0897ADBFF2EB02305F6481B9D4019B6C1DB744985DB51

Function 05A8E120 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a1430626a29536ae85c55a2611dce1d7a48db792c11855f22f30cfebf8718f
Instruction ID: 6db2dcb45c2ab9176ff983b4e6b34ec91acbfb5f6c955bfea9f3ae02ff4c8ada
Opcode Fuzzy Hash: 53a1430626a29536ae85c55a2611dce1d7a48db792c11855f22f30cfebf8718f
Instruction Fuzzy Hash: BD112A35350205DBCB296B68E41897D7BEBFBD8661B144469E80ACF390DF35DC12C791

Function 05A84001 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02142ccf5393548cdb980ef9fb9b63686bb273a45369406bf02844726874ac19
Instruction ID: b9882774e796f0b4ff440b39b874c23ab96df8b49a564662b78835fb5b1a9844
Opcode Fuzzy Hash: 02142ccf5393548cdb980ef9fb9b63686bb273a45369406bf02844726874ac19
Instruction Fuzzy Hash: D111A1717102184FD708EBBC98987AE6AEEFBC9715B14893DE009D3395CE788C0687A4

Function 05A84140 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993690536b8f8417cdf113369ee3cbc321b52bc41c52ccf0fc2ce9b8583e174a
Instruction ID: d35affc5d5250900e6205eed287bf2d245a32dd767e7567cf720d082411687c8
Opcode Fuzzy Hash: 993690536b8f8417cdf113369ee3cbc321b52bc41c52ccf0fc2ce9b8583e174a
Instruction Fuzzy Hash: 16118E35704A069BDB14DB46D844FB6F7E7FBD8719F218134E02987748DB78AC418B44

Function 05A85DF0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1932fc445f45cfc0d9da5be2844a8432a318c15bf91800108e751b99048f19a
Instruction ID: 0a6bd4fc22e913ac88acb1af93b0914e2d86c3d7067f946cbb95adbf91123ef4
Opcode Fuzzy Hash: d1932fc445f45cfc0d9da5be2844a8432a318c15bf91800108e751b99048f19a
Instruction Fuzzy Hash: 5B119134B40208AFCB20DF698805BBABBF6AB8C750F004029E916DB380DA31C901CB90

Function 05A85B61 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1c58bb06c0bd9f4abd9e51e812c987b8e0d55dbcc3673c5c92d3380f7ad046
Instruction ID: 26bba034e05cd070dbf291d31f4cffbf7741d069400f8e9b475eb7ff457027c1
Opcode Fuzzy Hash: 7b1c58bb06c0bd9f4abd9e51e812c987b8e0d55dbcc3673c5c92d3380f7ad046
Instruction Fuzzy Hash: BA215078A42659AFCB04DFA8D594EADBBF2BF49310F144094F802EB361DB34AD41CB50

Function 05A85DE1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae73bd0ed90bd2bb0b8b640517fe20c554b40e0fe566f702504d639159be7c0c
Instruction ID: bf17f311c3efb5b618350646ce96c4f23dd1e24b398c59fa5da2600bdd1e32c2
Opcode Fuzzy Hash: ae73bd0ed90bd2bb0b8b640517fe20c554b40e0fe566f702504d639159be7c0c
Instruction Fuzzy Hash: 2D115E75B50205AFCB21DFA88805BB9BBF2BB8C651F04452AE956DB380DA31C901CB90

Function 055D707C Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c33717925c49e0f19bc5add98ee700b10f5aa7bbfa0512e200a4342a741de3
Instruction ID: 741c2add586416068a86e6826d0696968939a68f00076b8f9dbd05799cd5959d
Opcode Fuzzy Hash: 72c33717925c49e0f19bc5add98ee700b10f5aa7bbfa0512e200a4342a741de3
Instruction Fuzzy Hash: 6E113A31A21229CBEB35DB64CC24BAEF672FB48304F504694C806A7290EF719E44CFA1

Function 05A85A32 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4f9cd5efa3109ea3c1bb284e67a235404603299e9996cda5bec1d9b84f78d2
Instruction ID: 88de5aaa37ef323382944b29bdcb2a89bf6df98edbcee3d73851959aeddd8836
Opcode Fuzzy Hash: ba4f9cd5efa3109ea3c1bb284e67a235404603299e9996cda5bec1d9b84f78d2
Instruction Fuzzy Hash: 3E01B536340204AFDB10CF58ECC5FAABBA9FB88721F10806AFA15CB290CA71D810CB50

Function 0568DAF8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8c9a6c88b0f5013ea17ea5287c9137dee6fb45e94b3ea14abbf39f53664836
Instruction ID: f4d03185561548abe88312689f5ab98db1158a840fca00ef17d3a7b843af0812
Opcode Fuzzy Hash: ab8c9a6c88b0f5013ea17ea5287c9137dee6fb45e94b3ea14abbf39f53664836
Instruction Fuzzy Hash: FE110AB4A1420CDBEB04EF68D0897AD7AF6FB46305F6481B5D40597780DB744A85CB51

Function 05A8E111 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc395570f7bb8f3112202b36fd51066ced1390c4d21da050bd430b152874e230
Instruction ID: 0c7619bcb46d164667bcb38bebea5a387fa260550db44e1ca4d8e826ada292f3
Opcode Fuzzy Hash: cc395570f7bb8f3112202b36fd51066ced1390c4d21da050bd430b152874e230
Instruction Fuzzy Hash: ED012935354201CFDB29AB64D828A7D3BEAFB95765B184469E816CF390DF35EC02C750

Function 05689153 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc50e980a5bf6f9f8e370301fe610f458b9acf2cedd5e0a4973fa88b560e9a85
Instruction ID: f04b4e999c333410be6fef45752ffe6873fbcc6dba91d0dcc90f4a686e644167
Opcode Fuzzy Hash: dc50e980a5bf6f9f8e370301fe610f458b9acf2cedd5e0a4973fa88b560e9a85
Instruction Fuzzy Hash: 5B018435A042089BCB15AF64D45D6BEBFB6EB88711F104129E942A7390CF755E05CB91

Function 0568D88F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d14e3f63c08854967cbd7d0d2463260cd4a41e40e8cf9a192c38a36d045b394
Instruction ID: a8c051e5ecb9093c30bbd4b49171d5d809b9b30fb5b2f627178165ff43021add
Opcode Fuzzy Hash: 0d14e3f63c08854967cbd7d0d2463260cd4a41e40e8cf9a192c38a36d045b394
Instruction Fuzzy Hash: 671145B4A04405CBDB54EF01E649BB533B3F794305F189279D41247AD4CBBC9896CA66

Function 05A8434F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a430245319a441f5eb5148a028e0b21d96ac8dac7d794f6e403880ce2f6eb9c5
Instruction ID: c9161fa910913337ad6ad73de5f1c5b546edfb8539bfd0eeb3169ef27d49e655
Opcode Fuzzy Hash: a430245319a441f5eb5148a028e0b21d96ac8dac7d794f6e403880ce2f6eb9c5
Instruction Fuzzy Hash: 90116638A14106CBEF10EF50E289FB97BB3FB48308F648175D1219A796EB7D4886CA05

Function 07347E08 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9503f6b7404eb02c3bc4c627273a06a8667d10cb5299e301e8254f4e860a41e
Instruction ID: b0428390410e99ff372b6b4815849f71bb0f693a56cb7abd0f0d8b5e6d1a748b
Opcode Fuzzy Hash: b9503f6b7404eb02c3bc4c627273a06a8667d10cb5299e301e8254f4e860a41e
Instruction Fuzzy Hash: BA018B353002059FDB14CB69D88892ABBEAEBCC264B14446AE54ADB361DB31EC018B64

Function 055D5D96 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce5da56c674559523fa93d3e278f6a9215de95d0f5fa4eba85bfd59d5409a1e
Instruction ID: ca44425ea9f694091ae62ca516eff32f8dd3c25bc37bcedf6779a7b485b001f8
Opcode Fuzzy Hash: 2ce5da56c674559523fa93d3e278f6a9215de95d0f5fa4eba85bfd59d5409a1e
Instruction Fuzzy Hash: 0BF044737493460FC725664DE8546B7E7AABBD2220F18427F9009CB656E9268C0282B5

Function 013CD76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1760462407.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db737511fcc95f9694fefe0ff4cb938817616a0f234a685dede47040cd7ced1f
Instruction ID: 9656f65a2a356ad2b9e72801a2654f23290c542b03b4b6c1438ce845e39860b0
Opcode Fuzzy Hash: db737511fcc95f9694fefe0ff4cb938817616a0f234a685dede47040cd7ced1f
Instruction Fuzzy Hash: 06018F31108384AAE7118E69DA84B67BFD8EF41B28F18C47EFD094A686C6799C44C7B1

Function 0566AB26 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc53f7391f459378652c4d79543e3500356bb2f729d89cf4e365d4e03f79227d
Instruction ID: 9a672788de6186b33f2fec34546abdb5061c51c587c12445e0208a89831d79e0
Opcode Fuzzy Hash: cc53f7391f459378652c4d79543e3500356bb2f729d89cf4e365d4e03f79227d
Instruction Fuzzy Hash: 41115734E04219CBDB20DF94D854BADBAB6FB44311F45416AC80ABB794CB396D86CF82

Function 05689160 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c75e1d89868479a5c59a5b0618db5dabaee1aeb71e5f72c295561803115fe9
Instruction ID: ce245c21341437660b0465d88bd2e48c2b1ab3d0926f0c1d756efe9d4c1bea8f
Opcode Fuzzy Hash: 39c75e1d89868479a5c59a5b0618db5dabaee1aeb71e5f72c295561803115fe9
Instruction Fuzzy Hash: E20171316042189BCB29AF64D8196BEBFB6EB88710F104129F902A7390CFB55E05CB91

Function 061291E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861a8bb78f76ae024290b3917327e894d00d8bd9a0f69434a2a1beafbb959ed7
Instruction ID: 083545f3b506ce69edc09ada2109713ef98f9c5df4b5e2091c159ede40c3f101
Opcode Fuzzy Hash: 861a8bb78f76ae024290b3917327e894d00d8bd9a0f69434a2a1beafbb959ed7
Instruction Fuzzy Hash: 5D01D2F0D1412ADFEB84DFBAD94D26DBEF5BB58304F11CCA6D815D2204EB3486618A41

Function 05680249 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4caad0afa2620be0b8ae194bf61bca5da7f737e90867476cef014cfc0884ed7e
Instruction ID: a76c5b70a8ad53c16c85782b3d0e016fb0629dd45021407074694f9b495412e7
Opcode Fuzzy Hash: 4caad0afa2620be0b8ae194bf61bca5da7f737e90867476cef014cfc0884ed7e
Instruction Fuzzy Hash: 5B018F35340B149FC319DB24D418A1EBFA2EF89711F108168E90A8B790DF35ED42CBD1

Function 07346668 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73cf7e625a026bf29dd5ae12005e2f48a866ec9ee6e5abfa044b04e43e458e9
Instruction ID: 10b4da1a997368fff5baf6c81cf65fde9624ac7ab5ea9652393a7a6dd8fe3b1d
Opcode Fuzzy Hash: b73cf7e625a026bf29dd5ae12005e2f48a866ec9ee6e5abfa044b04e43e458e9
Instruction Fuzzy Hash: AB0126327002025FC704AB6AE81546E7BA2FFC4618B84C82CD40697304EF31BC0A87D1

Function 05662A80 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e94b48487606f94c66dc0bdc8c1b5837b720c7f4216dc57e02c800f9c8f641f
Instruction ID: db7ff897f54916aba075af3818f489b718152060dea6d0d3e06fd27c11bfb63f
Opcode Fuzzy Hash: 1e94b48487606f94c66dc0bdc8c1b5837b720c7f4216dc57e02c800f9c8f641f
Instruction Fuzzy Hash: 3E01863EA041108BD721CF66E8146ABBBA6EB84315F09C07AD505E7540DE745801CBD5

Function 05A842BD Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba979017bd1dad1b51686232b06f9449830cfe5ec86dd2fe4539905954c6e96
Instruction ID: 500ed9e8611ec3e0f06ec30080cc9eb58f8243e064a3caebdbafb97e725bc908
Opcode Fuzzy Hash: 5ba979017bd1dad1b51686232b06f9449830cfe5ec86dd2fe4539905954c6e96
Instruction Fuzzy Hash: 3D018C34B085168BEB14EB6A9544F397BE3FBC8219F18D065E609C7AA8EB388C118741

Function 05680258 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9461a291e3dc6bc433629de0b12a3649d05f35c813edebd9b26845cd33512859
Instruction ID: caf27cc6c6ba7368f1ea91d7971d6c5b70b85c12cffdbb0ccc05dfa5a14a9a77
Opcode Fuzzy Hash: 9461a291e3dc6bc433629de0b12a3649d05f35c813edebd9b26845cd33512859
Instruction Fuzzy Hash: 5C018C35340A189FC309EB24D46492EBBA2EBCDB11B108128E90A8B790CF35ED42CBD0

Function 05A8EF71 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ada7f26842ce38613ed936291580e19fa9fb20912bbbca60bf7d90a863df768
Instruction ID: de63d4095b7b383811b4996df6bb109150aa32e7867b2fbe95389bdc040dbe10
Opcode Fuzzy Hash: 8ada7f26842ce38613ed936291580e19fa9fb20912bbbca60bf7d90a863df768
Instruction Fuzzy Hash: 8BF05C2234E3515BC3111A3DAC90B27FDA9EBC2624F14407DFC46C3355C500EC05C7A2

Function 05662A90 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92d3152df465a58686008aaccb14b87b7fff66c53f9af47a49f7477ca1d5f49
Instruction ID: 32073e5b7f24b5546eb185631db2fb777bc1c0476eba5fbb223cf4097cf94f33
Opcode Fuzzy Hash: f92d3152df465a58686008aaccb14b87b7fff66c53f9af47a49f7477ca1d5f49
Instruction Fuzzy Hash: 4DF0443EA0412557C721DE67A81456BB7AAFB84715B058079D505A3540DE745801C7D5

Function 062EEF50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779111337.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192fc18a6fe1302805033932f7445d309cbae37144000ffd1dfd88b19b733c0e
Instruction ID: 770efde00fd0ad7a61938a0e5108865d72c95579bf4668e78926a3b9ac156722
Opcode Fuzzy Hash: 192fc18a6fe1302805033932f7445d309cbae37144000ffd1dfd88b19b733c0e
Instruction Fuzzy Hash: 73011DB0D34209DFFB80DFB5A44965DBEF5AB49304F6184B6DC85D6200EBB98A809B45

Function 05A84EC8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78225b06a6b35a273cfa3531aa53e829c259de03b23fc932235625f2d5fb5934
Instruction ID: 6d90cceb1d42923c3c11ce42348f2128c85636e9777b156edc151356d90944ac
Opcode Fuzzy Hash: 78225b06a6b35a273cfa3531aa53e829c259de03b23fc932235625f2d5fb5934
Instruction Fuzzy Hash: 62F02B62B4D3818FD72257385820B75AFB1DBDA608F0440DBD0818F2E5DA569803C340

Function 05A84E6A Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0636f7341c4314f3029bbfff2d554b79ffb5aedaf3563fa93c740d1ee883e6bc
Instruction ID: 1d385ccfee0da1905333f825097c8e4a044a4786dee1d522ac4f9b5cd9636430
Opcode Fuzzy Hash: 0636f7341c4314f3029bbfff2d554b79ffb5aedaf3563fa93c740d1ee883e6bc
Instruction Fuzzy Hash: 59F02432B086126FE7149A189800F6AFBB9EBCC710F04442AE505AB394CA66FC418784

Function 05A8FB88 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0050f1d305432ac1014e077a1fbd09caa91e49856489ff9653959acf98bac2
Instruction ID: f6b0a8c8404e59ef5e4cd0b0e35ed794ce1f90e323eb3a8a556897af02601357
Opcode Fuzzy Hash: 7d0050f1d305432ac1014e077a1fbd09caa91e49856489ff9653959acf98bac2
Instruction Fuzzy Hash: 7EF02B36B100055BDB14AB28D84897DB3AAEF88220F084036E91AD7360DA709D168790

Function 013CD76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1760462407.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_13cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9546ccfedb99ec2f0703d0aa1c338a04e1c0a04d4bd21e438259b70b9085af2
Instruction ID: 62b4b2a764789caac513266a74a1ab433f8725a691ae06819d0f3a3f339b189e
Opcode Fuzzy Hash: e9546ccfedb99ec2f0703d0aa1c338a04e1c0a04d4bd21e438259b70b9085af2
Instruction Fuzzy Hash: C8F06271408384AEE7118E1AD984B66FFA8EB41728F18C46AFD484A286C2799C44CBB1

Function 056695A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4a5e8dae0d4cfb11ef62e8daf38500e4ff0ab3e8c23553b8f2d2142f78be8d
Instruction ID: ee82d393b5b69d108bb9cadc1913e2e2f3bc5d097104c784043611503db836e4
Opcode Fuzzy Hash: 6a4a5e8dae0d4cfb11ef62e8daf38500e4ff0ab3e8c23553b8f2d2142f78be8d
Instruction Fuzzy Hash: 97F0E5627002182BD308267E5C55B2BA98FFBD5B94F14883EE149CB395CC61CC4603E5

Function 0566E15F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcb46d55f3109564fd68264e70b49c2e0cd6661bdbe39f70548514a6d65a924
Instruction ID: c653b8158b31c4c2f144047d30176de998ebed959e6733e95785021ed6ac45a9
Opcode Fuzzy Hash: 5dcb46d55f3109564fd68264e70b49c2e0cd6661bdbe39f70548514a6d65a924
Instruction Fuzzy Hash: 78F0B43DA012149FC7348B54E514F63B7AEE781B64F068075D805DF745CB6AEC42DB91

Function 0568D951 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c15648519ce0a0ddfd70ca500ad5c7acebd4e08d29138b3bd103c78d5e9b56
Instruction ID: a370083ee3929a1bc20a847be5481496356abb81293140d28f20f4f578b0ce1c
Opcode Fuzzy Hash: 55c15648519ce0a0ddfd70ca500ad5c7acebd4e08d29138b3bd103c78d5e9b56
Instruction Fuzzy Hash: 4BF0ECA310C3C08FCB07A7789824A747F30DE6765974901C7E05ACF2B7E60AE906C762

Function 05A84A3A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d71f309a620b08e6f20a6e9e2b309dbe4a9d56cd10dd68a034e3b7add9fd06
Instruction ID: 620cf32ecb76d0e87a7ff9eb3b819e4de72a42573ba1cbc192fa6f3fe91f4de1
Opcode Fuzzy Hash: 52d71f309a620b08e6f20a6e9e2b309dbe4a9d56cd10dd68a034e3b7add9fd06
Instruction Fuzzy Hash: 6DF082353A02168FDB149764F81E7BDBB6BEBC8321F108035F416C6685CEB488028791

Function 0612E9D0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237a1e08345bb9d80dbd2ecded526920fa89a808e73bf31d3d90427761bd448c
Instruction ID: 0c8982a52adcc7b07b12491262fc476fa969d57e4d2f021461747749e4279eaa
Opcode Fuzzy Hash: 237a1e08345bb9d80dbd2ecded526920fa89a808e73bf31d3d90427761bd448c
Instruction Fuzzy Hash: 38F0AE33E041399BDBD4DA66A40565EBBADEB88721F09C07BF90DD3100DB3448208FD1

Function 0566BF71 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b2bda4af0a496f12a2548f9cd57e950db6f59604662928926ecc12de7689a3
Instruction ID: a4a05205c8715711238395d488ac33d7501db6daf0304a4b42a12653a9e6a327
Opcode Fuzzy Hash: 81b2bda4af0a496f12a2548f9cd57e950db6f59604662928926ecc12de7689a3
Instruction Fuzzy Hash: FFF02B729082458FC741DBB4CD422487F70DF57210B9885EAC444DB3F1E936D901CB02

Function 0568A9E0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e878294097966b33f64c4789ac52715ac9454d14ac8c90b95717ad61dcd0155
Instruction ID: a0a5416f1eba111b04b734234d7559d6a7992b05c6787dcfc09ba7739528a44c
Opcode Fuzzy Hash: 9e878294097966b33f64c4789ac52715ac9454d14ac8c90b95717ad61dcd0155
Instruction Fuzzy Hash: 7CF0A03544DBC45FC7636BB8EC584A4BFB8AE0322030B42DBE4C8DB9A7D954B805C752

Function 056695B0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25521a1a3a4c7ac8656ec900ffa0f3da978affe503c58771d7659fff7c4d10e5
Instruction ID: 99b514acdf43ddc7330c1998686658a825267ce39cff2592acdff35fbaf386da
Opcode Fuzzy Hash: 25521a1a3a4c7ac8656ec900ffa0f3da978affe503c58771d7659fff7c4d10e5
Instruction Fuzzy Hash: 78E012217002185BD308267E5C54B6BA98FFBC5B94F14843EA509DB795CC628C4503E5

Function 05A894E1 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3e95d277e415075e2556a8af547c9da1012e77fc4370664779dd6a24192c47
Instruction ID: f30d87fae74f1666da169ace9d14da3cc7c84cea4ad43ccb0d9b3b363c869f0b
Opcode Fuzzy Hash: ec3e95d277e415075e2556a8af547c9da1012e77fc4370664779dd6a24192c47
Instruction Fuzzy Hash: AAF03A329412199BDB18EF95C99AAEFBBB6AB89310F204429D401B7340DA755908CAA5

Function 05A8EFE0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b41ae1bcbf3494c3a00cc14a92fe24774c812612ce31f9c69c9c06ebd75d58
Instruction ID: 4ac9a0a476bf9f5dfa230b79ff49c424e00ba13d35b1e04113ba6731d035d18f
Opcode Fuzzy Hash: 08b41ae1bcbf3494c3a00cc14a92fe24774c812612ce31f9c69c9c06ebd75d58
Instruction Fuzzy Hash: 3AE065322413055FC7109A2AED85A4BFB9ADBD1325F14D535E01A87335DE70DD4A8790

Function 05A87A40 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f356982e5321cf6988cfb925bd5dc21a966ae913ee76d52b3a83263d482fcc
Instruction ID: a2bb5d177bc7c44ba55710ff676b1abff68d30b1c3437d20d74033f0d1609529
Opcode Fuzzy Hash: f4f356982e5321cf6988cfb925bd5dc21a966ae913ee76d52b3a83263d482fcc
Instruction Fuzzy Hash: 33F08271A04319AFDB59DF64D48D7DDFFB6EB44660F188099E44AD3380DB745680C784

Function 056668AF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cef2ed9c3a38c7c96ca6169fb586d698ad0ff584a487b7302e144c0b548cdb9
Instruction ID: 41c845048bd1fc8f57b7f3661f055d976caac81e324458c71a4e9a98a3a4b30f
Opcode Fuzzy Hash: 8cef2ed9c3a38c7c96ca6169fb586d698ad0ff584a487b7302e144c0b548cdb9
Instruction Fuzzy Hash: 76E02B33601528D7D3615B76F954756FB58BFC5621F10113EE90E83200CF21CC86C6D5

Function 056885C0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1579c5ec3614f3227630300417e7c9969b3c1d6a39663a986e7e769c04e890e4
Instruction ID: 785c1258dd6c9efa08411b20f190f5c4f7367334eba38e5f3ac7023dde6ac16c
Opcode Fuzzy Hash: 1579c5ec3614f3227630300417e7c9969b3c1d6a39663a986e7e769c04e890e4
Instruction Fuzzy Hash: 25F06D2120E3C04FE71397B45866495BFB4D96355038E80EBD0C9CF1A3D509E94BD323

Function 0568B288 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f4508286bcd3ecf5d7995bbcd6329dd367c7ffbedc0d7e44262355e4884420
Instruction ID: ca2f3700900aa33e37ba4647bcdc645fb95c591f4dd9afa2e98f4906b07816fb
Opcode Fuzzy Hash: 26f4508286bcd3ecf5d7995bbcd6329dd367c7ffbedc0d7e44262355e4884420
Instruction Fuzzy Hash: 4CF0E53500C3C49FCB231FB0B836DE97F256F1325474A41D6EC4C1AA23C126C9A0EB92

Function 055D6429 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcaa0690008954c6712f7453e8df80c33ed81adc75287cd887fcdda24fec560c
Instruction ID: 7a0f0df6b43b3998e3fc1156943caed94b22bc573222d6c5764ab0acd7b1379d
Opcode Fuzzy Hash: fcaa0690008954c6712f7453e8df80c33ed81adc75287cd887fcdda24fec560c
Instruction Fuzzy Hash: D3F01236E11626CBCB35CA28D454679B733FF80359F9084B9D90696208DF35CD82CBA1

Function 0568C701 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86537bd97d0262a05af64a2d1d381c8096af951f26d520ca7ea501dea47b495b
Instruction ID: 93bcd95ebebb079dc392c54fd33c0843d5bcb3e90db50e5601771a662edfa10f
Opcode Fuzzy Hash: 86537bd97d0262a05af64a2d1d381c8096af951f26d520ca7ea501dea47b495b
Instruction Fuzzy Hash: B3E0486150DEC59FF31266184C549303F64AB9664476611D3F0418F667F7459C45E731

Function 056879A1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453c3f417a0590dcac8cdd83b1d78bff9e0f2cc5c8b05033cfa97a795aab8b90
Instruction ID: c2ceb4336917d45878178692a41eab49104842ad5564c80941e48356e14a17be
Opcode Fuzzy Hash: 453c3f417a0590dcac8cdd83b1d78bff9e0f2cc5c8b05033cfa97a795aab8b90
Instruction Fuzzy Hash: 24E0223250C0048FC701EB94D8919987B75DFC220432481EBE41A8B362DA33DD02CB92

Function 062E6DAD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779111337.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2650fec3503e7965e721258c642f499ca617f91281bc4a5db97f3cd8792cf48e
Instruction ID: 8f04d036881b74bdefb851fbaba9f5a3980b951906d08fc3986e4ce0c25d1c6e
Opcode Fuzzy Hash: 2650fec3503e7965e721258c642f499ca617f91281bc4a5db97f3cd8792cf48e
Instruction Fuzzy Hash: 19F0C4B4E112298FEB65DF18E954B9DBBB6FB49301F4040BAD849A3341DB709E82CF41

Function 05A87A50 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2913a181b81ca6aa5482611b141544df84951ee6358a160d232a591d1202c3bd
Instruction ID: 9faea274a7117d147958f0b2981cc478353c09869d96c3c5a561476be92bea6a
Opcode Fuzzy Hash: 2913a181b81ca6aa5482611b141544df84951ee6358a160d232a591d1202c3bd
Instruction Fuzzy Hash: 24F06531A04719AFDB09DF94D04D6EDFFF6EB44665F148099E00A97250DB705A81C784

Function 056668C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1b436c236e792b43a0d03ad5687d31e4f5e89b9f336102126c027bbd3f62a9
Instruction ID: c0d96d2834aecc170e3b860301cd4909f19b39e7fd1b5a817654546eec5dfa99
Opcode Fuzzy Hash: bc1b436c236e792b43a0d03ad5687d31e4f5e89b9f336102126c027bbd3f62a9
Instruction Fuzzy Hash: 76E02632A042349BD3200A76F44845BFB59BFC5660B10123EE80F83200CA218C02C1E5

Function 05A82280 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0daefa97ae32a802be423a7abfb3744bee7bf6e385a3a9fa445a02fbbe59f7
Instruction ID: 3b55375ef0b79a358933640a8bd6443e14d22f5c03f4562496d4972c2cf9b831
Opcode Fuzzy Hash: ac0daefa97ae32a802be423a7abfb3744bee7bf6e385a3a9fa445a02fbbe59f7
Instruction Fuzzy Hash: 32F03939B401188FC758EB38D068B2D37E3BB8D304B5544A8E40BEB390DE389C46CB02

Function 05A8EFF0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d331e20507766feb9472b646d4fdea42b61ab555b15cc5cba1801610ecd6d1db
Instruction ID: d17df8f102125ef2c364a8a133a3c91b7401ce4bc8621c3732856aec623b4493
Opcode Fuzzy Hash: d331e20507766feb9472b646d4fdea42b61ab555b15cc5cba1801610ecd6d1db
Instruction Fuzzy Hash: C7E012313417095FC7109A2AE984C4BFF9ADEC13647109639A11A87225DE70ED898794

Function 05C73DCD Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1776278634.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c49d2c7bc34657f1c329acd555c6f963d4097dcc85f322ef8f5764c33e6b2b
Instruction ID: 5174027fb305de52251ca18081d950dd6d9f53d652b61448d62c39ea74d0afb5
Opcode Fuzzy Hash: c6c49d2c7bc34657f1c329acd555c6f963d4097dcc85f322ef8f5764c33e6b2b
Instruction Fuzzy Hash: 16F0F835E112298FEB208F75D844BAABAB5BB44325F0044B9D84DA3382DA389E46CF41

Function 062E773B Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779111337.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97056bf5f3d240b698e493d433d485a49ff2392865e083b446a2d4b5220fc32d
Instruction ID: 99c1cec0047c51b1772726e409bf5b6aeb1e5f25217463baaf7c01a9979d08dc
Opcode Fuzzy Hash: 97056bf5f3d240b698e493d433d485a49ff2392865e083b446a2d4b5220fc32d
Instruction Fuzzy Hash: 31F09774A1036C8FCB54DF14D984B89BBB2FB4A305F1080E9D909A3B51DB349D81CF41

Function 05A844F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5309d4f32e57739e8e65df63f28f7122b28909f13469a573d641440377ed965
Instruction ID: c9788d5ea9e0ea22b4c6c66680c7a67c29afe40c172b9ea3be351aad37b2ce94
Opcode Fuzzy Hash: b5309d4f32e57739e8e65df63f28f7122b28909f13469a573d641440377ed965
Instruction Fuzzy Hash: FFE0867195010DEFCB00DFA8E94575DB7B5EB45324F5041B9D809D3304DA35EE05D751

Function 05A89430 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415f317dd868013a7f7085940b70f93f2ac2dac889a2fe933bbb655f2be27767
Instruction ID: df39f127e124de0f168d97b76a70cb03794eca2181422de86330577405d440fe
Opcode Fuzzy Hash: 415f317dd868013a7f7085940b70f93f2ac2dac889a2fe933bbb655f2be27767
Instruction Fuzzy Hash: 35E086B2B443056BEB117A609D45FB63351FB50751F594CA9D6195F380D571D4028350

Function 05A8030D Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9c786a518692a2797f2419bed1b68ce871c22b2f555b6cff321d0e92d51a0e
Instruction ID: 4ac28a52d9f96e6ea604b50c93bd4c8653d63d0fc4421034b178cc733823ec1c
Opcode Fuzzy Hash: 9c9c786a518692a2797f2419bed1b68ce871c22b2f555b6cff321d0e92d51a0e
Instruction Fuzzy Hash: 3CE02278E1421ACFCB24FF10E01CA397773FB80302B10C878D02217200DF78880E4A42

Function 05A84948 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ede92a4b06ea586387189dd6a7441fb510e31104f8a410b38a01c1b50e792e
Instruction ID: 1fdf920a1ec8c5be6bd1548d2251b2b81de396abc340a9103f5ded2321503116
Opcode Fuzzy Hash: 15ede92a4b06ea586387189dd6a7441fb510e31104f8a410b38a01c1b50e792e
Instruction Fuzzy Hash: 55E04F31A4020CEBDB40DFB8D986B9DB7B9EB84724F9085689804D7280EA759E0497C1

Function 055D64D1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf219fdfd36f8b4b8b9f1d8e9f7ea1c93b192dea97388c0c695c2cfc66406d2
Instruction ID: c8f5d51a4130554d93dbfa935497045ed88d710660666eb8755cace9b6c13a99
Opcode Fuzzy Hash: 2bf219fdfd36f8b4b8b9f1d8e9f7ea1c93b192dea97388c0c695c2cfc66406d2
Instruction Fuzzy Hash: C9E04836D11626CBCB35CA68D4042B9B733FF80355F9045A5D50656204DF31C982CBA1

Function 05667480 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29aab41ba89fb82033f9f2481eaa91f3c17003a91f6cdfe8fa27603e529d9c28
Instruction ID: e14e64802e5061ae97b613b4b1b6e07d572a34d609645fa563496f25ec037eb1
Opcode Fuzzy Hash: 29aab41ba89fb82033f9f2481eaa91f3c17003a91f6cdfe8fa27603e529d9c28
Instruction Fuzzy Hash: 87D05B3294010CABC701EFE0DD466DD77B9DB46251FD046A5D545E7210ED7ACB009B92

Function 0568D918 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844480013ceccb64a409d63960cad58c2eb0b05500a4f49f98eb53bd7a71a7ea
Instruction ID: 08867a3688e4a94be003858f2803a5c4fe64b572f6f58e1cd714886b8076847a
Opcode Fuzzy Hash: 844480013ceccb64a409d63960cad58c2eb0b05500a4f49f98eb53bd7a71a7ea
Instruction Fuzzy Hash: F6D0A7733102241BC7046A2CD801FD6739CDB59B18F1000A5F518C73A1C9D2ED0286D9

Function 05A89440 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01065a285161bae5e26b85c00a42ec9ebdf027228bf3819c679903b517fe994
Instruction ID: 48d28a2c1ed897082285f939e363e815b51846d7dc714070b1e46fe71281f1a1
Opcode Fuzzy Hash: f01065a285161bae5e26b85c00a42ec9ebdf027228bf3819c679903b517fe994
Instruction Fuzzy Hash: B9D02B3034430CBFDB207A604C40FB6339DAB01BA1F540865DB065F380C972E801C360

Function 0566DE40 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d6b875fac1c6f2e3ea8760074169ecf33c566e84706e5782f40390f96aa5ef
Instruction ID: 5e9fb820f526f114742bbf84d87849bd7c4c00d91578fdff9cf9269d65b8a713
Opcode Fuzzy Hash: e3d6b875fac1c6f2e3ea8760074169ecf33c566e84706e5782f40390f96aa5ef
Instruction Fuzzy Hash: 26D01732A1520DABCB20DEB199014AAB7ACEB05105B1005E9AD0DD3600EE32DA11D791

Function 05689120 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145223ce8e5ca4c350545fd2eeb490047bc1dbbec22e3009ebbae66e2c9b6f89
Instruction ID: 8efbb99422aeb2de98fd0b230dc559683a71ec279c97710f3350925ff29c4b2e
Opcode Fuzzy Hash: 145223ce8e5ca4c350545fd2eeb490047bc1dbbec22e3009ebbae66e2c9b6f89
Instruction Fuzzy Hash: FBD0C229A0E7801AD303162474146B26F329B93610B455096D8C14E15ACB543C92E750

Function 0568AA60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a841cdb26af24a99a17e26f8de7fe4db6de59e8f0e2696634bd5b4ac95e6e519
Instruction ID: 75760a2722668f4414d119fc1cb5a33f177c36a772ae5e27a8c0bec8e75c1f53
Opcode Fuzzy Hash: a841cdb26af24a99a17e26f8de7fe4db6de59e8f0e2696634bd5b4ac95e6e519
Instruction Fuzzy Hash: A8D05E712087446FD342D6A8C951866BFB99B9A62030481DBE948C7B67ED62FD02C654

Function 056635D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ad4727698910529a4eda5f8b1325a24e10b6dd2989f62c5df2ffbb888eab27
Instruction ID: d6e1b89e9bff91abe50a3937ec2c4465db1a891c2776c1ecf903767e7f599641
Opcode Fuzzy Hash: 37ad4727698910529a4eda5f8b1325a24e10b6dd2989f62c5df2ffbb888eab27
Instruction Fuzzy Hash: E5D0C77A3106086FD344C589DC87FF3B799DB84550F54C069B809D7751E521FD42C595

Function 0566BEF0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027317f82714d64d5ed0931e1d19ae3394379d07992aa3e457c30c8c6d22e910
Instruction ID: 2e68be39da66e9b78b4ac60fd02b66eb15a80158dcb131adf77789b64cfd2492
Opcode Fuzzy Hash: 027317f82714d64d5ed0931e1d19ae3394379d07992aa3e457c30c8c6d22e910
Instruction Fuzzy Hash: ABD0A73625491813C6006988F8053DA729DE745639F148026E509D3B84CDAC5C4646D6

Function 05A8204D Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa328d65c95b934a336c6c8a8bf666dc2326c7146c77de4d4667bb6ec74718a
Instruction ID: 028a5f4126519aba35db863302d1543b3ead31d51358c4c36314643fe408c44b
Opcode Fuzzy Hash: 9fa328d65c95b934a336c6c8a8bf666dc2326c7146c77de4d4667bb6ec74718a
Instruction Fuzzy Hash: 3BE0867540D550DBD7459B5488586E4B371FF01212F4808B58D5A8B00BC768940A8A61

Function 05A84958 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a642d308d15840a02072c64f296ce034a6177110f9e87cc546160bcf849b617
Instruction ID: d7dfa6517a310faa7f24d87f4641fc81bf28a5854720faf1f1dad0dd84b82221
Opcode Fuzzy Hash: 8a642d308d15840a02072c64f296ce034a6177110f9e87cc546160bcf849b617
Instruction Fuzzy Hash: 4BE01230A4030CEFCB44DFB8E945A6DB7B9EB84314F5085A8D9059B240EA71AE409791

Function 05664260 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1677c59a85cab2dd02b83f922a173dd83632b8e1e848f5db74081ab784ba3bc
Instruction ID: f0877674c3981e867318b717eda975f204a6bf15904d22903be6f316636810dd
Opcode Fuzzy Hash: f1677c59a85cab2dd02b83f922a173dd83632b8e1e848f5db74081ab784ba3bc
Instruction Fuzzy Hash: 89E04F74E20219CFEB209F24D0947AD7A62FB45319F1044B5D94AA3345CB385C428B82

Function 05687B2B Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7109996360f16344b32b295c2fa135aa2ce6c914df1f0dbae7025c29d3d4778
Instruction ID: da1eadbbb1180c5f973457b88275b810d812963b1b12dfaa1c6683265a3b8ca1
Opcode Fuzzy Hash: f7109996360f16344b32b295c2fa135aa2ce6c914df1f0dbae7025c29d3d4778
Instruction Fuzzy Hash: 8FE0C2302801148BD620BF24DA547792697E750300F24113191053F6A4DFEE8CC18782

Function 0568A230 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55fd8b6654243bce521ef4eb81acdbab103b15c8d52f787686493624daae0aad
Instruction ID: 95698a7aae8623dd5d27f0a5aeaa1291559ac8822c033dc0de2e6add66b7ad78
Opcode Fuzzy Hash: 55fd8b6654243bce521ef4eb81acdbab103b15c8d52f787686493624daae0aad
Instruction Fuzzy Hash: 2FD05E3210D6905FC71796E08CA4850BFA8AA5711430EC0DBE848DB263C622B842C791

Function 05A84508 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506b09dffc1b7ca9244bb9499aa3fb583719cbc28d6714f91296dcc188b9bd4e
Instruction ID: d7a757d1531c0e6121e8eaca35d023fa609886227df06207ff559ecde35d74ad
Opcode Fuzzy Hash: 506b09dffc1b7ca9244bb9499aa3fb583719cbc28d6714f91296dcc188b9bd4e
Instruction Fuzzy Hash: 91E01770A5020DEFCB00DFA8E94569DBBB9EB45314F1081A9D809E7304EA75AE049B92

Function 05A8079C Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ce1d50973e383f8afea228972886fc4d4d6d4d97853a5d8f98baef62d4c76b
Instruction ID: 47e9e831c95d4560282c485fc02b2c172d40e9fa543c5a7ac8980fe50230d0a7
Opcode Fuzzy Hash: f5ce1d50973e383f8afea228972886fc4d4d6d4d97853a5d8f98baef62d4c76b
Instruction Fuzzy Hash: 1DE04F39C25A55CBDB20EB10E81CBBCB732FB00301F0585B4A56663280DB745C8ACB41

Function 05662B78 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2edccccb4b726fa094d5bf78b988c0890e85af6f40772a568390b1e41fac180d
Instruction ID: fb5502c4d9c41116a37ae7be85e3aba4d88f29806a39c0a2ac094d279aed66f1
Opcode Fuzzy Hash: 2edccccb4b726fa094d5bf78b988c0890e85af6f40772a568390b1e41fac180d
Instruction Fuzzy Hash: 9CD0C7762505045FD344C548E896BE2B3A5DB98520F24C429E818C7741F921EC438695

Function 0734EE80 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687f1d2b04868b3c3023e6ccaf096c283361f545141219a63591822ec3d9ed29
Instruction ID: 93c1377ed9cd3b5d44dfa17602fe4c23d2f28446eef02bfd733099c608da7e4a
Opcode Fuzzy Hash: 687f1d2b04868b3c3023e6ccaf096c283361f545141219a63591822ec3d9ed29
Instruction Fuzzy Hash: EED0A73630011C178604254EB40889FB69FDBF9631741C036AA0893340CD614C1283A4

Function 0568B311 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118a143afc04fde7cce2d298f2bbb0d1a2f8821527f4deed65165750bc5a6502
Instruction ID: f81648011db5457fb2eea3be2575314745a13362e6ffb7c350af47eeee3a57cf
Opcode Fuzzy Hash: 118a143afc04fde7cce2d298f2bbb0d1a2f8821527f4deed65165750bc5a6502
Instruction Fuzzy Hash: 07D017752083845FD302DB68DC51A11BFA48F9710470DC0EAA548CB2A3D926FC02C758

Function 05A840E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4548a977336b2e277a9e54ad5b9e9ecdd69fb4d8f8631f3652ae4b319a9282cd
Instruction ID: 4865755310fdb8410634e0ad660befe9b08a48650a43d4a5599b17b9f0ea60de
Opcode Fuzzy Hash: 4548a977336b2e277a9e54ad5b9e9ecdd69fb4d8f8631f3652ae4b319a9282cd
Instruction Fuzzy Hash: 3DD05E36288344AFC3038AA1CC02F40BF38AF16740F1A00D2F6408F2F2C261E950CB96

Function 05A8BC60 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1d7331de5c477ee8172a68011cecd0fceffe555b51c5b0554435d38cb5165d
Instruction ID: a1d34b52dd0b21dddb08b16822e8d9e5fed39d1f2763e9a4e7af20302682d68a
Opcode Fuzzy Hash: ce1d7331de5c477ee8172a68011cecd0fceffe555b51c5b0554435d38cb5165d
Instruction Fuzzy Hash: 36D0A73254132467CA3159545C01F527B1CDB01BE0F000061FF043F28081B17C0082D4

Function 05669F11 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b899ec4d5492b0d8de20a262308a640def1a21c027ec5db9310c5224af81aae
Instruction ID: 0d84cd1d4d2e0bc2985a26ed964261ae32df36aa9803fb3791605502320c2149
Opcode Fuzzy Hash: 6b899ec4d5492b0d8de20a262308a640def1a21c027ec5db9310c5224af81aae
Instruction Fuzzy Hash: 87D05E752487891FD301CB9CCC52A61BBB5AFC6608B18C0FAA849C7753D936E802C758

Function 05669219 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d97d673506e7bac42b5729a91bcd6232bf9e84b70b8803eb3424ab4a0f66776
Instruction ID: 344373d25ccfc74d117974fad2c26574c55bb41aa785b24dcee7ddc64f176b4c
Opcode Fuzzy Hash: 5d97d673506e7bac42b5729a91bcd6232bf9e84b70b8803eb3424ab4a0f66776
Instruction Fuzzy Hash: 02D0A73160C2144FCB061B9C70840E93BA5EF89725F1845EBE209C3682C6101C0543C7

Function 0568B550 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf58439db2a0012075271908b75566d440ee0a9ec058486059669228b9c4f1b5
Instruction ID: 106cf4c5a748ad84d73f69a25d2e8eff9733e2feddce012eebb6ba72554b68f0
Opcode Fuzzy Hash: cf58439db2a0012075271908b75566d440ee0a9ec058486059669228b9c4f1b5
Instruction Fuzzy Hash: C4D0A9735942089FCB04CF98C58339237E0EF06304B0000A2E408CB335D22AE8118A02

Function 0568B5E0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8bd37723aac68cabd1baa0a43858368559d563b710dafd418587676eac6376
Instruction ID: 15d4ee0911d8738cdf94230fac3eb53b262254a3a64c013e0dd7afbf47a841df
Opcode Fuzzy Hash: ed8bd37723aac68cabd1baa0a43858368559d563b710dafd418587676eac6376
Instruction Fuzzy Hash: 1BD0227100D3442FCB0396A0EC80425BF74898320434880EBE80CCB323E62AEC07C781

Function 0612C118 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0abd373791ff03b64aa66f7734b71a8bc90a62aa640b5e99fb9f0db7f91490
Instruction ID: ee52f2d260ab120decafa7afcbe829a62ce9f17370759fec6f9075da51c171c0
Opcode Fuzzy Hash: 9b0abd373791ff03b64aa66f7734b71a8bc90a62aa640b5e99fb9f0db7f91490
Instruction Fuzzy Hash: 32D09E7194110CEBCF40DFB4D90545E7BF9DB49201B1045E5A509D7210EE369E106B95

Function 0612D0E8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8314ee25367573b6087d51168e039a7e337019ba904b9ea9fd78f07ab193923c
Instruction ID: 2dc52bf514bbe1ea6e64661c8f9245e2910892675215694a9cd4e84622c01a8c
Opcode Fuzzy Hash: 8314ee25367573b6087d51168e039a7e337019ba904b9ea9fd78f07ab193923c
Instruction Fuzzy Hash: 88D0A97184120CEBCB80EFF0DE0088EBBF9DF89200B1005E6C508E7210EE328E206BC1

Function 05667490 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a92a58568f790bf75b013430cb774510eac47acf94a5b2c8e97805fd440880
Instruction ID: 43ef3c582189c0f730fd06565a56d4e77ac19aaec5bbe7034855255b81778915
Opcode Fuzzy Hash: c8a92a58568f790bf75b013430cb774510eac47acf94a5b2c8e97805fd440880
Instruction Fuzzy Hash: 7FD0C971D4120CAB8B00EFF49D4149EBBFADF86250BD046E69645AB210ED769A10AB92

Function 0566BFE0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea47f5b885f53d62cf99ba647ac5a9fcb8026410e761d9ee12eeb4e9ead9af2
Instruction ID: 166ea2e0e5cc79863c1f59ca959712850283295beb78191edab042db72d5f942
Opcode Fuzzy Hash: 0ea47f5b885f53d62cf99ba647ac5a9fcb8026410e761d9ee12eeb4e9ead9af2
Instruction Fuzzy Hash: F7D0C77194110CAB8B00EFF4994145D7BFADF462507D045E5D50597210ED369A109F92

Function 05666888 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4082f46db0fc5dd8f6a7ee221ab5a87ad3be50f6b1840bc707d63a237ba2a33
Instruction ID: 92179007d40c56425236c6ece6c6f0d8c63f20cf57dac08b51881063bb689dfd
Opcode Fuzzy Hash: c4082f46db0fc5dd8f6a7ee221ab5a87ad3be50f6b1840bc707d63a237ba2a33
Instruction Fuzzy Hash: 9DD0C9B66002085BD304D948CC52B92B7A9EBA8614F18C029A908CB342EA36ED43D990

Function 0566B328 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7697b5711ff3b5b7d98abb4e815b15781d1bfaec15eae850f7767d72c10155a8
Instruction ID: 8390ccef29d61ba01cb227d644321e63fdd7baa9075ef25e5977f96b1353c581
Opcode Fuzzy Hash: 7697b5711ff3b5b7d98abb4e815b15781d1bfaec15eae850f7767d72c10155a8
Instruction Fuzzy Hash: 19D05236289344AFC7119A65DC16F127F24AB12B05F890086F6009F2F3C6A2E828CB55

Function 05661380 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38719780f2ddf40a578c6c9322dfe0168e987f938e110610e9c86298ff1fabc
Instruction ID: 6d665195b5b5130c55e6c41406f25d8e957aa86a465eb94b9b0e6f40fbbb20e9
Opcode Fuzzy Hash: f38719780f2ddf40a578c6c9322dfe0168e987f938e110610e9c86298ff1fabc
Instruction Fuzzy Hash: E4C08C3B0411080BC100C5C4EC63700F398D740A38F288456A40CC3721C55BFE438840

Function 0734B1D0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01121f2c778aaa955698064ff843d2996bee34fc2f5530b77e7ea5e79a423cb0
Instruction ID: 1b0a6f6d896694a697788613f5e5355b62e48349d74697ae87246d03dd23ea49
Opcode Fuzzy Hash: 01121f2c778aaa955698064ff843d2996bee34fc2f5530b77e7ea5e79a423cb0
Instruction Fuzzy Hash: 05D0C936200118BF9B04DE88DC41CAABB6EEB89660714C05FFD1887311CAB3ED22DBD0

Function 0568C720 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98da95009d6c5bdb9a49f70f117297e6a2d683fb83ecbeb2cb8e28128d86adcb
Instruction ID: a6c0e930eff319e150ac04982cb3b994a7d6ab5187bfc01d3b5a7c2095b1b018
Opcode Fuzzy Hash: 98da95009d6c5bdb9a49f70f117297e6a2d683fb83ecbeb2cb8e28128d86adcb
Instruction Fuzzy Hash: A4D012B21587449FCB035719D8548603FB8AE1F61434910D2E444CB633D2A1FD149621

Function 0568A6D1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c3946e2b3a0ab26621d188a4329b9158542b1f4b0ec94ee26a091b656b59a4
Instruction ID: 9f12aa95164bea19bab8a9315ed267d8fa8922f46151ef02d2266fcfa3d0a2c8
Opcode Fuzzy Hash: 82c3946e2b3a0ab26621d188a4329b9158542b1f4b0ec94ee26a091b656b59a4
Instruction Fuzzy Hash: 5DD012325041149FC705CAA5DD45F55F795EB80718F19C079E41CC7201CB36F803CAC1

Function 062E817D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779111337.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf300ee7f72332eb01ab944e6d89c7a5cf028eed90835a6126ed81cab1d5610
Instruction ID: 8bb8d3a420eeaf6dcf075bbab8fb1333ec789f98085b6a4306b77f15fb316ea3
Opcode Fuzzy Hash: caf300ee7f72332eb01ab944e6d89c7a5cf028eed90835a6126ed81cab1d5610
Instruction Fuzzy Hash: 1DE05AB8A102298FCB64CF18D884E99BBB1BF89210F1101E4E90AA7361C770AE80CE51

Function 0612FCC8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0

Function 05C7530C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1776278634.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5e7ed5e47be4ae2bd6900784862bfad573ccf07fe09c281cbedd9d46068a41
Instruction ID: 5b72fcc57260505dd35cfa5efe15d599bfe06d1a5b36f2da0f5de3fac07fcbc5
Opcode Fuzzy Hash: 2e5e7ed5e47be4ae2bd6900784862bfad573ccf07fe09c281cbedd9d46068a41
Instruction Fuzzy Hash: 82D022BBE01A098BCB00DB64E04A29A3BF1E74AB31F1058209806E7B01DDAC5C808F92

Function 055D6577 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772371085.00000000055D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_55d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb066c62563671e00040ebbfba8c92e412a0db4f77f2771e285d3727840fa3cc
Instruction ID: 1e51a7340d4055ff2b6a9221cfe40ba4b2edb89c7bab3417d54ba018b2a0ebd1
Opcode Fuzzy Hash: fb066c62563671e00040ebbfba8c92e412a0db4f77f2771e285d3727840fa3cc
Instruction Fuzzy Hash: 36D0C737911525CBCF31CA58E0153FDB772FF803A5F8005A5D50566104DB319AD5CBD2

Function 0566D580 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dcca13755731b0fcb95e96aa211b3069a2f9eac816f1edd153d43eec039ec27
Instruction ID: 4b279df0ac1aa1b2cebbd95a19e06de81bff02de7b0e0c2724bac0ea9fe713f4
Opcode Fuzzy Hash: 9dcca13755731b0fcb95e96aa211b3069a2f9eac816f1edd153d43eec039ec27
Instruction Fuzzy Hash: 73C08C322880040FD200C5C4EC52B10B3A8D780638F68C46AE80CC7701CA6BE8038580

Function 05661610 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5669de8c8ecb316d8bf7bfa9748d8a0a4d717c8b222807073025fdf3788054e
Instruction ID: 302b8e9570adcce5f8bef6fd5d3ef77fe99886606ff2f911940a5e1459a4310b
Opcode Fuzzy Hash: d5669de8c8ecb316d8bf7bfa9748d8a0a4d717c8b222807073025fdf3788054e
Instruction Fuzzy Hash: 3FC0123A1440040BC2419584E862B80B39A9F84A24F68886EA808CB203CA6BE8C78490

Function 05662A60 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee296c25406745ddd64c9b86ff0a0d9b00480f3ed950a26efc5988192023cd8
Instruction ID: 02312361ec167c9904fbb8dd3f8d54be1e261bf4c0a01eac19f962cb5dc6ebcf
Opcode Fuzzy Hash: 4ee296c25406745ddd64c9b86ff0a0d9b00480f3ed950a26efc5988192023cd8
Instruction Fuzzy Hash: 3FC0123219440847C2408554EC827E17358C740215F84806AD8088BA01D522E4038695

Function 0734B320 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0

Function 0568B570 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ce2ba5004d211b2b8d0298e67b5f7abcee7dbcd46e081f6ad5318c896714ca
Instruction ID: 00b6d6431e3dca7eeb33bf6fe0c1db604066e1af1f6690ba1cf3dfa9b6133a37
Opcode Fuzzy Hash: a1ce2ba5004d211b2b8d0298e67b5f7abcee7dbcd46e081f6ad5318c896714ca
Instruction Fuzzy Hash: 81C012B7400208B7CF111E51EC02B877BA8EB26360F20C020F90498112E2729A22BB90

Function 05A813B3 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779b6d0db85d58c426a7b676e92437d7e3910a9481e2642c4da35357684eea53
Instruction ID: d1cb9d3ab527271a77c9424ee61ea070a81eb7ba5fa846b20d865a69b515a981
Opcode Fuzzy Hash: 779b6d0db85d58c426a7b676e92437d7e3910a9481e2642c4da35357684eea53
Instruction Fuzzy Hash: E2D05B3A8197929FC7115F109425B7D7E717F01301F4544F6D45693041D7249D1DC651

Function 05A803CA Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b6ac7b77e538d689145b748a7372452434d836e4311dead68c334884011e6d
Instruction ID: fb2d190839d0284e84a0898fc9057f5dc8db3101a9694bf9336685b3e5d5706f
Opcode Fuzzy Hash: f3b6ac7b77e538d689145b748a7372452434d836e4311dead68c334884011e6d
Instruction Fuzzy Hash: 0BD01739825955CBDB20EB10E818ABDBB36FF00302F4589B4A56A63240DFB49C9A8B41

Function 0566BF00 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d125363cf7bdf9f01fedd539e39a87d04571067f3debba227b75071346786a
Instruction ID: 7c834ef6555e0659ac9f9a474135a41c446ef998248289b94f16825e986a30ea
Opcode Fuzzy Hash: 93d125363cf7bdf9f01fedd539e39a87d04571067f3debba227b75071346786a
Instruction Fuzzy Hash: F1C0803931451843C6042E4DF41059F775DE785635F104166E60957B45CE686C0907D6

Function 056872C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830b53af83c662f5c035b362394c6047617d9d8eb85ed692c2ee11b39a30b618
Instruction ID: 362447e9683b0a4306c9b0acb9f63e697167678333477ef7a5a976dcc5238647
Opcode Fuzzy Hash: 830b53af83c662f5c035b362394c6047617d9d8eb85ed692c2ee11b39a30b618
Instruction Fuzzy Hash: 0EC02BB39040040BC340D584EC82B88BB69D784294F4EC06DE40CC7307EB33E903C4C4

Function 05A84230 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323ea852f543978bc93cadd9350b4ad2631ad8d774f6fde86cb13450889fbbe9
Instruction ID: 7285160510c0b04a23546e833759076522c63cea72515633372c4780790e3e3c
Opcode Fuzzy Hash: 323ea852f543978bc93cadd9350b4ad2631ad8d774f6fde86cb13450889fbbe9
Instruction Fuzzy Hash: 6CD0C93A144004DFDB418F54D844A957BA1EB18364F048051F9998F732C232D951EB00

Function 05668D20 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec26461da6ee38d2c320828a53810aa0e455d45bf685a7093e7e5aa3510dcbd5
Instruction ID: 5a27fa50b62a08e1820130c59173b8da6b4a5b00a5c771e4266cf90d78c8c1e9
Opcode Fuzzy Hash: ec26461da6ee38d2c320828a53810aa0e455d45bf685a7093e7e5aa3510dcbd5
Instruction Fuzzy Hash: 2DC08C3390C1142BD2088984DC82B80B398CBA8308F48C069F81CC7301EB32E903C886

Function 05662C9E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdca2f4e0b537c884d66b5672a9918f01efecc959b0ed44dca546dd533ad3a48
Instruction ID: d625f027d196c8016a75576167edf15c3fc35d0a8d64d96cdcffe519d41c8f5e
Opcode Fuzzy Hash: bdca2f4e0b537c884d66b5672a9918f01efecc959b0ed44dca546dd533ad3a48
Instruction Fuzzy Hash: 22D0C9787101458BCB41EFD8D874E6B7776FB84658F0085649602AB388DA249C5ACB51

Function 05665F60 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f672d4b1e1071d979b19efe61503c79e6d51ca78f04f6a8748d0f01ecdd6e7
Instruction ID: b6cb939fa33b0d7cd481cc20a6221324398677f8fa63c06d474a1f2c041b30ed
Opcode Fuzzy Hash: 76f672d4b1e1071d979b19efe61503c79e6d51ca78f04f6a8748d0f01ecdd6e7
Instruction Fuzzy Hash: 7EC08CB25442085BC348A598E842F00B39AE790204F98C469F80CC7301DE26ED038488

Function 05669F20 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction ID: 58c7e918dc9fc6e739d0296992eb27fcb8a7bf4254ad48f247067e0340e6a738
Opcode Fuzzy Hash: dbcef5c395f5c673d87ed76c55c2f1c93d814102d17bdb09fc090918b690f88a
Instruction Fuzzy Hash: A6C012313402095BD304CA88C842A22B3AADBC8614B14C079A808C7746DE36EC028694

Function 0566BED1 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5136aa5a61df31c25b6d581c2cc145349de84140d17495094877d7ce4695d3
Instruction ID: 39d5f20eab409e6c0885eca74ae195c3117b0c3d9048c585883dca08275a2405
Opcode Fuzzy Hash: ce5136aa5a61df31c25b6d581c2cc145349de84140d17495094877d7ce4695d3
Instruction Fuzzy Hash: 8AC08C321086086FC300D6A4DD42B04BBA8CB80318F88C0ADE80CCB393CA3AE903C680

Function 0566E13F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6de2363da2629a88fbe90ac67c407d223e93a4b8d1df0464fc39ffb27416a3
Instruction ID: 5db1e21d9721de530efd9080828af9619c214b250e19d74c9380dce7e88d733f
Opcode Fuzzy Hash: 9b6de2363da2629a88fbe90ac67c407d223e93a4b8d1df0464fc39ffb27416a3
Instruction Fuzzy Hash: 45C012360502048FC204AE58D986B803BA8EF06A0AFA50090A005CB622CA21E82A8AA2

Function 05666B71 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507dafd1c387a9355b93bd887e11ee8edd8e44c8fc6e7b5c13e022ca964e260c
Instruction ID: 18f1f28151c5744a8605c8899d85628686850c4eb6d6891a010a112ef9c3e8dd
Opcode Fuzzy Hash: 507dafd1c387a9355b93bd887e11ee8edd8e44c8fc6e7b5c13e022ca964e260c
Instruction Fuzzy Hash: 9FD0A7750052849FC741CF90E9D6C95BF30FB02254B0C44EFE8058B043C329C416DB11

Function 0734EBB0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cab4a454c5604e6782a671cd94f92c1e7839a68acbe59b1810628151681af6a
Instruction ID: 52738cfc7c5f3f19fa6fdfac170e6adb4478c93108f6b1e08500401452fc79bd
Opcode Fuzzy Hash: 2cab4a454c5604e6782a671cd94f92c1e7839a68acbe59b1810628151681af6a
Instruction Fuzzy Hash: FCC08C3160402C038A0422DCB00419F7A9EE785A29B85402AA60A93240CD411C0143D5

Function 05685950 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023d72de9252ad5af1c533bb2b79ea68d35928b5a405e4f052a31c02434c674b
Instruction ID: 8d776b4590534eb0439f5ddf2e34a59670de795e16be8c782be5fba7fef04de9
Opcode Fuzzy Hash: 023d72de9252ad5af1c533bb2b79ea68d35928b5a405e4f052a31c02434c674b
Instruction Fuzzy Hash: 86C002761450019BCB44CA44C991B15B7B2EBA5228F58C869E94A8B761DB37DD13DB01

Function 0568B320 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 05A840F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction ID: 1559b7bb1d66cdfc4324202593fed40f7269f97be06a62174427e62a94373c76
Opcode Fuzzy Hash: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction Fuzzy Hash: 8DC00235280208AFD7109A55DC46F457B68AB15B50F554091F7045F6A1C6A2E8109A98

Function 05C7F9C0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1776278634.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 056635E8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 05666898 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 0566B338 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction ID: 1559b7bb1d66cdfc4324202593fed40f7269f97be06a62174427e62a94373c76
Opcode Fuzzy Hash: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction Fuzzy Hash: 8DC00235280208AFD7109A55DC46F457B68AB15B50F554091F7045F6A1C6A2E8109A98

Function 05666B80 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 07349398 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 0734AC80 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction ID: 89f7625bcd3042e5662e2b0f59687678129b36ffb3fe7dec0c562e4284fda470
Opcode Fuzzy Hash: 2f9c937b705b733c9644217cffe37b903ab6a11d94893328ab2d7921f8117b8c
Instruction Fuzzy Hash: 05C04C753042085F9344DA9DD851C26F7E9DBD8614714C06DA90DC7351EA72FD13C694

Function 05A81273 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f20d5bb2e67e4b59d7c269665539e7e9a59fee65b35d3b7dc979cbfdd0e8c0
Instruction ID: 8107de8ac96e0eb9f1bb72a391e0b930aac05f8e7b233f7a8948ff36536afb84
Opcode Fuzzy Hash: a5f20d5bb2e67e4b59d7c269665539e7e9a59fee65b35d3b7dc979cbfdd0e8c0
Instruction Fuzzy Hash: 87D0C279E216188FCB649B24D9697A87BB2BB49301F4091A5A84AD3650DE345E84DF01

Function 0612FDC8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2cfd784575cddf23e5df878335d6ec56d9de2ea826ec2be2cfe48bb31cb017b
Instruction ID: d2c6a4cefb27bfcb5a3844ff54e04ec0c3a45b016003aa16df98874ae983a461
Opcode Fuzzy Hash: e2cfd784575cddf23e5df878335d6ec56d9de2ea826ec2be2cfe48bb31cb017b
Instruction Fuzzy Hash: 15B022320003280BC22022A8E80288ABB8CC8022B03008A33F00883A20AEAAEC8803C0

Function 05C75367 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1776278634.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5c70000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba0195c44ab61b27eca08c8074b8f7d24993cbfac2e3cc5f169f01513cc6ef9
Instruction ID: 17c8fb8363a4ac3df8068d39f6fb7c65a1f3af9af013a8d9b57540655d4d10b0
Opcode Fuzzy Hash: fba0195c44ab61b27eca08c8074b8f7d24993cbfac2e3cc5f169f01513cc6ef9
Instruction Fuzzy Hash: 5CC012396001084BD7049EA4D00475A7A62E748735F1094249545B7785CDA85C44CF52

Function 0734AEA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50dc65d3e38c52b4948fbe572bc364c6ebf8068ba90c27af8f843d2c7b1f087d
Instruction ID: 5fdfb1f675237ba4c9d644d448631406da118ef80069fe162c0a14e4f6d5cc60
Opcode Fuzzy Hash: 50dc65d3e38c52b4948fbe572bc364c6ebf8068ba90c27af8f843d2c7b1f087d
Instruction Fuzzy Hash: 86B092320603295FC62066A9F80588ABBDCEA41279B008A76F54D876155EA6EC4547D4

Function 0734F5E0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6e8ab0bc78ca4dda69d6cc9f55e19761e557ab9d0b6b13b729f856a311e51a
Instruction ID: e354c3d23d08ce43e236a9aabbe94f4ce77d35ceac345187a1ce99ab05e976bd
Opcode Fuzzy Hash: 0c6e8ab0bc78ca4dda69d6cc9f55e19761e557ab9d0b6b13b729f856a311e51a
Instruction Fuzzy Hash: 57B0223200032A0BC2202AAAE80088ABBCCC8002303000A32F08C82220AFAAEC8203C0

Function 05687531 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ce25f45ce03168283de2b706732a2723a265b920db949a40db439ec3a6f6fe
Instruction ID: 789589208009a8d9915ffb683a09125bc72cc8fc6e6df4cbbcc5b2f47b89290f
Opcode Fuzzy Hash: d9ce25f45ce03168283de2b706732a2723a265b920db949a40db439ec3a6f6fe
Instruction Fuzzy Hash: 5AB0123705020D27D0903250F84338B714E47C0204FC70150B00CAA601DC59B05B00DB

Function 056825DA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b99ba00d5e0481d2390ab3a6c37b2ab7ab21177a6acc932a1a4eeb7bbdf657d
Instruction ID: b0188638cb44a44fcf95b597449d646651a8c8203a72d8749de23e253c3ed3fa
Opcode Fuzzy Hash: 1b99ba00d5e0481d2390ab3a6c37b2ab7ab21177a6acc932a1a4eeb7bbdf657d
Instruction Fuzzy Hash: A7C09B76180208EFC701DF55D845C457B78FF197717554191F9148B731C732F810DA54

Function 0568B298 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304fe006b687839e29d0c93c02fbc55375920b23f8fb5073624b3f82ddbb2b74
Instruction ID: cf89c6a4d37d21b5b92cfcaa19ab11ba290f7baffac9ece7f2bb64f67027b492
Opcode Fuzzy Hash: 304fe006b687839e29d0c93c02fbc55375920b23f8fb5073624b3f82ddbb2b74
Instruction Fuzzy Hash: 2AC0483204430CFBCF025FA1EC01C9E7B2AAF15261B808469FE5808520C737E5B0EBA5

Function 05A89070 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3785d73f0cb977e8738494c04dfbd823534e98a286b6d4358749cfe741f8fb53
Instruction ID: 4bd780fc5c293a7abfbfd885cdcb661362ff7049f19a888cc2bf7faf068485d8
Opcode Fuzzy Hash: 3785d73f0cb977e8738494c04dfbd823534e98a286b6d4358749cfe741f8fb53
Instruction Fuzzy Hash: F0C09B725585549FD7425710CD4FD5DFF71DB5130074540966442C7019DF744851D711

Function 05668F10 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2352b50439e65704e76c65e2b95863689fff6bf93d9bb256a08a2cf1cde5bd3
Instruction ID: b1dfd7e2a313218f4d593576812a34e429b50a22fc45e4e580f18dc30f6f0127
Opcode Fuzzy Hash: a2352b50439e65704e76c65e2b95863689fff6bf93d9bb256a08a2cf1cde5bd3
Instruction Fuzzy Hash: C9B012F3451A0C77DE401258FC4B3C13B4CD378215F845061F40C80600ED05B1821348

Function 056825E0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction ID: 2ad57114494cc740969b95bee8f444b209d5990da35e5c480c7824bf6c3857fe
Opcode Fuzzy Hash: af8e06a732ca707132f27ef7a83e288a845aad2dfe2584e40d54ff240b01922d
Instruction Fuzzy Hash: B7C09276140208EFC700DF69E844C45BBB8FF1976071180A1FA088B332C732E820DA94

Function 0568B5F0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05688FD0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 056879B0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0568BB40 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0568A240 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 056872D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05A85DC0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b05694a4a925c593e56a9507d08ce986e0b82fa9c9eca51d606f2245bc24a3
Instruction ID: 4b4de5962171f1daf050768d574d3d998fff598a9e24e9020ac36cca8335e62b
Opcode Fuzzy Hash: 35b05694a4a925c593e56a9507d08ce986e0b82fa9c9eca51d606f2245bc24a3
Instruction Fuzzy Hash: A4C09272AEC3851FDB629AE04D1FB093F344B53B25F4940C7A6419E1D3D4AAC109CB63

Function 0612215C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a72778ea84955cad293171f5a76d2f74a202d720eceb3a5de600635aa4ec79
Instruction ID: e8177e829ffc8097cd45a8e53820b1f37ed967f6cb92d48a77c3d204a2c886bd
Opcode Fuzzy Hash: 42a72778ea84955cad293171f5a76d2f74a202d720eceb3a5de600635aa4ec79
Instruction Fuzzy Hash: B9C00274A22218CFEB845B78E56D65D7EA2EB49316B008569F81AC2381DE3489019A06

Function 06124DC8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15d70d31b70a20aeff207ef6bcfbb305ccb036a32585e2cdab4fd4cc0a7a3d1
Instruction ID: 1ed8b62b6e32bbc412c386769a64f6928b89676e3b9e4622bf5787f88de35462
Opcode Fuzzy Hash: b15d70d31b70a20aeff207ef6bcfbb305ccb036a32585e2cdab4fd4cc0a7a3d1
Instruction Fuzzy Hash: 82C04C30D5512ECFF7948A14E998B6D7B71AB44281F214661F416D2240CB2859928A4A

Function 05668D30 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05665F70 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0566BEE0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05662A70 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 0734AE80 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 056885D0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
Instruction ID: bde584bcc0a20163e1d20aefd562f14664055d751c7398f878511897cdc0a054
Opcode Fuzzy Hash: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
Instruction Fuzzy Hash: DFB012301042084B8100D6C8D841810F39CDB84518314C099980C47302CA23FC038580

Function 062E762C Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779111337.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7104016e2384288bf87f95dda75adba985de9064612d6c3b009857fe5e4e106
Instruction ID: a55567808612c2d8d4a7da49e5677915347da8ccf77ae5127ab3be929965f708
Opcode Fuzzy Hash: d7104016e2384288bf87f95dda75adba985de9064612d6c3b009857fe5e4e106
Instruction Fuzzy Hash: 0DC09B759571548FD3014E90D5142D53F715B69310F495066DC0567781C5D44D41CF93

Function 062EF3D0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779111337.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction ID: 20159973dc6c4478fa717a34ac84a2881d4813b9dc5cbab7339b5de6a68ee492
Opcode Fuzzy Hash: 8ab4bbdd17a120ddc1ef3c4cf224515beb75f8373d4b4482147fda78e6e90976
Instruction Fuzzy Hash: 0DB01231250208CFC300DB6CE444C0033FCAF4DA1431000D0F10C8B331C721FC008A40

Function 05A83FC0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd9e7a5643bb66a73daf077c52b606d2bcaf63d4b226795886af3a105acfbc3
Instruction ID: 8af6b4182805520458efb12fefcadc12018262ce4758dbb70633f9d0b96a8da2
Opcode Fuzzy Hash: 4bd9e7a5643bb66a73daf077c52b606d2bcaf63d4b226795886af3a105acfbc3
Instruction Fuzzy Hash: D8B092E754928029EB00DEB4EA8278967A48307318F0804F7E51C8BA72E2388212CA00

Function 06127660 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cdb4f687ab12025e8389c2fb21792c812de654467923881419b2744bb53e71
Instruction ID: 7de4840db72a739a7296ecabbd3d178890c8b70a70b6a7fce96b4b1d731f9c0f
Opcode Fuzzy Hash: d1cdb4f687ab12025e8389c2fb21792c812de654467923881419b2744bb53e71
Instruction Fuzzy Hash: 6AB092341502088F82409B59D449C00BBE8AF08A243454090E1088B632C621F8008A40

Function 0566DDEC Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2433723b1a0db0a1679e6e365ff15e0e55202c484991b020749c18fce95863
Instruction ID: e3035e1df7ffdbc822d593d919369507016f68dfc9301ef73b291b06a96b9eaf
Opcode Fuzzy Hash: 4c2433723b1a0db0a1679e6e365ff15e0e55202c484991b020749c18fce95863
Instruction Fuzzy Hash: 27B0123BB400199ACB00D6C8F4504ECFB30EBD4332F004033C300620008B31157AC760

Function 0566E150 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction ID: cfd3c94acb28e12ede7e7a80c62375d018fe088f1f186957f4485c32e65079b3
Opcode Fuzzy Hash: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction Fuzzy Hash: 6CB092301602088F82009A59E448C0137ACAF08A0434100D0E1088B632C621F8008A51

Function 0566A842 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af5b3084f9b5266c837eae744b167190227d6bd7876fc46bfb06a55329d5066
Instruction ID: 6f8232b3780fafd3fe48c4236f40230c78fce7594c91afc326dd60c99503c1c5
Opcode Fuzzy Hash: 0af5b3084f9b5266c837eae744b167190227d6bd7876fc46bfb06a55329d5066
Instruction Fuzzy Hash: D0C00274D00119CFCB00CB94D89459DBBB2BB48301F414126C90663354C7341902DB40

Function 05A83B90 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90500e4efdcd9f5b94cf6a8d341ec8708ef9210b6bbfb24de8adebe883eb24ab
Instruction ID: 14a1c8211ea6c81eb484eebb47d1cf67a9f6028181b76a24fd536fb05e2de22a
Opcode Fuzzy Hash: 90500e4efdcd9f5b94cf6a8d341ec8708ef9210b6bbfb24de8adebe883eb24ab
Instruction Fuzzy Hash: 46A02230002B0C82A30232B0280002033BC08002083C000B8A30C08A320833E8E08888

Function 061272D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7baf98ac95dea0aee4c31acbddf3d49a19df181fd3ece759126680dbbcbb1b6d
Instruction ID: b6d89171dd8a6159c44f4aafa89a2bb02378b6bf9f30c66ed7500eb94f62f758
Opcode Fuzzy Hash: 7baf98ac95dea0aee4c31acbddf3d49a19df181fd3ece759126680dbbcbb1b6d
Instruction Fuzzy Hash: 9AA00231087B0C86861536B56901525739D59917597D004B9970C09A215977E4A1CDD9

Function 0566EC72 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b97b74ad626a0ce5d4eabb452288a0e20884b82c46d989ba0075a7997aba1a
Instruction ID: bc558740e44996f5ee0281f3a719abef2f9cf3a615242416cf2d930cc71f692b
Opcode Fuzzy Hash: 06b97b74ad626a0ce5d4eabb452288a0e20884b82c46d989ba0075a7997aba1a
Instruction Fuzzy Hash: 5BA002777415015AFE107AB4C95771559659755D59FC888708D00C5750C409D4054057

Function 05687540 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463240b795e55eeac392417ed0e57c4fdf2fbb980f5a2a43013bd8463dfbb8b1
Instruction ID: 7538a2db8ec49a678ece6798b2cabeab480b66bf9b58ce63f2a84a0b1f90bd19
Opcode Fuzzy Hash: 463240b795e55eeac392417ed0e57c4fdf2fbb980f5a2a43013bd8463dfbb8b1
Instruction Fuzzy Hash:

Function 0568A9F0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e3241ab52c14874a716b471ee6398472d2712c8546f91fe70322f8e674c6ec
Instruction ID: 4cb3b6a4945e018026307a16d773abea54e22fa84390a938b92b49b8b9b320de
Opcode Fuzzy Hash: 73e3241ab52c14874a716b471ee6398472d2712c8546f91fe70322f8e674c6ec
Instruction Fuzzy Hash: D790223000030C8B80202380380800CB38C8000200B800000F00C080028AA0B0020280

Function 062EC610 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779111337.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ccf528ee27c6447ab3e7cf015e6b9db22defe695c8eff788ad03e0be939f9a
Instruction ID: fabbc939dc94ee661cae4e576b0c869370ba66dca28c1e1c01207b84c9d9b967
Opcode Fuzzy Hash: 81ccf528ee27c6447ab3e7cf015e6b9db22defe695c8eff788ad03e0be939f9a
Instruction Fuzzy Hash: 9590023205470DCF46512795740A5957B9CD6489367805091F50D415015F55685056D5

Function 062EEDA0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1779111337.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc3089cb91d79d08cfd10596f983133a8f7620742850395d78857bcb6982974
Instruction ID: 160821a50d70a4746f4c1b4ff3ebe72998bde2ce64b65243cae10d623e285437
Opcode Fuzzy Hash: 3bc3089cb91d79d08cfd10596f983133a8f7620742850395d78857bcb6982974
Instruction Fuzzy Hash: 8090023109460CCF45412795B50B5557B5CD648515BC040D1B50D419055F65682056D5

Function 05A83FD0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1775827113.0000000005A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5a80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1afd84bd8e8c17acd66e4ed61c3a286ba7600dbd252b7590f6bd0c0ef10f1177
Instruction ID: ea21c65c5508f8c1265d107baaad18c9d68b10cdc9f944cdd639ef9385542efe
Opcode Fuzzy Hash: 1afd84bd8e8c17acd66e4ed61c3a286ba7600dbd252b7590f6bd0c0ef10f1177
Instruction Fuzzy Hash: 00902230000E0C8B328023A0300A000BBAC80083003800000B20C038020E2AA0000080

Function 06127B30 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb68bef3d67f10605d0f2c6f6e0e1b4eb1b2763fa7531b0052ca76fa42a690c8
Instruction ID: fbce569d8427b76de6b3c3c54849578f63e1731748f60feb3e5390697f718fea
Opcode Fuzzy Hash: fb68bef3d67f10605d0f2c6f6e0e1b4eb1b2763fa7531b0052ca76fa42a690c8
Instruction Fuzzy Hash: FF90023106461C8B49442795740A5A57B5CD9845267804071B50D415019E5565505695

Function 06127A40 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449fc630856e732c8a9de7382a137a46522158e58182e7f5a9a1203d086d3dec
Instruction ID: baba7798f156c1c03cee4c7f8122e5d421512dd09f3044c8b644fe4987cf161d
Opcode Fuzzy Hash: 449fc630856e732c8a9de7382a137a46522158e58182e7f5a9a1203d086d3dec
Instruction Fuzzy Hash: FD90023105470C9F4A4827A5780A565BB5CD5445157818051B50D416129EE568505695

Function 0612D980 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a52d22e9d744cb5f40f2fd65158c7035cabced6b678210eb258a4c725962d15
Instruction ID: 1f3a44e24e9ea507ab5c9b912a9b13b0224414b2be1dbbbe2dede11c20bef340
Opcode Fuzzy Hash: 8a52d22e9d744cb5f40f2fd65158c7035cabced6b678210eb258a4c725962d15
Instruction Fuzzy Hash: 30900231066E1C8B46402795740A9957B6CA5885157854061B60E519015E55A410D595

Function 0612D3C0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95daf6fe926be9b580e5f5ae4ba56bf04a5e3486c755601fe17dc66b11e18aa
Instruction ID: 77a6ecd228e34e134b602e12a23fb57f5b9f6516137c46fa358fb28c2546ab0c
Opcode Fuzzy Hash: c95daf6fe926be9b580e5f5ae4ba56bf04a5e3486c755601fe17dc66b11e18aa
Instruction Fuzzy Hash: 16900231096A0CCB46406799750A5557BAC95445157814451B60D519016E55641095A6

Function 05668F20 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1772759324.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5660000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b473924e405b3f116e520b151a0791fb0c360ada843e181679b29d1806b925
Instruction ID: 7a4c4dc503a803f9ae491ee2ae349ecd1c5f5cf8f868c6cdc46be4753ca6672b
Opcode Fuzzy Hash: 84b473924e405b3f116e520b151a0791fb0c360ada843e181679b29d1806b925
Instruction Fuzzy Hash: 5C900231064E0D8B46502795740A5957B5CD5445667805051B50D419119E5674505695

Function 0734A750 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1780357325.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7340000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9b57f09a0b79bee9506807fa2350d4ce58ee96bc6a9c751dc1ea2ea78a8714
Instruction ID: 6f7cbe538d01e01556df5378cdccf2e2309b6e8eab7ac4d759e8ade00a83bf4f
Opcode Fuzzy Hash: 0d9b57f09a0b79bee9506807fa2350d4ce58ee96bc6a9c751dc1ea2ea78a8714
Instruction Fuzzy Hash: B390023105460C8F8D4027F5750E6557F5CD54451E7804051B50D465039E65641045D5

Function 06123DAB Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1777932553.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6120000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187912c0339483e05a11fce2d53461f866b47700987734534a220ea7ab70811b
Instruction ID: b505246cce826ffe34f1758dc63166b2338d95bd8506a09e80ea0a30f9399eef
Opcode Fuzzy Hash: 187912c0339483e05a11fce2d53461f866b47700987734534a220ea7ab70811b
Instruction Fuzzy Hash: 68A01130A00008CFF3088A20F82CA283B22AB08282F008220B802822808B200A80CA0A

Non-executed Functions

Function 056809D0 Relevance: 5.2, Strings: 4, Instructions: 191COMMON

Download Yara Rule

Strings

(_^q, xrefs: 0568108B
(_^q, xrefs: 056810DB
(_^q, xrefs: 05681095
(_^q, xrefs: 05681111

Memory Dump Source

Source File: 00000008.00000002.1772953001.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5680000_RegSvcs.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$(_^q$(_^q
API String ID: 0-2697572114
Opcode ID: 551ebe9627f37bb0a330a59f0c2d8e4f5e128111285e17055ac676a9c981bdb3
Instruction ID: 9dcf6aa6578036e97b4cb4faa7f14e6e8ff003ca7a8f2aa5fe5bb728e48e3c74
Opcode Fuzzy Hash: 551ebe9627f37bb0a330a59f0c2d8e4f5e128111285e17055ac676a9c981bdb3
Instruction Fuzzy Hash: 1D619075B042088FC704EF78C85596EBBB2FF8A304B5586A9E4069B391DF31DC82CB91

Analysis Process: ymvnpo.exePID: 7952, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	130
Total number of Limit Nodes:	6

Executed Functions

Function 06F60778 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1773349754.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f60000_ymvnpo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3adb8d722201890fb57798c75f8bc27b5f96740ed6cb01bee807bfecde9166e
Instruction ID: 7f6b14274d7d226348c5275fe118ba4d49c71972f98fad0ff2bea14baf10a174
Opcode Fuzzy Hash: f3adb8d722201890fb57798c75f8bc27b5f96740ed6cb01bee807bfecde9166e
Instruction Fuzzy Hash: BEC1CF71B056008FEBA9EB36C950BAE77F6AF89304F24846DE146DB291DF35E801C791

Function 0AB5CAE5 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0AB5CD26

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3c07c268b75703cad0e0992c0d7bbe79c597e609e46bf71331b68e05d7f9eba7
Instruction ID: 1fdfcbaeafb08a8ce5f950049e17cce97acc9260fd70aa22134dbb189aa2e712
Opcode Fuzzy Hash: 3c07c268b75703cad0e0992c0d7bbe79c597e609e46bf71331b68e05d7f9eba7
Instruction Fuzzy Hash: F1A17971D003199FDB20CF69C840BEDBFB2EF4A304F1481AAE848A7290DB759995DF91

Function 0AB5CAF0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0AB5CD26

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f6c37304ef44d93df699a1bf843d6a77e75fdbf81490b9f4b2d58508e61ed89e
Instruction ID: 3b1b6750b64be56da43b9fd054d63f3170f916d67aa8cb6b67bc2edc646bbeb9
Opcode Fuzzy Hash: f6c37304ef44d93df699a1bf843d6a77e75fdbf81490b9f4b2d58508e61ed89e
Instruction Fuzzy Hash: 34915871D003199FDB20CF69C840BEDBFB2EF49314F1481AAE848A7290DB759995DF92

Function 00E29034 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E290F1

Memory Dump Source

Source File: 0000000A.00000002.1760578110.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e20000_ymvnpo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 64e10d4587f1709db3dd144cab1eab171c3a4bb42f21bac514300c56769a46b9
Instruction ID: 689474bc96e839662095d4df7a049aeb8e85fe0335f13085ae1815cc6846d7f2
Opcode Fuzzy Hash: 64e10d4587f1709db3dd144cab1eab171c3a4bb42f21bac514300c56769a46b9
Instruction Fuzzy Hash: 3541E2B0C0062DDEDB24CFAAD844BCEBBB5BF45704F2090AAD408BB255DB756985CF91

Function 00E27BFC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E290F1

Memory Dump Source

Source File: 0000000A.00000002.1760578110.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e20000_ymvnpo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d5f71c36b51b07ac018ea166573dd1e5611eb00ac16c932e36192ad9a90ebdbb
Instruction ID: df1ee9966012c70c8550293e53a69388eda90060b31147844121dac5ec975db4
Opcode Fuzzy Hash: d5f71c36b51b07ac018ea166573dd1e5611eb00ac16c932e36192ad9a90ebdbb
Instruction Fuzzy Hash: C141D2B0C0061DDBDB24CFAAC848BDEBBB5BF45704F2080AAD408BB255DB756985CF90

Function 0AB5C861 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0AB5C8F8

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 24b85e62f6618232401b26b47713b2be08ee4f13f9ff88140e54c15b07f740e5
Instruction ID: d925955d660d08ef1067629649c42b03a998cc50fc2c2a8f9a445c4b9cc7d21d
Opcode Fuzzy Hash: 24b85e62f6618232401b26b47713b2be08ee4f13f9ff88140e54c15b07f740e5
Instruction Fuzzy Hash: 522123B19003499FCB10CFA9C981BEEBFF1FF48314F14842AE959A7251C7789954DBA4

Function 0910AE30 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0910AECF

Memory Dump Source

Source File: 0000000A.00000002.1776075174.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9100000_ymvnpo.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 2b4c92c3525c42a157033654b5682fc1012158ca6291b27036922a37a8dd3d65
Instruction ID: e424e78efbf64055e9d960ca45201ac50e8e6f87650f2f60d26a23416bc98a96
Opcode Fuzzy Hash: 2b4c92c3525c42a157033654b5682fc1012158ca6291b27036922a37a8dd3d65
Instruction Fuzzy Hash: B731DFB5D003099FDB10CF9AD984A9EBBF4FF48324F14842AE819A7250D375A944CFA0

Function 0AB5C868 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0AB5C8F8

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 852b0a6c02adf1787c88f6efd2d3a68cc5e0d29ff47a6bb15e6d4422deadae40
Instruction ID: efca4fcb13f792ecb1229e4b1a1b040173fe27d262794e8c1712529ca90d8d9f
Opcode Fuzzy Hash: 852b0a6c02adf1787c88f6efd2d3a68cc5e0d29ff47a6bb15e6d4422deadae40
Instruction Fuzzy Hash: 302135B19003499FCB10CFA9C880BEEBBF5FB48310F10842AE959A7240C7789944DBA4

Function 0910AE38 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0910AECF

Memory Dump Source

Source File: 0000000A.00000002.1776075174.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9100000_ymvnpo.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 5dadf3934adb53b9b1bc7b643675f1de44f648fb0e56507af2feb0913463bafd
Instruction ID: def6b3bb29ffb5794f9c2779bf4f3c91086cc1e52f9f12d5faa63b2edd6de10f
Opcode Fuzzy Hash: 5dadf3934adb53b9b1bc7b643675f1de44f648fb0e56507af2feb0913463bafd
Instruction Fuzzy Hash: 8A21CEB5D003099FDB10CF9AD984AAEFBF5FF48324F14842AE919A7250D775A944CFA0

Function 0AB5C950 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AB5C9D8

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 30bf5793e7ff7fdc59261ce221c4ff5c31d23c5728e2cf6fd6f50e1c1ed2fc5e
Instruction ID: aa0c7d79a4416e9c22c8deb1c05a3da9502c00dfa90f665b928a9f9b3dc1efb4
Opcode Fuzzy Hash: 30bf5793e7ff7fdc59261ce221c4ff5c31d23c5728e2cf6fd6f50e1c1ed2fc5e
Instruction Fuzzy Hash: CF2127B190034D9FCB10DFAAC840ADEBBF5FF48314F50842AE959A7250C7359945DBA5

Function 0AB5C958 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AB5C9D8

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 95f580de25238fa622b9013d3356811c626523904b106414633251c522e7519d
Instruction ID: bddc2003dab94e1e3d6c4574fd0f55cab3b168118e3a8abc6bf344098f41f1f2
Opcode Fuzzy Hash: 95f580de25238fa622b9013d3356811c626523904b106414633251c522e7519d
Instruction Fuzzy Hash: EE2116B18003599FCB10DFAAC841ADEBBF5FF48310F10842AE959A7250C739A944DBA5

Function 0AB5C298 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0AB5C316

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3da4095906a6e919c1a779be566f2cc816f5554578a9699760f724563c4b93c2
Instruction ID: d91d9ca31338e19de4458e1bffa37b932ec9621052e208495fcf6c193ebc58fd
Opcode Fuzzy Hash: 3da4095906a6e919c1a779be566f2cc816f5554578a9699760f724563c4b93c2
Instruction Fuzzy Hash: 302137B19003098FDB10DFAAC4857EEBBF5EB49324F14842AD459A7241C778A984CFA5

Function 0AB5C7A1 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0AB5C816

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 36c58b859918ee30fba8779b7d6e971b3aa9e9b151af1f1621531ffe7e4228a5
Instruction ID: 8649a0b9ee26ab59d30e7102c1c24180968bba3f0144f66ce37caf522bc9401a
Opcode Fuzzy Hash: 36c58b859918ee30fba8779b7d6e971b3aa9e9b151af1f1621531ffe7e4228a5
Instruction Fuzzy Hash: DB1189728002498FCB14CFA9C844BEEBFF5EF88324F208429E459A7210C736A540CFA0

Function 0AB5C7A8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0AB5C816

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e0aa64d0bfebb6e27b84302e81b7413727d5e95091e1db29726ae7876d0e8e72
Instruction ID: c7adb35f0853c4cfd1c45291576defd8568cd0597dd0e7e42c2445d83934b6ab
Opcode Fuzzy Hash: e0aa64d0bfebb6e27b84302e81b7413727d5e95091e1db29726ae7876d0e8e72
Instruction Fuzzy Hash: 9F1167728003488FCB10DFAAC844BEEBFF5EF88324F108419E519A7250C735A544CFA5

Function 0AB5C1E0 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0AB5C24A

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: add7733d75f5be45738dfa8355b7b1eaf1cc68eb2d0215f9944ead5cad6e0b71
Instruction ID: dac26bf55d0896030e4448c3c612c0856164f752fadfcddb3b6543f5d6d24f8b
Opcode Fuzzy Hash: add7733d75f5be45738dfa8355b7b1eaf1cc68eb2d0215f9944ead5cad6e0b71
Instruction Fuzzy Hash: F91149B19003888FCB20DFAAC4457EEFFF5AF89324F248419C459A7250CB75A544CF95

Function 0AB5FCD8 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0AB5FD3D

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 04ebf69016c45693b404d1526d9a78a71d3ac169973e02433ce5cbeabc79f0d4
Instruction ID: d0cee8ab964b0609396f4b4d998223d1f2d7720026fa483b2155f761f43b6bf1
Opcode Fuzzy Hash: 04ebf69016c45693b404d1526d9a78a71d3ac169973e02433ce5cbeabc79f0d4
Instruction Fuzzy Hash: 9B1155B58007889FCB20CFAAD488BEEFFF4EB48314F20845AD854A3241C375A544CFA5

Function 0AB5C1E8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0AB5C24A

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2ffda005a465bb18e4c837bf37f4fc5327299cb1404e885edbf4d077dc007790
Instruction ID: 51f4097e7c9e73ab3e5dc9d9aca43b860d64f8e151b986ab629ff0adf3442d04
Opcode Fuzzy Hash: 2ffda005a465bb18e4c837bf37f4fc5327299cb1404e885edbf4d077dc007790
Instruction Fuzzy Hash: 76113AB19003488FCB20DFAAC4457DEFFF5EB88324F248419D459A7250CB75A544CFA5

Function 00E2E6A0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E2E706

Memory Dump Source

Source File: 0000000A.00000002.1760578110.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e20000_ymvnpo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a5c00f7beb852dd1f2e306b9d1703b86175b66b79bbbc95cd17b4c211de7e701
Instruction ID: 52916459a47a6e6167b9ef4b3ac14178c8bba5882c4ad52ee4bb44b829e830e0
Opcode Fuzzy Hash: a5c00f7beb852dd1f2e306b9d1703b86175b66b79bbbc95cd17b4c211de7e701
Instruction Fuzzy Hash: F31110B5C003598FDB10CF9AD444ADEFBF4AB88324F14842AD429B7310C375A545CFA1

Function 0AB59478 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0AB5FD3D

Memory Dump Source

Source File: 0000000A.00000002.1777750174.000000000AB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab50000_ymvnpo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9eaa383a15b6e19526d4ecaf431e5dca13c2ed25ea9d011f25770952e5d37529
Instruction ID: 0e9f3a17f7951d526923804ebd0881b8320804ce154278e13be4f11427fc994b
Opcode Fuzzy Hash: 9eaa383a15b6e19526d4ecaf431e5dca13c2ed25ea9d011f25770952e5d37529
Instruction Fuzzy Hash: F41125B58003489FDB10DF9AC449BEEFBF8EB48314F108459E914A7250C375A944CFA5

Function 06F60B90 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1773349754.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6f60000_ymvnpo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9ce974e126b1857b3190b690dac959f33d5336862c0ff778906cd16968e944
Instruction ID: c2f3fcf474d1c2cf71dee4db8ee9aafe41c228eaf982b7158548d33e68bfb8b8
Opcode Fuzzy Hash: 9d9ce974e126b1857b3190b690dac959f33d5336862c0ff778906cd16968e944
Instruction Fuzzy Hash: F8A17B30B012449FDB55DF69D694A9EBBF6AF89300F2440A8F505AB3A5CF71ED01CB50

Function 00DAD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1760235469.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dad000_ymvnpo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25f50a5a09f7aa7654641db92e0ead4c2b12137009356420d699e84d807c304
Instruction ID: dfa744bac518c51a94471ae764ab8a72ca66bd338f8d59a25f4fce35f2715e06
Opcode Fuzzy Hash: f25f50a5a09f7aa7654641db92e0ead4c2b12137009356420d699e84d807c304
Instruction Fuzzy Hash: 80214571100200DFDB00DF04C9C0B2ABF66FB98324F24C169E80A0B65AC37AE846CAB2

Function 00DBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1760299808.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dbd000_ymvnpo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6117f0fe69a799ac673574c56359dec3854e56041103a8660258a662c20054
Instruction ID: f622e8a7daf2e85d9ed5e480d27859bf6741b29bb283dc310117fd2d4664c491
Opcode Fuzzy Hash: 3e6117f0fe69a799ac673574c56359dec3854e56041103a8660258a662c20054
Instruction Fuzzy Hash: 51210175604200DFCB14EF24D9C4B66BFA6FB88314F24C5ADE84A4B296D33AD847CA71

Function 00DBD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1760299808.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dbd000_ymvnpo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68fa5c12aa2a0b34c5406cf6437c6462a355507e69ac1ad3e1069bd27b5ba0e
Instruction ID: 1f9b21dc3929d889f88e52444935c2ad0ede3a2ac69de3cdc29286a91f4ca807
Opcode Fuzzy Hash: e68fa5c12aa2a0b34c5406cf6437c6462a355507e69ac1ad3e1069bd27b5ba0e
Instruction Fuzzy Hash: A8212671504280EFDB05DF14D9C0B6ABBA6FB84314F34C66DE84A4B296D336D846CB75

Function 00DBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1760299808.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dbd000_ymvnpo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30246c6f65bcdd634d4387cb98388f21d3719828c6562086599f08fbe51c99db
Instruction ID: 089825fabc3bdf17c44ff4cb98607be7dda1ed5de88c7c4867a74ac193d0f159
Opcode Fuzzy Hash: 30246c6f65bcdd634d4387cb98388f21d3719828c6562086599f08fbe51c99db
Instruction Fuzzy Hash: E7218E75509380CFCB02DF24D994755BF72EB46314F28C5EAD8498F2A7C33A980ACB62

Function 00DAD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1760235469.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dad000_ymvnpo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 44dcdaa7fbeafbd55e6a9e55978eedcfe11dd050ec64594c3ab5a880387003e5
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: E5112676404240CFDB02CF00D5C4B16BF72FB98324F28C6A9DC0A0B656C33AE85ACBA1

Function 00DBD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1760299808.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_dbd000_ymvnpo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 890aa4e09605a84a2a454bedd5681d47c6b1928bc61b0c11a4bde4a5690e7e10
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F311BB75504280DFCB02CF10C5C4B55BFA2FB84314F28C6AAD84A4B296C33AD80ACB61

Analysis Process: RegSvcs.exePID: 8144, Parent PID: 7952COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	114
Total number of Limit Nodes:	16

Executed Functions

Function 05AC7787 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

fcq, xrefs: 05AC77E7

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: fcq
API String ID: 0-2768158334
Opcode ID: d841921c0b44c1bb2d5152f1142e52c3a2b0d5b1c983ead0ca6533300522b920
Instruction ID: ca98757033ff8799f230c6aee141d3d4cd2657b26bfbe272e85dafa1b8fb4e4a
Opcode Fuzzy Hash: d841921c0b44c1bb2d5152f1142e52c3a2b0d5b1c983ead0ca6533300522b920
Instruction Fuzzy Hash: 5FB13D30B042198BDB14EF65D455A9EBBF2FF89300F518199E90ABB385DF30AD868F51

Function 05AC77A0 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

fcq, xrefs: 05AC77E7

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: fcq
API String ID: 0-2768158334
Opcode ID: 279123debed1649fe145bace7ee08635ebeeac39fe35970b7bed8e008bd8dd74
Instruction ID: 336b814db39651f854ba15fbc35d9afa0d01b20eab9829b34b4df4b85eaf3806
Opcode Fuzzy Hash: 279123debed1649fe145bace7ee08635ebeeac39fe35970b7bed8e008bd8dd74
Instruction Fuzzy Hash: 11B14D30B002198BDB14EF65C455A9EB7F2FF89300F518199E90AAB385DF30AD868F51

Function 05AC7771 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

fcq, xrefs: 05AC77E7

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: fcq
API String ID: 0-2768158334
Opcode ID: dc2cc452ead517cc851f5acb55075ccc512f0b6f7659b3af4837a41f92bec610
Instruction ID: f973fe70038068cb46281c6eca3abdb69a956773fa4934d39ea9ae67c911c218
Opcode Fuzzy Hash: dc2cc452ead517cc851f5acb55075ccc512f0b6f7659b3af4837a41f92bec610
Instruction Fuzzy Hash: C0B14F30B042198FDB15EF65D455A9EBBF2FF89300F118199E90AAB385DF30AD868F51

Function 05AC2BB1 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e16b172511c8561a8a9162a681084db0577a86fed58d7c7a9312f72eaeb8708
Instruction ID: c5ffa5dc540edb8a3e6b19e1ffb8522fc7d740a9a472895f46735b74304e7336
Opcode Fuzzy Hash: 3e16b172511c8561a8a9162a681084db0577a86fed58d7c7a9312f72eaeb8708
Instruction Fuzzy Hash: E0D13D38714104CFDB04EB66E559FAA7BF3FB89300F5584A9E406AB399DB305C42DB91

Function 05AC2BC0 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2715bb8b5b8a11b957ecf7a4718a84e33cdf2b0023f3f14669a72fa8fd28883f
Instruction ID: e1a1b421896824d148f880c3767234b11da48d317733c5fb06f1459be0dd6aab
Opcode Fuzzy Hash: 2715bb8b5b8a11b957ecf7a4718a84e33cdf2b0023f3f14669a72fa8fd28883f
Instruction Fuzzy Hash: 57C12A38714104CFDB04EB66E559BAA7BF3FB89300F558069E406AF399DB309C42DB91

Function 05AC1988 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cee39a3389189bd624c7879cb6e3284e4ee427d690322844a3fd71390b8ec7d
Instruction ID: 6484783923881071088e5df651edd4438ef1a837cae094496d0235a5dda471b5
Opcode Fuzzy Hash: 4cee39a3389189bd624c7879cb6e3284e4ee427d690322844a3fd71390b8ec7d
Instruction Fuzzy Hash: ED51A1347101009FD704EB6AE559E697BE3FB8A310F5580AAD50ADF396DF31AC82CB81

Function 05AC1998 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70f65b4dc66854183a2f30b6df0489a406077027a0e8ca49be1d58e78a572a3
Instruction ID: 7f93444f94c26b7971d1dc7b877f32bf461a7e39f26bcabd8b1ee261cfb774d0
Opcode Fuzzy Hash: d70f65b4dc66854183a2f30b6df0489a406077027a0e8ca49be1d58e78a572a3
Instruction Fuzzy Hash: 79516134710100DFD704EB6AE559B6A77E3FB8A310F5580AAD406DF396DE31AC86CB81

Function 05ACDEB7 Relevance: 7.7, Strings: 6, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05ACDE83
$^q, xrefs: 05ACDE8D
$^q, xrefs: 05ACDE22
$^q, xrefs: 05ACDDBF
$^q, xrefs: 05ACDDB5
$^q, xrefs: 05ACDE18

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 258a7008ed1b997747d8f04a348bc382235e57a87cd99ef5aca7fa0d8e2f1077
Instruction ID: 1e6c7c18bc9ce35e1375762d13283399d661f51835473813a058a0f22632cb9a
Opcode Fuzzy Hash: 258a7008ed1b997747d8f04a348bc382235e57a87cd99ef5aca7fa0d8e2f1077
Instruction Fuzzy Hash: 87913330A01248CFDB29CF59C948F69BBB2BB86300F59C5EAD0195F269DB319881CF91

Function 05AC05E0 Relevance: 5.5, Strings: 4, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bq, xrefs: 05AC0B80
Hdq, xrefs: 05AC0794
PH^q, xrefs: 05AC0A84
PH^q, xrefs: 05AC0A72

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hdq$PH^q$PH^q$bq
API String ID: 0-283478574
Opcode ID: 19dc3c36a0f495de8938d218746054aace5781c0764ba391c6f4362baf8676a5
Instruction ID: 5895db640b9ebf637f7b680ff1d9a214350a4ce40ba573372f7aba9fffde6808
Opcode Fuzzy Hash: 19dc3c36a0f495de8938d218746054aace5781c0764ba391c6f4362baf8676a5
Instruction Fuzzy Hash: A3123830A00605CFCB25DF79C554A9EBBB2FF84310F248A6DD416AB7A5DB74E985CB80

Function 05AC0040 Relevance: 3.9, Strings: 3, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05AC008C
$^q, xrefs: 05AC0137
$^q, xrefs: 05AC007E

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: a4122708354b509eef3bdf52c4bdd50bedc802401ad7fb1b5323d26d8c4ff012
Instruction ID: 707a4c9186a6353fbffae307fe00df36b96de75cf10165de88693c5dc43e71c4
Opcode Fuzzy Hash: a4122708354b509eef3bdf52c4bdd50bedc802401ad7fb1b5323d26d8c4ff012
Instruction Fuzzy Hash: 4C418D30708200CFE714DB56E448FAA77E7F785310F5285BADA059F74AEB7598418791

Function 05AC0EB8 Relevance: 3.0, Strings: 2, Instructions: 491
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@Udq, xrefs: 05AC0FB2
@Udq, xrefs: 05AC0F7A

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @Udq$@Udq
API String ID: 0-2037091890
Opcode ID: 3a61de2629ec6d35a0f5e49b1a558ec95d9e94aa037b383666cc8a91c8a093db
Instruction ID: 83aeac873f268fd0a956d2c7245a5843e363f4f49244408b13e330d2104b9659
Opcode Fuzzy Hash: 3a61de2629ec6d35a0f5e49b1a558ec95d9e94aa037b383666cc8a91c8a093db
Instruction Fuzzy Hash: D222C474A00204CFCB14DFA9C594EADBBB2BB88314F2585ADE415AB366DB35ED42CF50

Function 05AC0570 Relevance: 2.8, Strings: 2, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hdq, xrefs: 05AC0794
PH^q, xrefs: 05AC0A72

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hdq$PH^q
API String ID: 0-2750976681
Opcode ID: 7108d67f8728508522d3edd9866678d0d5495e06c0f08648100a1cd09d5a5117
Instruction ID: cc5c88498d0b7a2a75bbb4507cd438d0f711205833fa56e8b6ee0fa83c279e48
Opcode Fuzzy Hash: 7108d67f8728508522d3edd9866678d0d5495e06c0f08648100a1cd09d5a5117
Instruction Fuzzy Hash: 29D15A30A00606CFDB25DF79C544B9EBBB2FF84314F248A6DD4169B6A5DB70E885CB80

Function 05AC05CF Relevance: 2.8, Strings: 2, Instructions: 344COMMON

Download Yara Rule

Strings

Hdq, xrefs: 05AC0794
PH^q, xrefs: 05AC0A72

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hdq$PH^q
API String ID: 0-2750976681
Opcode ID: 188a5ba8b310a56b767aed0c45d2dc64dd427fed24bb9c905c769d2e5d3fbd2b
Instruction ID: 2cc76aa1f5d34058b57bc18e969dd0feaeb83b76eedc85e0e005b7155b572465
Opcode Fuzzy Hash: 188a5ba8b310a56b767aed0c45d2dc64dd427fed24bb9c905c769d2e5d3fbd2b
Instruction Fuzzy Hash: 4BD14A30A00605CFDB25DF79C544B9EBBB2FF84314F248A6DD4169B6A5DB70E985CB80

Function 05AC8EB8 Relevance: 2.7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

Strings

(bq, xrefs: 05AC9092
(&^q, xrefs: 05AC8FD3

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: 86882a5cc6fc14c1de98381934b8bbbd686725877e4bb52e1ba0e2cb4d60fac0
Instruction ID: 1012df676052f874f18484205c1283119edeb8a5c6a471ea5d126451d06856a8
Opcode Fuzzy Hash: 86882a5cc6fc14c1de98381934b8bbbd686725877e4bb52e1ba0e2cb4d60fac0
Instruction Fuzzy Hash: 0E719131F002199FCB15DFB9C850AAEBBF6BF84700F148569E416AB381DF34AD068796

Function 05AC0006 Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

$^q, xrefs: 05AC008C
$^q, xrefs: 05AC0137

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: a0aa0829180b3c6dfab9753a613cd6161489244563911c577bd72d068a9ec46c
Instruction ID: 1c5d191c48b398aa0f47dfb76c3465f16cdd62498f5f14d6c68ac4a38d288942
Opcode Fuzzy Hash: a0aa0829180b3c6dfab9753a613cd6161489244563911c577bd72d068a9ec46c
Instruction Fuzzy Hash: F5410034708200CFD315DB66D848FAA7BF3FB86300F0684BAD9059F296EA759C428792

Function 05AC0EA8 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

@Udq, xrefs: 05AC0F7A

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: @Udq
API String ID: 0-4139025523
Opcode ID: d0e69033e3dd7d74002a8e405d3a8dfc1fa7c466356beed9a6a1a2984a8b76eb
Instruction ID: 5e741231f906c66feaf9b5350dcab5a1e7e108209cd449c9db7260e31c3ef452
Opcode Fuzzy Hash: d0e69033e3dd7d74002a8e405d3a8dfc1fa7c466356beed9a6a1a2984a8b76eb
Instruction Fuzzy Hash: 88B1F574A00204CFDB25CBA9C594AADBBF2BF88314F2585ADE405AB362DB35D941CF50

Function 05AC67B0 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05AC6931

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: c88202d503236cac3084be7189cb2d1f066d11d1437aacb6818c590748f3be88
Instruction ID: d7cacd917c8bfd9082c76c6cfdd258642adf700914cd9999cec440718d2d906e
Opcode Fuzzy Hash: c88202d503236cac3084be7189cb2d1f066d11d1437aacb6818c590748f3be88
Instruction Fuzzy Hash: C1415C34B081018BE754EB69D044FAA7BE3FBC5304F65C168D802AF789CF349D829B92

Function 05ACC33B Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

$^q, xrefs: 05ACC34A

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 5dcc93fbcc4fc6d4783df403293dc448ed623286b29773748974ce51c6e56f0b
Instruction ID: 0d103c809f92c92ff1728d31738cfe36143616a8e7c28d5383c4e117a0080a35
Opcode Fuzzy Hash: 5dcc93fbcc4fc6d4783df403293dc448ed623286b29773748974ce51c6e56f0b
Instruction Fuzzy Hash: E6214F34B04114CFDB48FB69D064A3E37E3FBC9210B518569D906AF39ADE349C429B86

Function 05AC38D8 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfd63f835d1858e839a8db1aa78664406bbc09d1484db2e19a7a1008b8b9021
Instruction ID: ecb04e8436c3e867ed59fdce31141a91423ca4ee4946daac94f959a0222c0929
Opcode Fuzzy Hash: 5dfd63f835d1858e839a8db1aa78664406bbc09d1484db2e19a7a1008b8b9021
Instruction Fuzzy Hash: EBA1F738B00114CFCB04EB69D559AAEBBF3FB89311B55C059E806AB795CF34AD42CB91

Function 05AC5945 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3b492bc74f86cebd3c80c91239312d3986535a5320fdff827a807133512b18
Instruction ID: cfe8a054947e46cb54f3eb1015e4283bacce885a5084bb006b09ead33628de64
Opcode Fuzzy Hash: 1e3b492bc74f86cebd3c80c91239312d3986535a5320fdff827a807133512b18
Instruction Fuzzy Hash: 20A15734A04109CFDB64DB15D598FA97BF2FB49314F2445EAE006AF386CB75A982CF81

Function 05AC99E0 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17151a4ad8935225d72043b8e3595c9cc51b243a96f81bf70aa01ab1734b3466
Instruction ID: fa7276c356e85b2ec5a318d5659c2e58487629afa587d852664b58cd63a65406
Opcode Fuzzy Hash: 17151a4ad8935225d72043b8e3595c9cc51b243a96f81bf70aa01ab1734b3466
Instruction Fuzzy Hash: 48615C34B005159FCB48EB79D558AAE7BF2FFC96017514069E406EB384EF34AC428B96

Function 05AC99D1 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c722c815f0f8caf98deef1f378269d65b0bc8d734a9ade3233612cfcbb04fbac
Instruction ID: bd9c8f1dc78c920a598dd1374162a64676ff6159df1bccd6b9c6452e935633fa
Opcode Fuzzy Hash: c722c815f0f8caf98deef1f378269d65b0bc8d734a9ade3233612cfcbb04fbac
Instruction Fuzzy Hash: BA514B34B042159FDB08EB79D558AAE7BF2FFCD601B514069E806EB394EF34AC428B51

Function 05AC9960 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5b03ea96b64a95854ad8522cd3f4b51ac0e0a4fefba85ac70a1ff45b7860ad
Instruction ID: 6151a4bd09697e2de3cca6e77d99c30cc7316118f1cec3e6358f40311ca2e636
Opcode Fuzzy Hash: 5b5b03ea96b64a95854ad8522cd3f4b51ac0e0a4fefba85ac70a1ff45b7860ad
Instruction Fuzzy Hash: 3E513B34B042159FCB04EB75D558AAE7BF2FF89201B554069E406EB394EF35AC42CF51

Function 05AC6E23 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74282b2617fbaf550261b009658ea328ab8a5581bd39bfd71c530d1dca78f8ac
Instruction ID: 3ad7bb15cf364c572016aeb8fc66c6fa8b60ad692ef39835768be81fa795ce11
Opcode Fuzzy Hash: 74282b2617fbaf550261b009658ea328ab8a5581bd39bfd71c530d1dca78f8ac
Instruction Fuzzy Hash: 49518130B08204CFEB14DB6ED545FBE7FB3FB86310F1980AED105AB695CA7498468B91

Function 05AC29F3 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ec74912ac0a70c2267d09007cd7f164141e67dcfd5e44d109fb982ac52e8c2
Instruction ID: ea64f02ef15db20ec7f5795241861cbff9471068401394dde203a1b6ebb9bcb4
Opcode Fuzzy Hash: 90ec74912ac0a70c2267d09007cd7f164141e67dcfd5e44d109fb982ac52e8c2
Instruction Fuzzy Hash: 9F519034B042449FCB04EB6AD549BADBFE2FF89210F4180AED449EF356DA319945C792

Function 05ACB040 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aadc353355e20a151e014181bac858bed6d978ec142695374c1d563cdae5687
Instruction ID: 493929c66c081129ba587bc2e32fd1e15c815e699711034ffa29307376e318b1
Opcode Fuzzy Hash: 9aadc353355e20a151e014181bac858bed6d978ec142695374c1d563cdae5687
Instruction Fuzzy Hash: 9A51B430204208CFD714DB66D856F6A7BE3FB85304F8085BDD0169F7A6DF71A8498BA1

Function 05AC3C12 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5365038dd51e566119fd5145f4597a053e50d4fb6eeb3c7fd4fe441a834251c
Instruction ID: 2fe1f033c30d600156ff124e0f5e3049bc3d15f78227f7f267afd09171c9c917
Opcode Fuzzy Hash: c5365038dd51e566119fd5145f4597a053e50d4fb6eeb3c7fd4fe441a834251c
Instruction Fuzzy Hash: 85519D30B04114CFDB04EB29D055BAE7BE3FB89310F55C4AAD506AB789CF34AC468B92

Function 05ACBFBB Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b0a5f888db7078ed2e03cf777f1f3ad246fa950f150c25de3d1efd4d1c5625
Instruction ID: 52a10ec12def9368ebc47169d80b65b1e4f4f83940f0a3b7172b7dbf97d873c0
Opcode Fuzzy Hash: e8b0a5f888db7078ed2e03cf777f1f3ad246fa950f150c25de3d1efd4d1c5625
Instruction Fuzzy Hash: 1841BD31B04248CFCB10CB59D452FBEBBB7EB84310F5081AAE4299B745D776A9458FE1

Function 05AC6E50 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9147f4d8ece4b4916449c3e26afc773c3573a526ab773e6319c0ff740719a2cd
Instruction ID: c66e8416d619f2c1bdc9cd61055949c0ab16d9f4af8c0c4f3c7bd5c5c661de23
Opcode Fuzzy Hash: 9147f4d8ece4b4916449c3e26afc773c3573a526ab773e6319c0ff740719a2cd
Instruction Fuzzy Hash: BC416D30A04105CBEB14DB5AD545FAE7BF3FB85310F1880AEE116AB799CB74A8818B91

Function 05ACBFC8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3714ef70f7bb7ae8cd8c89516960e4ad6b358df3ff2a5d4158f37c68edaa8907
Instruction ID: 772602f9b45c3cec01df6b70b0117b189f6a1f844dca6d7126ecef34d802e69e
Opcode Fuzzy Hash: 3714ef70f7bb7ae8cd8c89516960e4ad6b358df3ff2a5d4158f37c68edaa8907
Instruction Fuzzy Hash: BA419C31B04208CFDB10CB59D451FBEBBB7EB84310F5081AAE4299B745DB76A9468FE1

Function 05AC8EA9 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10322ccef2a2ad54b1f24b0dac01ff4b6128252d8d7b6de3a576a600116e754
Instruction ID: cba8b1b9d9f8d95619e6f948481c60ed897fcc74f3c02d146f4e31ca280238cb
Opcode Fuzzy Hash: b10322ccef2a2ad54b1f24b0dac01ff4b6128252d8d7b6de3a576a600116e754
Instruction Fuzzy Hash: 13413F31E0021A9BDB14DFA5C880EEEBBB6BF88700F148169E415B7350EB74A946CB95

Function 05AC3C46 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528b8a73c1096950b30eda865b9da0de10f5a3e9a42a1949e0040772a01bea3f
Instruction ID: 91a4c6bee8c928327365b8f70874c5bd0a3e2a01a1bf2944027460ae00b6dc03
Opcode Fuzzy Hash: 528b8a73c1096950b30eda865b9da0de10f5a3e9a42a1949e0040772a01bea3f
Instruction Fuzzy Hash: 47416C34B00104CFDB04DB29D055BAE7BE3FB89315F55C4AAE50AAB749CF34AC468B92

Function 05AC7003 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f900eda6d877016da69e07597efac35767f61d828bf50e09c91405cefbc63d01
Instruction ID: 63f8359cdaca6f739f375b4739a28856bd5432b3581179d2e8c71efa019e75d7
Opcode Fuzzy Hash: f900eda6d877016da69e07597efac35767f61d828bf50e09c91405cefbc63d01
Instruction Fuzzy Hash: FB415C30A04105CBEB14DB5AD545FBD7BF3FB85311F1880AED106AB699CB7498818B91

Function 05AC3E38 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f6284cc75baf219fcb010fb579b09e03aa44c3e035015652394e259b77cde3
Instruction ID: be1c275f0a879d3eacfdbc7fcb3b8d6a1d880db4714541182eeccee5b0d20bae
Opcode Fuzzy Hash: 72f6284cc75baf219fcb010fb579b09e03aa44c3e035015652394e259b77cde3
Instruction Fuzzy Hash: 3341A1347042018FDB04EB69D944EAB7BF3FB86300F05846AE1169F78ADB349D46CB81

Function 05AC7020 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab96296677a897157177909ca7cbfe6e014f2115226ccc4c1024c5bd696f133
Instruction ID: 87266202d24a497d919d308648b7a589ddf03db0c00073ab4db861d011422187
Opcode Fuzzy Hash: 1ab96296677a897157177909ca7cbfe6e014f2115226ccc4c1024c5bd696f133
Instruction Fuzzy Hash: E9418030B04105CBEB14DB5AD545FBD7BF3FB85314F1880AED116AB699CB74A882CB81

Function 05AC37C3 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ffbe7f38a43b5977db4ea79a50645c9c02ebd4cad0812e76baaaf9608acbd8
Instruction ID: 38fc3c5a64348297ef5214c04e3224dfb23ce3421bf3a0d1e4eafbdf15749046
Opcode Fuzzy Hash: 15ffbe7f38a43b5977db4ea79a50645c9c02ebd4cad0812e76baaaf9608acbd8
Instruction Fuzzy Hash: DE418930B04114CFDB04DB69D405BAE7BE3FB89310F55C4AED90AAB789CB759C468B92

Function 05AC37D0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862d5ea19e0eb92573972b0a188065b901ecf8148657d9a706346d93ee646cdd
Instruction ID: 3b8d0a9e4a1d6f89206433765f8dfd42418dffd528f70afcab76618eab9e9434
Opcode Fuzzy Hash: 862d5ea19e0eb92573972b0a188065b901ecf8148657d9a706346d93ee646cdd
Instruction Fuzzy Hash: DA418B34B04114CBDB04DB29D005BAE7BF3FB89311F55C4AED90AAB745CB759C468B92

Function 05AC3860 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a76334d79271ca53ee7c8f5d00bfbe0e267e1f40795d8642197e13ecf0708e7
Instruction ID: 70524e59d10a29acd51a626392e78ae3cf596619d3cc675a3938b512af0359a2
Opcode Fuzzy Hash: 1a76334d79271ca53ee7c8f5d00bfbe0e267e1f40795d8642197e13ecf0708e7
Instruction Fuzzy Hash: 48414734B00104CFDB04DB29D059BAD7BF3FB89311F55C4AAD50AAB745CB74AC468B81

Function 05AC3839 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92335cded650bc9e7fec1bfa24da46d927ea80cecbcd54143ec3dad9ae28c72d
Instruction ID: 9cb3c1c2689f367fddc793392a3b8189a9ea4df7ec25210baab7b5d8fe52314f
Opcode Fuzzy Hash: 92335cded650bc9e7fec1bfa24da46d927ea80cecbcd54143ec3dad9ae28c72d
Instruction Fuzzy Hash: 15418B34B00114CFDB04DB29D005BAE7BE3FB89311F65C4AAD50AAB745CB34AC468B96

Function 05AC3E48 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba86ebf064bb57483ad5f06d8148b680c5d559b62fdd6cc0f6bf2c5b9c19be5f
Instruction ID: ba4ee68e809a98ed64d8f0850d0b6f0be6333a000a528d8371b5e2b0acee1e96
Opcode Fuzzy Hash: ba86ebf064bb57483ad5f06d8148b680c5d559b62fdd6cc0f6bf2c5b9c19be5f
Instruction Fuzzy Hash: 52417C347041058FDB04EB69E948BAB7BF3FB85300F51886AE1169F789DB74AD468B81

Function 05AC4030 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c659a640f2aba87eb218a8bf6d14f497a98964b95c0aa2710ccf67a22b511a6
Instruction ID: 3116f1aa56289d027be98f0cc1c1aaf419234b1f94c8f8499dfcfd7434d73301
Opcode Fuzzy Hash: 2c659a640f2aba87eb218a8bf6d14f497a98964b95c0aa2710ccf67a22b511a6
Instruction Fuzzy Hash: 6E31C730304205CFCB00DB69D844AAE7BF3FB86300F5089AAE5069F395DF349D469B82

Function 05ACC7D2 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3f0c6592302d4e2d03b596610d06d4de38b19722e904fcda03f57566391321
Instruction ID: 929e431c84590455df3a17f5fb045ff3bf9723e5e7188c62f4f72cae37fbe1d3
Opcode Fuzzy Hash: 6a3f0c6592302d4e2d03b596610d06d4de38b19722e904fcda03f57566391321
Instruction Fuzzy Hash: BB31F13490C380AFDB01CB7898A9AAA3FB1AF03220F0440EFD068EB153DA354D499792

Function 05ACFE40 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb133f3af7000c2b0e171baabee0d61cbfcda34064a3385fe912f23f8be0b1f
Instruction ID: 89101a742dd12c2d93536064b29736452392b7cb83bf08bbea660f14904dda3c
Opcode Fuzzy Hash: afb133f3af7000c2b0e171baabee0d61cbfcda34064a3385fe912f23f8be0b1f
Instruction Fuzzy Hash: 5E2137312056459FCB01DB689880CA6BFAAEF47310319D0E6F819CF117DA31E847C7A0

Function 05AC2A80 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6a7e3ee7175356c3c1a40dde334a82dca12a165316c210e589c9d96ccbad00
Instruction ID: eb22bbcb69dffa154ef461705fb91edff10841d6f17cc224cdd3f10710411043
Opcode Fuzzy Hash: df6a7e3ee7175356c3c1a40dde334a82dca12a165316c210e589c9d96ccbad00
Instruction Fuzzy Hash: 72318F34B001158FCB04EF6AD9999AEBBF2FFC9210B51806DC809EB355EE319D459B91

Function 05ACC1F0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a1d68b7e77ee1edb3129eabd8c9954f51f0ac805b6c02600dff789977fd654
Instruction ID: 37f9e66002cddffcaf2a49a513cca4e9fb2ea68f90c2c325cb0de6a7165fe47a
Opcode Fuzzy Hash: 71a1d68b7e77ee1edb3129eabd8c9954f51f0ac805b6c02600dff789977fd654
Instruction Fuzzy Hash: FE219334B10114DFDB08BB79D068A6E37E3FBC9310F518469E907AB395DE355C428B86

Function 05AC93F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2997392dea1043c450968c3e891d9c8c3d8acaa479c6ac9e16e21b40ab434523
Instruction ID: a8e32a4b087cae526be1024cdbd3712b337a76281893679fd6c032d32abd2409
Opcode Fuzzy Hash: 2997392dea1043c450968c3e891d9c8c3d8acaa479c6ac9e16e21b40ab434523
Instruction Fuzzy Hash: 7121AF397041008FD714AB69E118EBA7FE7E7C6311F1580FAEA0ACB345DB34A842DB81

Function 05ACFCEB Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4807bd9e71968b48e82749656d2b25ccd06078cd1f603c60a67bdf9680d97b
Instruction ID: fe1dae006f0acbbd08a177c26045e51947d5c9fc763797721837cbc56f8b9d84
Opcode Fuzzy Hash: df4807bd9e71968b48e82749656d2b25ccd06078cd1f603c60a67bdf9680d97b
Instruction Fuzzy Hash: E521A130208205CFD31ACB29D544FA67FB7EB82318F54C1EBE8158B669D775AC46C7A1

Function 05AC9098 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af3c1f5abedd51690564930949b4eae640535412417c1d4a13460e21c3f1101
Instruction ID: e22313aec76e03d0d6011babf96a632030e6c36295e5c3bc5fea04cc090160f5
Opcode Fuzzy Hash: 9af3c1f5abedd51690564930949b4eae640535412417c1d4a13460e21c3f1101
Instruction Fuzzy Hash: A41126717082546FCB06AF79581596F3FEBEBC5250B10446AE505C73D2CF348D0293A2

Function 05ACC381 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5251c979e586b6ea57761b4df21149fe80d6c99757e198a4dc34982366f3b9
Instruction ID: e384d8de8f4bb2c0f267986652bb81b076ff75a9834a84e0c0fa9ca08b7c8bd1
Opcode Fuzzy Hash: 2a5251c979e586b6ea57761b4df21149fe80d6c99757e198a4dc34982366f3b9
Instruction Fuzzy Hash: 4A215C34B141108FDB49BB69D069A3E37E3FB89700B518569E807EF389CE349D029B86

Function 05AC03B3 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262c8d0b616af1b657406bb238645455712e37ac091ed3bd8caebf52f5c06d0f
Instruction ID: 4a85d0e8ec246aebc85519d467b8c15d99b07e4c8314782c233d2691ffc69809
Opcode Fuzzy Hash: 262c8d0b616af1b657406bb238645455712e37ac091ed3bd8caebf52f5c06d0f
Instruction Fuzzy Hash: 47210720304644AFD309AB78981556DBFA6FFC2210B4580A9E459DB382EE316D0E87E2

Function 05AC27D1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cab551b81a6e8dc82f12dd9c50d26db800878b402d79a33c77d450c293a0560
Instruction ID: 433eb7db7db0fb34711ca0e452a5babd655a741356272c9b59741066337f426f
Opcode Fuzzy Hash: 9cab551b81a6e8dc82f12dd9c50d26db800878b402d79a33c77d450c293a0560
Instruction Fuzzy Hash: 0021BC38904208DFDB08DF68C489BADBFF2FF45310F1080EDD845AB281DB7159969B82

Function 05ACBEE8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471e5afe7f4d5b2ac9e4668f30b648e18c6b387aca3e441b7d7653116817ce82
Instruction ID: 081571c8fc438dd9cf53d28a0cf31e6af96cbb1bf2736ca4eb39a63a5e577bd9
Opcode Fuzzy Hash: 471e5afe7f4d5b2ac9e4668f30b648e18c6b387aca3e441b7d7653116817ce82
Instruction Fuzzy Hash: 46118431918159CFC711861A9546F3A3FB79787210FCA80FAD5169B652C676CC828FF2

Function 05AC1820 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9981b5447e95e6d303d247bc6a9eae62d20302f5eb598a80b06cd7dc4bb907ff
Instruction ID: 970138c3651b427314a5e8574ccca382b2258ab5bc50fa4fd52dbbaca6d477b4
Opcode Fuzzy Hash: 9981b5447e95e6d303d247bc6a9eae62d20302f5eb598a80b06cd7dc4bb907ff
Instruction Fuzzy Hash: 52213430704A008FD724DF19D584E62FBE6FF84324F05CAA9D45A8BAA2D770E885CB80

Function 05ACFCF8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cb3251aa659bd2c6202adf7fcbcf00abad8cf7de301af51abb64c8d8594e5c
Instruction ID: eb8452c457219416ca14f23cf5c500aaff8b018fcf009173df0b74891a6ad45b
Opcode Fuzzy Hash: a0cb3251aa659bd2c6202adf7fcbcf00abad8cf7de301af51abb64c8d8594e5c
Instruction Fuzzy Hash: FF216D30204205CFD319CF1AD544FA67BB7FB82318F54C5EBE8158B669D775A882CBA1

Function 05AC2708 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9227446910548db707c07f43cfd7da908d8eaa3f443a8ba477fa3f893e4ad692
Instruction ID: 13e15dcbce4516f386406c803a8bf15f9fe97f0b0556410a1e2ba3f120003c45
Opcode Fuzzy Hash: 9227446910548db707c07f43cfd7da908d8eaa3f443a8ba477fa3f893e4ad692
Instruction Fuzzy Hash: 52219D346002059FC704EB38C585AAEBBE5EF84310B14846DD459DB360EB34EA4ACB90

Function 05AC18F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a42807d6adb9cf21b056c9398109fc8ed39feec5245874e0a0e009251d9169
Instruction ID: 18363008f902efe9da76361da70f697814af58fc777b5dce0b0c396b44ff1123
Opcode Fuzzy Hash: 58a42807d6adb9cf21b056c9398109fc8ed39feec5245874e0a0e009251d9169
Instruction Fuzzy Hash: E81130753042409FD724CB29D888E56BFF9FF89314B5585ADE44ACB263D730E846CB50

Function 05ACFE10 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c49ba541b803ecae5fda69d9f2c10492f31bee99602792af2d808f2e4561a0
Instruction ID: 934e85f0f9d3e1ab9b1d8319c2a0b4e9ec9935409e6da32c3d82b2fedf919595
Opcode Fuzzy Hash: 93c49ba541b803ecae5fda69d9f2c10492f31bee99602792af2d808f2e4561a0
Instruction Fuzzy Hash: 72117031109645AFCB01EF69D8D485ABFAAEF87314309C1DAE8499F117DA35E84ACB60

Function 05AC9341 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1ff2b91df5e1acdd1db12a643988a13fe82ceda996e2360ca31896082c3835
Instruction ID: 52a0438aea22be0faa79eec9f394209034e5b0aaaf56e6d46e626d3dc3b62294
Opcode Fuzzy Hash: 7c1ff2b91df5e1acdd1db12a643988a13fe82ceda996e2360ca31896082c3835
Instruction Fuzzy Hash: EF1114B28002499FCB10CF99C944AEEBFF5EB48320F15845DE564A7360C739A554DFA5

Function 05ACC631 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb161848ed7f908921cc6021365e3a3828d8d69fca3617724363203c1ff68929
Instruction ID: 5b1563efc7cef089a880b510ec04d6d1787871657ad3690a5a3cdcf82c446b1e
Opcode Fuzzy Hash: eb161848ed7f908921cc6021365e3a3828d8d69fca3617724363203c1ff68929
Instruction Fuzzy Hash: BD212934B04104CFE704BB65D068A6A7BE3FB89310F558569E8169F39ADE349C429B81

Function 05AC2718 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935134522aee98680c65349e50981baae8ba313f8baf51d152b3b20a81b0969f
Instruction ID: d090ad81b77a6ad5520beea190cad79dce465ba26492757065fdf4ad4806073a
Opcode Fuzzy Hash: 935134522aee98680c65349e50981baae8ba313f8baf51d152b3b20a81b0969f
Instruction Fuzzy Hash: 12114C346002059FC704EB39C585AAEBBE9EF84310B54C429D859DB364EF70EA4ACB91

Function 05AC8B00 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5940621b35cacef61aa2f1029407d8039411493b53c0926632a8b50ecffa8c
Instruction ID: 83eaf9dddff1bb567c0f3af1f66d9c24bfdbf454829f4419ac91bf516cba21e5
Opcode Fuzzy Hash: 4a5940621b35cacef61aa2f1029407d8039411493b53c0926632a8b50ecffa8c
Instruction Fuzzy Hash: C71123B2800249DFCB10DF99C944BEEBFF5EF48320F148459E958A7250C379A990DFA5

Function 05ACC471 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ce0ffdfdbde32808d908c43b58bbc3802a9caf525dae84c72de7de53fbe3da
Instruction ID: a86c56e8c49b46040bf3795dc48ddbec9889710d07b9488f50b3c8abcb132356
Opcode Fuzzy Hash: 33ce0ffdfdbde32808d908c43b58bbc3802a9caf525dae84c72de7de53fbe3da
Instruction Fuzzy Hash: 96115E34B04114CFDB04BB65D164A2E37E3FBC9300B518569E906AB389DE345C429B86

Function 05AC0C50 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d7295101f7276171c11b2b1ae12c6f22d041346ec8e2ce94e673fb0fbe73f4
Instruction ID: 74c230c079b7b0367e914d3d72639185bfadeb4268dd3057744303afb8664e55
Opcode Fuzzy Hash: 69d7295101f7276171c11b2b1ae12c6f22d041346ec8e2ce94e673fb0fbe73f4
Instruction Fuzzy Hash: 4E015A397042008FC7109F69D888E2BBBFAFBC8365B155469F949DB361DA31EC018B90

Function 05AC03E0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859b941ecbf1bb436f9063f3e8158c80aa0bd8facb1fb17f03bb7d4697797f78
Instruction ID: 2ff111ab55ecb328d7dc7a86238e25df48a6ed78150730b34f6ff455ac131d81
Opcode Fuzzy Hash: 859b941ecbf1bb436f9063f3e8158c80aa0bd8facb1fb17f03bb7d4697797f78
Instruction Fuzzy Hash: AB01E530300600AFD608EB69D85297EB7A2FBC2210790842CE8169B385EE71BD0F47D2

Function 05AC9560 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49325d69f2a16fefe53be497ab9a5e7d4a2253b4baff173a24fa71ec317cd728
Instruction ID: 1ed605ea8cd8739fcb75c6f6a29dc2382a1c95530e4c5dfac8f25d1bcf369cba
Opcode Fuzzy Hash: 49325d69f2a16fefe53be497ab9a5e7d4a2253b4baff173a24fa71ec317cd728
Instruction Fuzzy Hash: 6A11653694D28CDFCB02EBF8CD1449E7FB19F4620070545E7D548EB262E9358E24A792

Function 05AC1441 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efd8af58f6cb898f53c2dd1c153252ae3314d3743922ac930a948e843474cc5
Instruction ID: a0ca91cedf2f3c7847616f7c7376391424c339874afd8bc79b7f4c468a408cd5
Opcode Fuzzy Hash: 0efd8af58f6cb898f53c2dd1c153252ae3314d3743922ac930a948e843474cc5
Instruction Fuzzy Hash: 41111970A00204CFDB25DBB5C584BACBBB2BB44315F6449ADD502AB262CB35DC82CF10

Function 05ACAF20 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe99f4f6d8550660aecf8fc20264bebd65e2c48ca9a36636143a816730e025c2
Instruction ID: be91db261eac3bde9810c5c3618d410946644335c4beb20db3702d5d8708c30d
Opcode Fuzzy Hash: fe99f4f6d8550660aecf8fc20264bebd65e2c48ca9a36636143a816730e025c2
Instruction Fuzzy Hash: 95112BB090460CDFDB04DF6AD588B68BFF2BB45304F5481FED419AB256EB3459809B82

Function 05AC0C60 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b9783dc265e3fc54d857e3014cad518f058d975d922d999baa98ad825e5f94
Instruction ID: 1adac4fe18baca3394651da55eb6eaf56c405f50a89aaeb5136264bf322f9c1e
Opcode Fuzzy Hash: f7b9783dc265e3fc54d857e3014cad518f058d975d922d999baa98ad825e5f94
Instruction Fuzzy Hash: E3014B393042018FC714CF69D888D2BBBEAFBCD2657154469F989DB361DA31EC018B90

Function 05AC6D40 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7709c87a33693f52f10ffbcdb891c6a162efa0f5cd496dc072e92c14a3608fd
Instruction ID: 6ecf6c5c6f89524fc048c57d8934f91d008b87690e9327de0a8ed588c222c6ab
Opcode Fuzzy Hash: f7709c87a33693f52f10ffbcdb891c6a162efa0f5cd496dc072e92c14a3608fd
Instruction Fuzzy Hash: 53017C71F045248FC755EBADD014AAE7BF2FB89311F51806AE21AEB744DE348D06CBA1

Function 05ACAF30 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327b6cedbcd3f4beae78b36e882f14f87e0c0250a9544b944a43661d5778c673
Instruction ID: 6cc1e2e45476607e0f0ea234b7e33d8cb5e8963c50f35c84fd4249bbed65ea23
Opcode Fuzzy Hash: 327b6cedbcd3f4beae78b36e882f14f87e0c0250a9544b944a43661d5778c673
Instruction Fuzzy Hash: C911E5B0D0460CDFDB00DF9AD588BADBFF2BB48305F5081FAD009AA615DB305A819B82

Function 05AC6D50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d75bde95a19f522409ab050059e097ae5f47b902a8589b378f94b14578fc84
Instruction ID: 5278f3358616bc5990c87ab31cfde2eee232ee19f988c65f29da60f390254816
Opcode Fuzzy Hash: a6d75bde95a19f522409ab050059e097ae5f47b902a8589b378f94b14578fc84
Instruction Fuzzy Hash: 6CF08171B041148FC744EB6DD4046AF7BF6FB89311F514029E50AEB345EE349D01CBA1

Function 05ACB36F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33bb02bcb5a06daa74375b48cd8598b2f256b6881f9f6bcc23792d20ce27fb93
Instruction ID: 44b3e6ec2d6cb7203d87cc79dd1b438c61c82ca58fbde5218b88d5f7b977c54a
Opcode Fuzzy Hash: 33bb02bcb5a06daa74375b48cd8598b2f256b6881f9f6bcc23792d20ce27fb93
Instruction Fuzzy Hash: 15F0C82140E3CC9FC71297B49D1A99D3FB59F43100B1544DBE458EF1A3E9794D1493B6

Function 05AC9500 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e7abcae03cbd2a54d10b98fa83e5557f4674ad83c3d1e30ddffd3810683b6b
Instruction ID: d622beeb685695a59aad7395d7a209451c1127507f4cf4512babe5292437213b
Opcode Fuzzy Hash: f0e7abcae03cbd2a54d10b98fa83e5557f4674ad83c3d1e30ddffd3810683b6b
Instruction Fuzzy Hash: DCE09B6190424C9EC7019774894489B7FBD9B46200B0015DED615DB252EA365E195397

Function 05AC8710 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2195da1dfc75d68fc75fcf55491fb8641a70f027285b6519d70aa4fda06dfe
Instruction ID: 9d6e1b304e7dbd10ad7ea132c7a9bd213f8c377c0dc613d1a744331b897f2ddd
Opcode Fuzzy Hash: 3e2195da1dfc75d68fc75fcf55491fb8641a70f027285b6519d70aa4fda06dfe
Instruction Fuzzy Hash: 58E04871615245AFCB058B54CC40CF5BF6EFB86250705C0DFFD64A7622D6729C1287A0

Function 05AC8861 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1c723454955ce54e60492a3e4e0bf6f995735ac7268912a23147f8c667620c
Instruction ID: ffc90de18b51486d4abc439e459cc916ec45487934fcc16ba3142b2068b9e9f1
Opcode Fuzzy Hash: 5e1c723454955ce54e60492a3e4e0bf6f995735ac7268912a23147f8c667620c
Instruction Fuzzy Hash: D3E08631A04105AFC305C6549800CB57F2AFAD6260B14C0EBBC15CB752D677DC028790

Function 05ACD071 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6c0dc84c155635b521ea58330fa4a862c50c316b1a6d4a75f160242284635b
Instruction ID: b34d44e48f612bbfc36b867aef3e33bea1738a756fb106a5d227694026ecc0d9
Opcode Fuzzy Hash: ec6c0dc84c155635b521ea58330fa4a862c50c316b1a6d4a75f160242284635b
Instruction Fuzzy Hash: B1F0B234A4024ACFDB14DF04D594FA9BBB3BB49310F5482E8E1296F645C734AD85EF90

Function 05AC8E78 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ce0c135077957ac2ad99662d94474ad66f5f6135e88603776ee99663c78bca
Instruction ID: 79db67d054f234e0897eec6cc37713f70b575ccb9b4cde9adb4cb7a5694fd499
Opcode Fuzzy Hash: c2ce0c135077957ac2ad99662d94474ad66f5f6135e88603776ee99663c78bca
Instruction Fuzzy Hash: 15E08C31604260AFD3169B48D8108B8BF64FF96390318C0AFEC58CB312C632CD0287E1

Function 05ACB3D7 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef276ec624cad0d5b0a42aa9e2e430364536c48f0d0f990b32e0fdc020842b6
Instruction ID: 3e3fd26360320aa44224319e9f00757a495304b3f58e647fb5c45a5a20a54097
Opcode Fuzzy Hash: fef276ec624cad0d5b0a42aa9e2e430364536c48f0d0f990b32e0fdc020842b6
Instruction Fuzzy Hash: 4CE0C22244D7C55FCB1283B06D572E83FA19A12211B8D01EBF0588A6E3D94D440A9721

Function 05AC7571 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cd2c1890951a69a5f4b9f5636fea1cd28081296fca1f295fa2713dcb6d9bf0
Instruction ID: a1eb32999f10c27d79694efa5c30b8ca211fbf393e5999a5c860d06af980d805
Opcode Fuzzy Hash: c9cd2c1890951a69a5f4b9f5636fea1cd28081296fca1f295fa2713dcb6d9bf0
Instruction Fuzzy Hash: DED01231610218AB8B04DE98D841CE6FB6AEB85260744C05EFD5597610C772ED12CBD0

Function 05AC6689 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3598751af3f7bd1d37e4c3ab39595e1d8cbe0709b855def3253839251bf23a
Instruction ID: 6a741f97f21954fd25fc5ccf94094d3830178c803517d4ca99fcbbe5b3198027
Opcode Fuzzy Hash: ab3598751af3f7bd1d37e4c3ab39595e1d8cbe0709b855def3253839251bf23a
Instruction Fuzzy Hash: 58E04F30B04104DFE708DBAAE445FAA7BF3FB8A305F55C069E202AB649DB3454428F59

Function 05ACB3C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3b265433da4a05075db8ae56d9b7625f973dc264dd30aeb514bbeef1541746
Instruction ID: f80baff57d5ff30c2c1182a3a9c688b95c81d3beda084bd178eb3c732e56170e
Opcode Fuzzy Hash: 9b3b265433da4a05075db8ae56d9b7625f973dc264dd30aeb514bbeef1541746
Instruction Fuzzy Hash: 69D0A776D4A5455FC306C2D0DD529647F59DBD3254B1842DAD019CFB57C9379C034261

Function 05AC9510 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d1a4ffa4cf8358e9e72661a5162c0c3885173205694e9b35b7e28484508156
Instruction ID: 5e5b7d95243a5e38a11a5f8622cb8921ffda8c0507a75ec5ca24d5a15b5cd1d0
Opcode Fuzzy Hash: 29d1a4ffa4cf8358e9e72661a5162c0c3885173205694e9b35b7e28484508156
Instruction Fuzzy Hash: 03D05E3194020CEB8B00EBA8890444EB7E99B49100B0005A58908D7210E9328E105782

Function 05AC8720 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01121f2c778aaa955698064ff843d2996bee34fc2f5530b77e7ea5e79a423cb0
Instruction ID: 1b0a6f6d896694a697788613f5e5355b62e48349d74697ae87246d03dd23ea49
Opcode Fuzzy Hash: 01121f2c778aaa955698064ff843d2996bee34fc2f5530b77e7ea5e79a423cb0
Instruction Fuzzy Hash: 05D0C936200118BF9B04DE88DC41CAABB6EEB89660714C05FFD1887311CAB3ED22DBD0

Function 05AC8E88 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0

Function 05AC8870 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0

Function 05AC6B73 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc311ba24b4aa8a0dc785e734ddfd1fedd7a00eefab56504aa1416550bda0be6
Instruction ID: f5aaca601f0d844a07d413a838ff85304c777249c33e18895e05b4a6c4fe34be
Opcode Fuzzy Hash: bc311ba24b4aa8a0dc785e734ddfd1fedd7a00eefab56504aa1416550bda0be6
Instruction Fuzzy Hash: A3C0126915E3D28FC7021FA464548943F75141B22430E53C3E4A8CB9E3C91142159316

Function 05AC7780 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05ACB3D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4

Function 05ACB3F0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3e87a7eacd9e5fa355897d8b122c8ec8f766adba69aa4b17867d9276680f1a
Instruction ID: 7d66dad73e26e92c30049225488b40b3f9997be24a22fea2db04402bc8809436
Opcode Fuzzy Hash: cf3e87a7eacd9e5fa355897d8b122c8ec8f766adba69aa4b17867d9276680f1a
Instruction Fuzzy Hash: D4B0123205430953D5101285E80B7707B4D8B01715F001031B10C4C5C28C4950101455

Function 05AC6B80 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1846937102.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5ac0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f38b1bb0639dfbe257feb2fa0ab823b928275443961539bcabfe73bea905bee
Instruction ID: 0fdecd2ee4d8b355c30158c2f53399429f6635680faeb487eb60db0457d6ac2a
Opcode Fuzzy Hash: 9f38b1bb0639dfbe257feb2fa0ab823b928275443961539bcabfe73bea905bee
Instruction Fuzzy Hash: 7A90027305461DCB46402795740A555BB9C96445257849051B50D81E025E6564105596

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Zam.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zam.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ymvnpo.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bu2gr1mn.cvq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cooi1fkd.1t1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dvk42joq.azs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfhbddxc.nhj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2iewkag.5dv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r35n0t0k.5ta.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xdnjen1i.ogt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yszadek5.m4r.ps1

C:\Users\user\AppData\Local\Temp\tmpBA4E.tmp

C:\Users\user\AppData\Local\Temp\tmpD037.tmp

Windows Analysis Report
Zam.exe

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre