Edit tour

Windows Analysis Report
tnbws7pyQvMUSjF.exe

Overview

General Information

Sample name:	tnbws7pyQvMUSjF.exe
Analysis ID:	1527842
MD5:	17a1259bd9c1cb80ac8d105d513bed7f
SHA1:	cae2ad2f6a8055ad2145e25324d29033fe1133ae
SHA256:	03b5cfab3f0ffdf96e415006004be9a0c05e6365e1d5834984cfd5cea9df85fe
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: CMSTP Execution Process Creation

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

tnbws7pyQvMUSjF.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe" MD5: 17A1259BD9C1CB80AC8D105D513BED7F)

powershell.exe (PID: 7832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8040 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

tnbws7pyQvMUSjF.exe (PID: 7840 cmdline: "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe" MD5: 17A1259BD9C1CB80AC8D105D513BED7F)

tnbws7pyQvMUSjF.exe (PID: 7856 cmdline: "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe" MD5: 17A1259BD9C1CB80AC8D105D513BED7F)

explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmstp.exe (PID: 8172 cmdline: "C:\Windows\SysWOW64\cmstp.exe" MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)

cmd.exe (PID: 7216 cmdline: /c del "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.xhibitonenotary.info/t18n/"], "decoy": ["tmusicoregon.net", "atici.online", "j7u7.xyz", "iewunucierwuerwnziqi1.info", "ruvabetgiris.website", "acik.lat", "obsk.top", "sphaltpaving-ttp1-shd-us-2.shop", "ispensarynearme.news", "b3nd.bond", "urelook.xyz", "gearlpfbm.top", "aconstructionjob.bond", "killsnexis.info", "oshon.xyz", "ashabsxw.top", "ussiatraiding.buzz", "raipsehumus.homes", "6ae23rx.forum", "edar88vvip.shop", "47-nurse-92864.bond", "p4g6.xyz", "kymacaw.net", "amedepot.shop", "hekindclub.net", "remiumpetsupplies.net", "enisekran.xyz", "pacerpa.shop", "milelab.pro", "mlibertypac.net", "yflume.net", "lecrtort.net", "destramentoemcasa.shop", "atubri.info", "hop-gb.sbs", "entalcar-onlineservices.lol", "aylocnuocionkiem.website", "oliticsclickour.xyz", "eo-company-abc.online", "efoplin.xyz", "ndisec.net", "ain-relief-728.xyz", "essislotgoal14.xyz", "1ngg4hdiwt5.shop", "avada-ga-20.press", "earing-tests-49842.bond", "dnusaunni05.sbs", "sim-for-travel.today", "lotehupi.shop", "bresz.xyz", "ozyjtmt.christmas", "awersip.xyz", "unihbahis.net", "ndustrialrichmond.best", "isdom-sol.xyz", "iden-paaaa.buzz", "32xa544mg.autos", "ental-health-89041.bond", "uylevothyroxine.online", "olar-installer-job-at-de2.today", "usiness-phone-systems-6543.bond", "77.info", "enaydereli.xyz", "pjn.xxx"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b8091:$a1: 3C 30 50 4F 53 54 74 09 40 0x2e64b1:$a1: 3C 30 50 4F 53 54 74 09 40 0x3138d1:$a1: 3C 30 50 4F 53 54 74 09 40 0x2ce9d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2fcdf0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x32a210:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2bc80f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2eac2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x31804f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2c76f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x2f5b17:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x322f37:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2bb748:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2bb9c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2e9b68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2e9de2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x316f88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x317202:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2c74f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2f5915:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x322d35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2c6fe1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2f5401:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x322821:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2c75f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2f5a17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x322e37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2c776f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2f5b8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x322faf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2bc3da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2ea7fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x317c1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2ca659:$sqlite3step: 68 34 1C 7B E1 0x2ca76c:$sqlite3step: 68 34 1C 7B E1 0x2f8a79:$sqlite3step: 68 34 1C 7B E1 0x2f8b8c:$sqlite3step: 68 34 1C 7B E1 0x325e99:$sqlite3step: 68 34 1C 7B E1 0x325fac:$sqlite3step: 68 34 1C 7B E1 0x2ca688:$sqlite3text: 68 38 2A 90 C5 0x2ca7ad:$sqlite3text: 68 38 2A 90 C5 0x2f8aa8:$sqlite3text: 68 38 2A 90 C5 0x2f8bcd:$sqlite3text: 68 38 2A 90 C5 0x325ec8:$sqlite3text: 68 38 2A 90 C5 0x325fed:$sqlite3text: 68 38 2A 90 C5 0x2ca69b:$sqlite3blob: 68 53 D8 7F 8C 0x2ca7c3:$sqlite3blob: 68 53 D8 7F 8C 0x2f8abb:$sqlite3blob: 68 53 D8 7F 8C 0x2f8be3:$sqlite3blob: 68 53 D8 7F 8C 0x325edb:$sqlite3blob: 68 53 D8 7F 8C 0x326003:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: tnbws7pyQvMUSjF.exe PID: 7664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tnbws7pyQvMUSjF.exe PID: 7664	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3490c:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: tnbws7pyQvMUSjF.exe PID: 7856	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x130:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmstp.exe PID: 8172	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9842f:$a1: 3C 30 50 4F 53 54 74 09 40 0x1b13ac:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f052f:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x75e71:$a1: 3C 30 50 4F 53 54 74 09 40 0xa4291:$a1: 3C 30 50 4F 53 54 74 09 40 0xd16b1:$a1: 3C 30 50 4F 53 54 74 09 40 0x8c7b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xbabd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xe7ff0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7a5ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xa8a0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xd5e2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x854d7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xb38f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xe0d17:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x79528:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x797a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7948:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7bc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd4d68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd4fe2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x852d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb36f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe0b15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x84dc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb31e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe0601:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x853d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb37f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe0c17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8554f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb396f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe0d8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7a1ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa85da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd59fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x88439:$sqlite3step: 68 34 1C 7B E1 0x8854c:$sqlite3step: 68 34 1C 7B E1 0xb6859:$sqlite3step: 68 34 1C 7B E1 0xb696c:$sqlite3step: 68 34 1C 7B E1 0xe3c79:$sqlite3step: 68 34 1C 7B E1 0xe3d8c:$sqlite3step: 68 34 1C 7B E1 0x88468:$sqlite3text: 68 38 2A 90 C5 0x8858d:$sqlite3text: 68 38 2A 90 C5 0xb6888:$sqlite3text: 68 38 2A 90 C5 0xb69ad:$sqlite3text: 68 38 2A 90 C5 0xe3ca8:$sqlite3text: 68 38 2A 90 C5 0xe3dcd:$sqlite3text: 68 38 2A 90 C5 0x8847b:$sqlite3blob: 68 53 D8 7F 8C 0x885a3:$sqlite3blob: 68 53 D8 7F 8C 0xb689b:$sqlite3blob: 68 53 D8 7F 8C 0xb69c3:$sqlite3blob: 68 53 D8 7F 8C 0xe3cbb:$sqlite3blob: 68 53 D8 7F 8C 0xe3de3:$sqlite3blob: 68 53 D8 7F 8C
0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe5a91:$a1: 3C 30 50 4F 53 54 74 09 40 0x113eb1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1412d1:$a1: 3C 30 50 4F 53 54 74 09 40 0xfc3d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x12a7f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x157c10:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xea20f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x11862f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x145a4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xf50f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x123517:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x150937:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xe9148:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe93c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x117568:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1177e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x144988:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x144c02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf4ef5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x123315:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x150735:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf49e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x122e01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x150221:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf4ff7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x123417:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x150837:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf516f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x12358f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1509af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe9dda:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1181fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14561a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xf8059:$sqlite3step: 68 34 1C 7B E1 0xf816c:$sqlite3step: 68 34 1C 7B E1 0x126479:$sqlite3step: 68 34 1C 7B E1 0x12658c:$sqlite3step: 68 34 1C 7B E1 0x153899:$sqlite3step: 68 34 1C 7B E1 0x1539ac:$sqlite3step: 68 34 1C 7B E1 0xf8088:$sqlite3text: 68 38 2A 90 C5 0xf81ad:$sqlite3text: 68 38 2A 90 C5 0x1264a8:$sqlite3text: 68 38 2A 90 C5 0x1265cd:$sqlite3text: 68 38 2A 90 C5 0x1538c8:$sqlite3text: 68 38 2A 90 C5 0x1539ed:$sqlite3text: 68 38 2A 90 C5 0xf809b:$sqlite3blob: 68 53 D8 7F 8C 0xf81c3:$sqlite3blob: 68 53 D8 7F 8C 0x1264bb:$sqlite3blob: 68 53 D8 7F 8C 0x1265e3:$sqlite3blob: 68 53 D8 7F 8C 0x1538db:$sqlite3blob: 68 53 D8 7F 8C 0x153a03:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: CMSTP Execution Process Creation

Source: Process started

Author: Nik Seetharaman: Data: Command: /c del "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe", CommandLine: /c del "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\cmstp.exe", ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 8172, ParentProcessName: cmstp.exe, ProcessCommandLine: /c del "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe", ProcessId: 7216, ProcessName: cmd.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe", ParentImage: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe, ParentProcessId: 7664, ParentProcessName: tnbws7pyQvMUSjF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe", ProcessId: 7832, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe", ParentImage: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe, ParentProcessId: 7664, ParentProcessName: tnbws7pyQvMUSjF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe", ProcessId: 7832, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tnbws7pyQvMUSjF.exe

Avira: detected

Found malware configuration

Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.xhibitonenotary.info/t18n/"], "decoy": ["tmusicoregon.net", "atici.online", "j7u7.xyz", "iewunucierwuerwnziqi1.info", "ruvabetgiris.website", "acik.lat", "obsk.top", "sphaltpaving-ttp1-shd-us-2.shop", "ispensarynearme.news", "b3nd.bond", "urelook.xyz", "gearlpfbm.top", "aconstructionjob.bond", "killsnexis.info", "oshon.xyz", "ashabsxw.top", "ussiatraiding.buzz", "raipsehumus.homes", "6ae23rx.forum", "edar88vvip.shop", "47-nurse-92864.bond", "p4g6.xyz", "kymacaw.net", "amedepot.shop", "hekindclub.net", "remiumpetsupplies.net", "enisekran.xyz", "pacerpa.shop", "milelab.pro", "mlibertypac.net", "yflume.net", "lecrtort.net", "destramentoemcasa.shop", "atubri.info", "hop-gb.sbs", "entalcar-onlineservices.lol", "aylocnuocionkiem.website", "oliticsclickour.xyz", "eo-company-abc.online", "efoplin.xyz", "ndisec.net", "ain-relief-728.xyz", "essislotgoal14.xyz", "1ngg4hdiwt5.shop", "avada-ga-20.press", "earing-tests-49842.bond", "dnusaunni05.sbs", "sim-for-travel.today", "lotehupi.shop", "bresz.xyz", "ozyjtmt.christmas", "awersip.xyz", "unihbahis.net", "ndustrialrichmond.best", "isdom-sol.xyz", "iden-paaaa.buzz", "32xa544mg.autos", "ental-health-89041.bond", "uylevothyroxine.online", "olar-installer-job-at-de2.today", "usiness-phone-systems-6543.bond", "77.info", "enaydereli.xyz", "pjn.xxx"]}

Multi AV Scanner detection for submitted file

Source: tnbws7pyQvMUSjF.exe	ReversingLabs: Detection: 60%
Source: tnbws7pyQvMUSjF.exe	Virustotal: Detection: 66%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: tnbws7pyQvMUSjF.exe

Joe Sandbox ML: detected

Source: tnbws7pyQvMUSjF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tnbws7pyQvMUSjF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cmstp.pdbGCTL source: tnbws7pyQvMUSjF.exe, 00000006.00000002.1472918784.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, tnbws7pyQvMUSjF.exe, 00000006.00000002.1474929284.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3847506565.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: ckcA.pdb source: tnbws7pyQvMUSjF.exe
Source:	Binary string: wntdll.pdbUGP source: tnbws7pyQvMUSjF.exe, 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.1475234081.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.1472898863.0000000004865000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tnbws7pyQvMUSjF.exe, tnbws7pyQvMUSjF.exe, 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000009.00000003.1475234081.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.1472898863.0000000004865000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ckcA.pdbSHA256 source: tnbws7pyQvMUSjF.exe
Source:	Binary string: cmstp.pdb source: tnbws7pyQvMUSjF.exe, 00000006.00000002.1472918784.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, tnbws7pyQvMUSjF.exe, 00000006.00000002.1474929284.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000009.00000002.3847506565.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040894B memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose,		9_2_0040894B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040B3C4 memset,GetPrivateProfileStringW,FindFirstFileW,memset,FindNextFileW,		9_2_0040B3C4

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 4x nop then pop esi	6_2_004172E6
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 4x nop then pop ebx	6_2_00407B23
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop esi	9_2_02D072E6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop ebx	9_2_02CF7B23

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.xhibitonenotary.info/t18n/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.urelook.xyz
Source:	DNS query: www.essislotgoal14.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.ruvabetgiris.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aylocnuocionkiem.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.milelab.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.gearlpfbm.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.xhibitonenotary.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.6ae23rx.forum replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.urelook.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.essislotgoal14.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.dnusaunni05.sbs replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lecrtort.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.destramentoemcasa.shop replaycode: Name error (3)

Source: unknown	DNS traffic detected: query: www.ruvabetgiris.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aylocnuocionkiem.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.milelab.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.gearlpfbm.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.xhibitonenotary.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.6ae23rx.forum replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.urelook.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.essislotgoal14.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.dnusaunni05.sbs replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lecrtort.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.destramentoemcasa.shop replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.ruvabetgiris.website
Source: global traffic	DNS traffic detected: DNS query: www.urelook.xyz
Source: global traffic	DNS traffic detected: DNS query: www.6ae23rx.forum
Source: global traffic	DNS traffic detected: DNS query: www.gearlpfbm.top
Source: global traffic	DNS traffic detected: DNS query: www.xhibitonenotary.info
Source: global traffic	DNS traffic detected: DNS query: www.aylocnuocionkiem.website
Source: global traffic	DNS traffic detected: DNS query: www.milelab.pro
Source: global traffic	DNS traffic detected: DNS query: www.dnusaunni05.sbs
Source: global traffic	DNS traffic detected: DNS query: www.lecrtort.net
Source: global traffic	DNS traffic detected: DNS query: www.destramentoemcasa.shop
Source: global traffic	DNS traffic detected: DNS query: www.essislotgoal14.xyz

Source: explorer.exe, 00000007.00000003.2285772758.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3854658121.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076254780.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000003.2285772758.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3854658121.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076254780.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.3854658121.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2285772758.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076935292.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3854658121.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076254780.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000000.1413529906.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3849810107.0000000004405000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000007.00000003.2285772758.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3854658121.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076254780.0000000009264000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.3854031180.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000000.1417862053.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1417841209.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1411129106.0000000002C80000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: tnbws7pyQvMUSjF.exe, 00000000.00000002.1411362800.00000000031E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6ae23rx.forum
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6ae23rx.forum/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6ae23rx.forum/t18n/www.gearlpfbm.top
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6ae23rx.forumReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aylocnuocionkiem.website
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aylocnuocionkiem.website/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aylocnuocionkiem.website/t18n/www.milelab.pro
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aylocnuocionkiem.websiteReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bresz.xyz
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bresz.xyz/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bresz.xyz/t18n/www.urelook.xyz
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bresz.xyzReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.destramentoemcasa.shop
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.destramentoemcasa.shop/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.destramentoemcasa.shop/t18n/www.essislotgoal14.xyz
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.destramentoemcasa.shopReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dnusaunni05.sbs
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dnusaunni05.sbs/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dnusaunni05.sbs/t18n/www.lecrtort.net
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dnusaunni05.sbsReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enisekran.xyz
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enisekran.xyz/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enisekran.xyz/t18n/www.ozyjtmt.christmas
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enisekran.xyzReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.essislotgoal14.xyz
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.essislotgoal14.xyz/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.essislotgoal14.xyz/t18n/www.enisekran.xyz
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.essislotgoal14.xyzReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gearlpfbm.top
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gearlpfbm.top/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gearlpfbm.top/t18n/www.xhibitonenotary.info
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gearlpfbm.topReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lecrtort.net
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lecrtort.net/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lecrtort.net/t18n/www.destramentoemcasa.shop
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lecrtort.netReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lotehupi.shop
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lotehupi.shop/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lotehupi.shop/t18n/www.sphaltpaving-ttp1-shd-us-2.shop
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lotehupi.shopReferer:
Source: explorer.exe, 00000007.00000002.3854658121.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076935292.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.milelab.pro
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.milelab.pro/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.milelab.pro/t18n/www.dnusaunni05.sbs
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.milelab.proReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozyjtmt.christmas
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozyjtmt.christmas/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozyjtmt.christmas/t18n/www.lotehupi.shop
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ozyjtmt.christmasReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruvabetgiris.website
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruvabetgiris.website/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruvabetgiris.website/t18n/www.bresz.xyz
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruvabetgiris.websiteReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sphaltpaving-ttp1-shd-us-2.shop
Source: explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sphaltpaving-ttp1-shd-us-2.shop/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sphaltpaving-ttp1-shd-us-2.shopReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.urelook.xyz
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.urelook.xyz/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.urelook.xyz/t18n/www.6ae23rx.forum
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.urelook.xyzReferer:
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhibitonenotary.info
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhibitonenotary.info/t18n/
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhibitonenotary.info/t18n/www.aylocnuocionkiem.website
Source: explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xhibitonenotary.infoReferer:
Source: explorer.exe, 00000007.00000002.3857695739.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1426705990.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000007.00000002.3857695739.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1426705990.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000002.3857695739.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1426705990.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000007.00000002.3857695739.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1426705990.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000007.00000003.2286415291.000000000704B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3077380643.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3075985304.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3850684822.000000000704E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.3854031180.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000007.00000002.3854031180.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.3854031180.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000007.00000000.1426705990.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3857695739.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000007.00000000.1426705990.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3857695739.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000007.00000000.1426705990.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3857695739.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1426705990.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000007.00000000.1426705990.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3857695739.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com48
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: tnbws7pyQvMUSjF.exe PID: 7664, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: tnbws7pyQvMUSjF.exe PID: 7856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 8172, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041A330 NtCreateFile,	6_2_0041A330
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041A3E0 NtReadFile,	6_2_0041A3E0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041A460 NtClose,	6_2_0041A460
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041A510 NtAllocateVirtualMemory,	6_2_0041A510
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041A3DD NtReadFile,	6_2_0041A3DD
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041A382 NtCreateFile,	6_2_0041A382
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041A45A NtClose,	6_2_0041A45A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041A58B NtAllocateVirtualMemory,	6_2_0041A58B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2B60 NtClose,LdrInitializeThunk,	6_2_012B2B60
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_012B2BF0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2AD0 NtReadFile,LdrInitializeThunk,	6_2_012B2AD0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_012B2D30
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_012B2D10
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_012B2DF0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_012B2DD0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_012B2C70
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_012B2CA0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2F30 NtCreateSection,LdrInitializeThunk,	6_2_012B2F30
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2FB0 NtResumeThread,LdrInitializeThunk,	6_2_012B2FB0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_012B2F90
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2FE0 NtCreateFile,LdrInitializeThunk,	6_2_012B2FE0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_012B2EA0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_012B2E80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B4340 NtSetContextThread,	6_2_012B4340
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B4650 NtSuspendThread,	6_2_012B4650
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2BA0 NtEnumerateValueKey,	6_2_012B2BA0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2B80 NtQueryInformationFile,	6_2_012B2B80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2BE0 NtQueryValueKey,	6_2_012B2BE0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2AB0 NtWaitForSingleObject,	6_2_012B2AB0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2AF0 NtWriteFile,	6_2_012B2AF0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2D00 NtSetInformationFile,	6_2_012B2D00
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2DB0 NtEnumerateKey,	6_2_012B2DB0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2C00 NtQueryInformationProcess,	6_2_012B2C00
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2C60 NtCreateKey,	6_2_012B2C60
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2CF0 NtOpenProcess,	6_2_012B2CF0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2CC0 NtQueryVirtualMemory,	6_2_012B2CC0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2F60 NtCreateProcessEx,	6_2_012B2F60
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2FA0 NtQuerySection,	6_2_012B2FA0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2E30 NtWriteVirtualMemory,	6_2_012B2E30
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2EE0 NtQueueApcThread,	6_2_012B2EE0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B3010 NtOpenDirectoryObject,	6_2_012B3010
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B3090 NtSetValueKey,	6_2_012B3090
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B35C0 NtCreateMutant,	6_2_012B35C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B39B0 NtGetContextThread,	6_2_012B39B0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B3D10 NtOpenProcessToken,	6_2_012B3D10
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B3D70 NtOpenThread,	6_2_012B3D70
Source: C:\Windows\explorer.exe	Code function: 7_2_0E052E12 NtProtectVirtualMemory,	7_2_0E052E12
Source: C:\Windows\explorer.exe	Code function: 7_2_0E051232 NtCreateFile,	7_2_0E051232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E052E0A NtProtectVirtualMemory,	7_2_0E052E0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_04C42CA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42C60 NtCreateKey,LdrInitializeThunk,	9_2_04C42C60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_04C42C70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42DD0 NtDelayExecution,LdrInitializeThunk,	9_2_04C42DD0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_04C42DF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_04C42D10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_04C42EA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42FE0 NtCreateFile,LdrInitializeThunk,	9_2_04C42FE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42F30 NtCreateSection,LdrInitializeThunk,	9_2_04C42F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42AD0 NtReadFile,LdrInitializeThunk,	9_2_04C42AD0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42BE0 NtQueryValueKey,LdrInitializeThunk,	9_2_04C42BE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_04C42BF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42B60 NtClose,LdrInitializeThunk,	9_2_04C42B60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C435C0 NtCreateMutant,LdrInitializeThunk,	9_2_04C435C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C44650 NtSuspendThread,	9_2_04C44650
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C44340 NtSetContextThread,	9_2_04C44340
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42CC0 NtQueryVirtualMemory,	9_2_04C42CC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42CF0 NtOpenProcess,	9_2_04C42CF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42C00 NtQueryInformationProcess,	9_2_04C42C00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42DB0 NtEnumerateKey,	9_2_04C42DB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42D00 NtSetInformationFile,	9_2_04C42D00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42D30 NtUnmapViewOfSection,	9_2_04C42D30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42EE0 NtQueueApcThread,	9_2_04C42EE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42E80 NtReadVirtualMemory,	9_2_04C42E80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42E30 NtWriteVirtualMemory,	9_2_04C42E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42F90 NtProtectVirtualMemory,	9_2_04C42F90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42FA0 NtQuerySection,	9_2_04C42FA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42FB0 NtResumeThread,	9_2_04C42FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42F60 NtCreateProcessEx,	9_2_04C42F60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42AF0 NtWriteFile,	9_2_04C42AF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42AB0 NtWaitForSingleObject,	9_2_04C42AB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42B80 NtQueryInformationFile,	9_2_04C42B80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C42BA0 NtEnumerateValueKey,	9_2_04C42BA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C43090 NtSetValueKey,	9_2_04C43090
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C43010 NtOpenDirectoryObject,	9_2_04C43010
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C43D70 NtOpenThread,	9_2_04C43D70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C43D10 NtOpenProcessToken,	9_2_04C43D10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C439B0 NtGetContextThread,	9_2_04C439B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0A3E0 NtReadFile,	9_2_02D0A3E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0A330 NtCreateFile,	9_2_02D0A330
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0A460 NtClose,	9_2_02D0A460
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0A510 NtAllocateVirtualMemory,	9_2_02D0A510
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0A3DD NtReadFile,	9_2_02D0A3DD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0A382 NtCreateFile,	9_2_02D0A382
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0A45A NtClose,	9_2_02D0A45A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0A58B NtAllocateVirtualMemory,	9_2_02D0A58B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B0A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	9_2_04B0A036
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B09BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	9_2_04B09BAF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B0A042 NtQueryInformationProcess,	9_2_04B0A042
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B09BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_04B09BB2

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0158D5BC	0_2_0158D5BC
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05607368	0_2_05607368
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05608250	0_2_05608250
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05605D90	0_2_05605D90
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560AC50	0_2_0560AC50
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560CF78	0_2_0560CF78
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05606900	0_2_05606900
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560A9F8	0_2_0560A9F8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560A57A	0_2_0560A57A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560A588	0_2_0560A588
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560A7E8	0_2_0560A7E8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560A7D8	0_2_0560A7D8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05608160	0_2_05608160
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05609168	0_2_05609168
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560B168	0_2_0560B168
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05609178	0_2_05609178
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560B178	0_2_0560B178
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05605178	0_2_05605178
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05605188	0_2_05605188
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05607359	0_2_05607359
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560A3E8	0_2_0560A3E8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560A3DB	0_2_0560A3DB
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560B223	0_2_0560B223
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05609D48	0_2_05609D48
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05605D2B	0_2_05605D2B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05609D39	0_2_05609D39
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560AC40	0_2_0560AC40
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05605CD8	0_2_05605CD8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05608F69	0_2_05608F69
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560CF69	0_2_0560CF69
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_05608F78	0_2_05608F78
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560CF01	0_2_0560CF01
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560DFA8	0_2_0560DFA8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560DF98	0_2_0560DF98
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560A9E8	0_2_0560A9E8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560C9C8	0_2_0560C9C8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560C9B9	0_2_0560C9B9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_056068F1	0_2_056068F1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560DA60	0_2_0560DA60
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_0560DA70	0_2_0560DA70
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_074A5738	0_2_074A5738
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_074A76B8	0_2_074A76B8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_074A4513	0_2_074A4513
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_074A5300	0_2_074A5300
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_074A52F1	0_2_074A52F1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_074A4EC8	0_2_074A4EC8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_074A6DE0	0_2_074A6DE0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_074A08D0	0_2_074A08D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041EB99	6_2_0041EB99
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041DC3D	6_2_0041DC3D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041E549	6_2_0041E549
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_00409E5C	6_2_00409E5C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_00409E60	6_2_00409E60
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041D6BC	6_2_0041D6BC
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041DF7D	6_2_0041DF7D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041E7AE	6_2_0041E7AE
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270100	6_2_01270100
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131A118	6_2_0131A118
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01308158	6_2_01308158
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013401AA	6_2_013401AA
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013381CC	6_2_013381CC
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01312000	6_2_01312000
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133A352	6_2_0133A352
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013403E6	6_2_013403E6
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128E3F0	6_2_0128E3F0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013002C0	6_2_013002C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280535	6_2_01280535
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01340591	6_2_01340591
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01332446	6_2_01332446
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0132E4F6	6_2_0132E4F6
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A4750	6_2_012A4750
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127C7C0	6_2_0127C7C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129C6E0	6_2_0129C6E0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01296962	6_2_01296962
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0134A9A6	6_2_0134A9A6
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128A840	6_2_0128A840
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01282840	6_2_01282840
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012668B8	6_2_012668B8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE8F0	6_2_012AE8F0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133AB40	6_2_0133AB40
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01336BD7	6_2_01336BD7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127EA80	6_2_0127EA80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128AD00	6_2_0128AD00
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01298DBF	6_2_01298DBF
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127ADE0	6_2_0127ADE0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280C00	6_2_01280C00
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320CB5	6_2_01320CB5
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270CF2	6_2_01270CF2
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012C2F28	6_2_012C2F28
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A0F30	6_2_012A0F30
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F4F40	6_2_012F4F40
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FEFA0	6_2_012FEFA0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128CFE0	6_2_0128CFE0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01272FC8	6_2_01272FC8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133EE26	6_2_0133EE26
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280E59	6_2_01280E59
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133CE93	6_2_0133CE93
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01292E90	6_2_01292E90
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133EEDB	6_2_0133EEDB
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B516C	6_2_012B516C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126F172	6_2_0126F172
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0134B16B	6_2_0134B16B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128B1B0	6_2_0128B1B0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133F0E0	6_2_0133F0E0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013370E9	6_2_013370E9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012870C0	6_2_012870C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0132F0CC	6_2_0132F0CC
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133132D	6_2_0133132D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126D34C	6_2_0126D34C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012C739A	6_2_012C739A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012852A0	6_2_012852A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013212ED	6_2_013212ED
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129B2C0	6_2_0129B2C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01337571	6_2_01337571
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131D5B0	6_2_0131D5B0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133F43F	6_2_0133F43F
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01271460	6_2_01271460
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133F7B0	6_2_0133F7B0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013316CC	6_2_013316CC
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01289950	6_2_01289950
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129B950	6_2_0129B950
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012ED800	6_2_012ED800
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012838E0	6_2_012838E0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133FB76	6_2_0133FB76
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129FB80	6_2_0129FB80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012BDBF9	6_2_012BDBF9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F5BF0	6_2_012F5BF0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F3A6C	6_2_012F3A6C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01337A46	6_2_01337A46
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133FA49	6_2_0133FA49
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012C5AA0	6_2_012C5AA0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131DAAC	6_2_0131DAAC
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0132DAC6	6_2_0132DAC6
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01337D73	6_2_01337D73
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01283D40	6_2_01283D40
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01331D5A	6_2_01331D5A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129FDC0	6_2_0129FDC0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F9C32	6_2_012F9C32
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133FCF2	6_2_0133FCF2
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133FF09	6_2_0133FF09
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133FFB1	6_2_0133FFB1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01281F92	6_2_01281F92
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01289EB0	6_2_01289EB0
Source: C:\Windows\explorer.exe	Code function: 7_2_0DF455CD	7_2_0DF455CD
Source: C:\Windows\explorer.exe	Code function: 7_2_0DF3F912	7_2_0DF3F912
Source: C:\Windows\explorer.exe	Code function: 7_2_0DF39D02	7_2_0DF39D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0DF38082	7_2_0DF38082
Source: C:\Windows\explorer.exe	Code function: 7_2_0DF41036	7_2_0DF41036
Source: C:\Windows\explorer.exe	Code function: 7_2_0DF3CB32	7_2_0DF3CB32
Source: C:\Windows\explorer.exe	Code function: 7_2_0DF3CB30	7_2_0DF3CB30
Source: C:\Windows\explorer.exe	Code function: 7_2_0DF42232	7_2_0DF42232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E051232	7_2_0E051232
Source: C:\Windows\explorer.exe	Code function: 7_2_0E050036	7_2_0E050036
Source: C:\Windows\explorer.exe	Code function: 7_2_0E047082	7_2_0E047082
Source: C:\Windows\explorer.exe	Code function: 7_2_0E048D02	7_2_0E048D02
Source: C:\Windows\explorer.exe	Code function: 7_2_0E04E912	7_2_0E04E912
Source: C:\Windows\explorer.exe	Code function: 7_2_0E04BB30	7_2_0E04BB30
Source: C:\Windows\explorer.exe	Code function: 7_2_0E04BB32	7_2_0E04BB32
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0545CD	7_2_0E0545CD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040B634	9_2_0040B634
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CBE4F6	9_2_04CBE4F6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CC2446	9_2_04CC2446
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CB4420	9_2_04CB4420
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CD0591	9_2_04CD0591
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C10535	9_2_04C10535
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C2C6E0	9_2_04C2C6E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C0C7C0	9_2_04C0C7C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C34750	9_2_04C34750
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C10770	9_2_04C10770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CA2000	9_2_04CA2000
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CC81CC	9_2_04CC81CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CD01AA	9_2_04CD01AA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CC41A2	9_2_04CC41A2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C98158	9_2_04C98158
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C00100	9_2_04C00100
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CAA118	9_2_04CAA118
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C902C0	9_2_04C902C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CB0274	9_2_04CB0274
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CD03E6	9_2_04CD03E6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C1E3F0	9_2_04C1E3F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCA352	9_2_04CCA352
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C00CF2	9_2_04C00CF2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CB0CB5	9_2_04CB0CB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C10C00	9_2_04C10C00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C0ADE0	9_2_04C0ADE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C28DBF	9_2_04C28DBF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C1AD00	9_2_04C1AD00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CACD1F	9_2_04CACD1F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCEEDB	9_2_04CCEEDB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C22E90	9_2_04C22E90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCCE93	9_2_04CCCE93
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C10E59	9_2_04C10E59
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCEE26	9_2_04CCEE26
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C02FC8	9_2_04C02FC8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C1CFE0	9_2_04C1CFE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C8EFA0	9_2_04C8EFA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C84F40	9_2_04C84F40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C52F28	9_2_04C52F28
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C30F30	9_2_04C30F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CB2F30	9_2_04CB2F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04BF68B8	9_2_04BF68B8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C3E8F0	9_2_04C3E8F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C1A840	9_2_04C1A840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C12840	9_2_04C12840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C129A0	9_2_04C129A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CDA9A6	9_2_04CDA9A6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C26962	9_2_04C26962
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C0EA80	9_2_04C0EA80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CC6BD7	9_2_04CC6BD7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCAB40	9_2_04CCAB40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C01460	9_2_04C01460
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCF43F	9_2_04CCF43F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CAD5B0	9_2_04CAD5B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CC7571	9_2_04CC7571
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CC16CC	9_2_04CC16CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCF7B0	9_2_04CCF7B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C170C0	9_2_04C170C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CBF0CC	9_2_04CBF0CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CC70E9	9_2_04CC70E9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCF0E0	9_2_04CCF0E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C1B1B0	9_2_04C1B1B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CDB16B	9_2_04CDB16B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C4516C	9_2_04C4516C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04BFF172	9_2_04BFF172
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C2B2C0	9_2_04C2B2C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CB12ED	9_2_04CB12ED
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C152A0	9_2_04C152A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C5739A	9_2_04C5739A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CC132D	9_2_04CC132D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04BFD34C	9_2_04BFD34C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCFCF2	9_2_04CCFCF2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C89C32	9_2_04C89C32
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C2FDC0	9_2_04C2FDC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C13D40	9_2_04C13D40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CC1D5A	9_2_04CC1D5A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CC7D73	9_2_04CC7D73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C19EB0	9_2_04C19EB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C11F92	9_2_04C11F92
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCFFB1	9_2_04CCFFB1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCFF09	9_2_04CCFF09
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C138E0	9_2_04C138E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C7D800	9_2_04C7D800
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C19950	9_2_04C19950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C2B950	9_2_04C2B950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CA5910	9_2_04CA5910
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CBDAC6	9_2_04CBDAC6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C55AA0	9_2_04C55AA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CADAAC	9_2_04CADAAC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CB1AA3	9_2_04CB1AA3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCFA49	9_2_04CCFA49
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CC7A46	9_2_04CC7A46
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C83A6C	9_2_04C83A6C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C85BF0	9_2_04C85BF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C4DBF9	9_2_04C4DBF9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C2FB80	9_2_04C2FB80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04CCFB76	9_2_04CCFB76
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0E7AE	9_2_02D0E7AE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0E549	9_2_02D0E549
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0EB99	9_2_02D0EB99
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02CF9E5C	9_2_02CF9E5C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02CF9E60	9_2_02CF9E60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02CF2FB0	9_2_02CF2FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02CF2D90	9_2_02CF2D90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B0A036	9_2_04B0A036
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B0E5CD	9_2_04B0E5CD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B02D02	9_2_04B02D02
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B01082	9_2_04B01082
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B08912	9_2_04B08912
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B0B232	9_2_04B0B232
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B05B30	9_2_04B05B30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B05B32	9_2_04B05B32

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04BFB970 appears 280 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04C8F290 appears 105 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04C57E54 appears 102 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 0040E951 appears 100 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04C7EA12 appears 86 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04C45130 appears 58 times
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: String function: 012EEA12 appears 86 times
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: String function: 0126B970 appears 274 times
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: String function: 012C7E54 appears 99 times
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: String function: 012FF290 appears 105 times
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: String function: 012B5130 appears 37 times

Source: tnbws7pyQvMUSjF.exe, 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs tnbws7pyQvMUSjF.exe
Source: tnbws7pyQvMUSjF.exe, 00000000.00000002.1417447158.0000000007420000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs tnbws7pyQvMUSjF.exe
Source: tnbws7pyQvMUSjF.exe, 00000000.00000002.1418137456.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs tnbws7pyQvMUSjF.exe
Source: tnbws7pyQvMUSjF.exe, 00000000.00000002.1408866168.000000000134E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs tnbws7pyQvMUSjF.exe
Source: tnbws7pyQvMUSjF.exe, 00000000.00000000.1388874936.0000000000BF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameckcA.exe@ vs tnbws7pyQvMUSjF.exe
Source: tnbws7pyQvMUSjF.exe, 00000006.00000002.1472918784.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMSTP.EXE` vs tnbws7pyQvMUSjF.exe
Source: tnbws7pyQvMUSjF.exe, 00000006.00000002.1473207542.000000000136D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs tnbws7pyQvMUSjF.exe
Source: tnbws7pyQvMUSjF.exe, 00000006.00000002.1474929284.0000000002F30000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCMSTP.EXE` vs tnbws7pyQvMUSjF.exe
Source: tnbws7pyQvMUSjF.exe	Binary or memory string: OriginalFilenameckcA.exe@ vs tnbws7pyQvMUSjF.exe

Source: tnbws7pyQvMUSjF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: tnbws7pyQvMUSjF.exe PID: 7664, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: tnbws7pyQvMUSjF.exe PID: 7856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 8172, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: tnbws7pyQvMUSjF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, y6PHtoxs9c243ifuiW.cs	Security API names: _0020.SetAccessControl
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, y6PHtoxs9c243ifuiW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, y6PHtoxs9c243ifuiW.cs	Security API names: _0020.AddAccessRule
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, q1yRBkpS3y5kP3hRGO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, y6PHtoxs9c243ifuiW.cs	Security API names: _0020.SetAccessControl
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, y6PHtoxs9c243ifuiW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, y6PHtoxs9c243ifuiW.cs	Security API names: _0020.AddAccessRule
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, q1yRBkpS3y5kP3hRGO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, q1yRBkpS3y5kP3hRGO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, y6PHtoxs9c243ifuiW.cs	Security API names: _0020.SetAccessControl
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, y6PHtoxs9c243ifuiW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, y6PHtoxs9c243ifuiW.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@14/6@11/0

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_00408F05 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,InitiateSystemShutdownW,AdjustTokenPrivileges,CloseHandle,

9_2_00408F05

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tnbws7pyQvMUSjF.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kqi12ac.5ys.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Command line argument: kernel32.dll

9_2_00406052

Source: tnbws7pyQvMUSjF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tnbws7pyQvMUSjF.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tnbws7pyQvMUSjF.exe	ReversingLabs: Detection: 60%
Source: tnbws7pyQvMUSjF.exe	Virustotal: Detection: 66%

Source: cmstp.exe

String found in binary or memory: /k certutil.exe -f -enterprise -v -addstore Root "%s"

Source: unknown	Process created: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process created: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process created: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process created: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process created: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: tnbws7pyQvMUSjF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: tnbws7pyQvMUSjF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: tnbws7pyQvMUSjF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cmstp.pdbGCTL source: tnbws7pyQvMUSjF.exe, 00000006.00000002.1472918784.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, tnbws7pyQvMUSjF.exe, 00000006.00000002.1474929284.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000009.00000002.3847506565.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: ckcA.pdb source: tnbws7pyQvMUSjF.exe
Source:	Binary string: wntdll.pdbUGP source: tnbws7pyQvMUSjF.exe, 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.1475234081.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.1472898863.0000000004865000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tnbws7pyQvMUSjF.exe, tnbws7pyQvMUSjF.exe, 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000009.00000003.1475234081.0000000004A1C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000009.00000003.1472898863.0000000004865000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ckcA.pdbSHA256 source: tnbws7pyQvMUSjF.exe
Source:	Binary string: cmstp.pdb source: tnbws7pyQvMUSjF.exe, 00000006.00000002.1472918784.0000000000DE7000.00000004.00000020.00020000.00000000.sdmp, tnbws7pyQvMUSjF.exe, 00000006.00000002.1474929284.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000009.00000002.3847506565.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: tnbws7pyQvMUSjF.exe, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.tnbws7pyQvMUSjF.exe.402a190.2.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, y6PHtoxs9c243ifuiW.cs	.Net Code: pE3psRdgvZ System.Reflection.Assembly.Load(byte[])
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, y6PHtoxs9c243ifuiW.cs	.Net Code: pE3psRdgvZ System.Reflection.Assembly.Load(byte[])
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, y6PHtoxs9c243ifuiW.cs	.Net Code: pE3psRdgvZ System.Reflection.Assembly.Load(byte[])
Source: 0.2.tnbws7pyQvMUSjF.exe.58c0000.3.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 7.2.explorer.exe.1034f840.0.raw.unpack, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 9.2.cmstp.exe.515f840.3.raw.unpack, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])

Source: tnbws7pyQvMUSjF.exe

Static PE information: 0xBEAD93A9 [Sun May 17 00:02:49 2071 UTC]

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_056036A0 push eax; ret	0_2_056036A1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_056042F8 pushfd ; retf	0_2_05604301
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_056049F2 pushfd ; iretd	0_2_056049F9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_074ACC2D push FFFFFF8Bh; iretd	0_2_074ACC2F
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 0_2_074AA9B0 pushfd ; ret	0_2_074AA9B1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041F00F push edi; ret	6_2_0041F011
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_00401174 push ebp; retf	6_2_00401175
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041EB99 push ebp; ret	6_2_0041EE10
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041D4D2 push eax; ret	6_2_0041D4D8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041D4DB push eax; ret	6_2_0041D542
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041D485 push eax; ret	6_2_0041D4D8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041D53C push eax; ret	6_2_0041D542
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0041C6D2 push esp; ret	6_2_0041C6D3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012709AD push ecx; mov dword ptr [esp], ecx	6_2_012709B6
Source: C:\Windows\explorer.exe	Code function: 7_2_0DF459B5 push esp; retn 0000h	7_2_0DF45AE7
Source: C:\Windows\explorer.exe	Code function: 7_2_0DF45B1E push esp; retn 0000h	7_2_0DF45B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0DF45B02 push esp; retn 0000h	7_2_0DF45B03
Source: C:\Windows\explorer.exe	Code function: 7_2_0E054B02 push esp; retn 0000h	7_2_0E054B03
Source: C:\Windows\explorer.exe	Code function: 7_2_0E054B1E push esp; retn 0000h	7_2_0E054B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_0E0549B5 push esp; retn 0000h	7_2_0E054AE7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00411A3D push ecx; ret	9_2_00411A50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04C009AD push ecx; mov dword ptr [esp], ecx	9_2_04C009B6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0F00F push edi; ret	9_2_02D0F011
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0C6D2 push esp; ret	9_2_02D0C6D3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0D4D2 push eax; ret	9_2_02D0D4D8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0D4DB push eax; ret	9_2_02D0D542
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0D485 push eax; ret	9_2_02D0D4D8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0D53C push eax; ret	9_2_02D0D542
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0EB99 push ebp; ret	9_2_02D0EE10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_02D0D91A push esp; ret	9_2_02D0D91B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_04B0E9B5 push esp; retn 0000h	9_2_04B0EAE7

Source: tnbws7pyQvMUSjF.exe

Static PE information: section name: .text entropy: 7.434680807200467

Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, WX6id07sUvqusiwXCg.cs	High entropy of concatenated method names: 'luZ9UAIOPX', 'BRL9Jrw4va', 'eXU9KAgfOb', 'KRl94QHADh', 'cqI9QXxyay', 'hMJ9q99cdj', 'xS59muoDON', 'lXk9VKrnnv', 'rdd9oai2PZ', 'xT69TC8o36'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, lBhxSurWTdsRV4Kif8.cs	High entropy of concatenated method names: 'mtO4GEuMWE', 'BEF4BhaOx6', 'Ps7Kaf9OSP', 'RXfK7GjqJN', 'RoeKZ2PgXt', 'zIKKS4g8e7', 'hAFKHnLYfL', 'l0BKEUHhQ7', 'tFQKOGQWuj', 'FXnKDXZ2Lm'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, F8sgaJm1w73yVem1qw.cs	High entropy of concatenated method names: 'ToString', 'v6c2x3tica', 'MHC2Ni1M67', 'S4F2ahmjNA', 'JrE27vlPb1', 'P5Y2ZFlnGT', 'U0u2Sv0tEN', 'MLC2Hx7asZ', 'aJO2EXqocX', 'Am52OxG18w'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, DwXbfPJKTvNGH1hoJB.cs	High entropy of concatenated method names: 'FSDPqrcFAb', 'anpPmwJf3q', 'VRqPo3B5kG', 'AN4PTwHAse', 'TVNPRoJtLV', 'IBZP2gvNXC', 'C2elJaFQbR2Co4vpKp', 'k31kTVsJHEFRQQL89Y', 'zUjPPtJ05l', 'Ef2PtaVEAI'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, YQTZhXU03VdybrXaA2.cs	High entropy of concatenated method names: 'ndcKC3Tk0F', 'UAPKlJUlt7', 'Q4sKdjprsp', 'vnZK8w2AMU', 'tA7KRY8P54', 'z0VK28FmKv', 'XBGKe5D1Jk', 'J6DK9P1xFR', 'GSGKMnljZU', 'JtMKXqe9QD'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, oICLJeKLMeyK81sbtPm.cs	High entropy of concatenated method names: 'i7GMfNFjA9', 's59MctoL3Y', 'eX3Ms2LXtK', 'wdGMCqskIY', 'DZ9MGiO2q0', 'SNyMld59l9', 'y26MBpHZ8L', 'ir7MdcIk8M', 'ibxM83jKad', 'gdRMwAQ0vX'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, anZIZUvahbo8m36Em5.cs	High entropy of concatenated method names: 'I5XMP1Mt0R', 'aqnMtFTEHX', 'Yn0MpUCHWB', 'PwoMULpEGs', 'vLjMJZ3iti', 'gI4M4NLwLT', 'EomMQcOZa8', 'KEf9b02Hj9', 'tho9yV8a0f', 'zAI9ApuiqF'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, etTXdp1X8V6NlmkcnO.cs	High entropy of concatenated method names: 'MWgQ67C9vj', 'b3mQJBrWd2', 'SQwQ4AsUjV', 'RbcQq1NZjG', 'TXeQmfvA2r', 'EuT4gjypA5', 'ni5457DWhu', 'v4q4b81Z92', 'VWk4yKRhQE', 'q3a4A7yXsC'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, d0SNm99VcgUf1Y29Ws.cs	High entropy of concatenated method names: 'qmEqUiXd4l', 'HbZqKV4jTV', 'KqEqQ1ZTu9', 'bXKQukgAlx', 'mH7QzOXNTR', 'ni1qIpBvC2', 'WjZqPht2F3', 'Obfq1P2BXE', 'exkqtAfBHa', 'VOEqp7AprD'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, At0mNj5JCKLWRZ41td.cs	High entropy of concatenated method names: 'vDjsr003a', 'nSaCr9I5Q', 'JlplCRtNB', 'arZBIZrLs', 'l018DRUpr', 'NEKwI0gvM', 'Sonc55VhgqkQVVgTMr', 'HKK3i3cBJPegqXZXUZ', 'RbK9P9y2P', 'AWjX4b40f'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, jbhJFoOtPd8SynLbCU.cs	High entropy of concatenated method names: 'Dispose', 'e5dPAZTLVe', 'BMk1NtZNby', 'zV8LLPPKOt', 'm8YPuQfw5H', 'aQPPzLtfxJ', 'ProcessDialogKey', 'KR81IGvkHI', 'd031P4kvfh', 'rLO11tRpNo'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, YbprunAdej833j571V.cs	High entropy of concatenated method names: 'u0LeyfZddb', 'iBNeuy1jNO', 'AOR9I471pR', 'CNr9PelUoh', 'dhAexbkIQ5', 'wfDe0uIM9q', 'P8eeiIsNOr', 'vlHeY7evwv', 'S8CejaB8Md', 'lCfevTyfWV'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, TaAiifNZxnIK0gKrV6.cs	High entropy of concatenated method names: 'iiy3dliiv3', 'z7I381E1MN', 'eDi3FsUVeS', 'fy53NlkULf', 'crp37wxRpe', 'AGG3ZYqhfD', 'hLO3HKr5MN', 'fAu3EGgl1Z', 'zEf3DUhYIT', 'YrM3x6589C'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, gxuNj4iueV3QrTrwc7.cs	High entropy of concatenated method names: 'nuVqfC9qBY', 'jMKqcagHE9', 'r1rqsK1bWw', 'cfdqCe3GGR', 'we9qGkoP27', 'cOwqliNJRb', 'NFMqBUduCJ', 'A2OqdP59SM', 'wHvq8x09FC', 'a4jqwS0Dd8'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, o0MTSKKweWEVQKjro4x.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RXFXYqT9X4', 'yohXjeKVpj', 'H3oXvMkFhB', 'f9HXre0vSF', 'zynXgrAwnT', 'eW7X5cRf3c', 'kurXb830FI'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, XSuGiCFPwpINIaNj1i.cs	High entropy of concatenated method names: 'j65eoI5AVF', 'X0neTi7HIo', 'ToString', 'XwEeUlJX41', 'IfWeJIZVJ1', 'm33eKoJ5aC', 'cFDe4Nx5o9', 'qMIeQl3jWk', 'Ou6eqBfmOf', 'IxMemcGvFw'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, q1yRBkpS3y5kP3hRGO.cs	High entropy of concatenated method names: 'VGrJYOUsmF', 'nPSJjo5to2', 'Va1JvRIhoF', 'graJrHeeUl', 'z4cJgL2Hnr', 'gFMJ5pVLjf', 'BP0JbcqOG4', 'nFJJysCZfD', 'pH5JA8U67F', 'JYlJu0vx9g'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, y6PHtoxs9c243ifuiW.cs	High entropy of concatenated method names: 'uXXt6LmmkP', 'vE1tUryNm2', 'TLEtJBZr9E', 'uLatKsAAuL', 'noct4NpLX2', 'MNstQVnoiE', 'RfetqMQ5xD', 'BEdtmjIjSX', 'agHtVOGk8D', 'pDMtohGfN0'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, owmcQrfhm38luXPsgX.cs	High entropy of concatenated method names: 'z5sRDcTJLV', 'AMTR04YJ70', 'boDRYlNnEw', 'mAPRjOdGsD', 'oNZRN8QFHh', 'fkmRabgVhy', 'zQnR7HTu2v', 'SyyRZQBZdq', 'vaoRSmO72p', 'FXDRHkLSx0'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, DXq8YSG6iTZgiJi4YW.cs	High entropy of concatenated method names: 'p8t9FHaZhP', 'MRI9NnEZYq', 'LNd9atNRxZ', 'G1J97VEQ7w', 'BRY9YOTkfj', 'SrC9Zx6s5a', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.tnbws7pyQvMUSjF.exe.7420000.4.raw.unpack, F5G4HpzwED2Rs1Ytvi.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ubFM3qbRRF', 'koJMRrkr7S', 'rWyM2SfbBv', 'f9hMeobkju', 'VU9M9NdJZP', 'wraMMrYgvV', 'eIyMXdiD9j'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, WX6id07sUvqusiwXCg.cs	High entropy of concatenated method names: 'luZ9UAIOPX', 'BRL9Jrw4va', 'eXU9KAgfOb', 'KRl94QHADh', 'cqI9QXxyay', 'hMJ9q99cdj', 'xS59muoDON', 'lXk9VKrnnv', 'rdd9oai2PZ', 'xT69TC8o36'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, lBhxSurWTdsRV4Kif8.cs	High entropy of concatenated method names: 'mtO4GEuMWE', 'BEF4BhaOx6', 'Ps7Kaf9OSP', 'RXfK7GjqJN', 'RoeKZ2PgXt', 'zIKKS4g8e7', 'hAFKHnLYfL', 'l0BKEUHhQ7', 'tFQKOGQWuj', 'FXnKDXZ2Lm'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, F8sgaJm1w73yVem1qw.cs	High entropy of concatenated method names: 'ToString', 'v6c2x3tica', 'MHC2Ni1M67', 'S4F2ahmjNA', 'JrE27vlPb1', 'P5Y2ZFlnGT', 'U0u2Sv0tEN', 'MLC2Hx7asZ', 'aJO2EXqocX', 'Am52OxG18w'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, DwXbfPJKTvNGH1hoJB.cs	High entropy of concatenated method names: 'FSDPqrcFAb', 'anpPmwJf3q', 'VRqPo3B5kG', 'AN4PTwHAse', 'TVNPRoJtLV', 'IBZP2gvNXC', 'C2elJaFQbR2Co4vpKp', 'k31kTVsJHEFRQQL89Y', 'zUjPPtJ05l', 'Ef2PtaVEAI'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, YQTZhXU03VdybrXaA2.cs	High entropy of concatenated method names: 'ndcKC3Tk0F', 'UAPKlJUlt7', 'Q4sKdjprsp', 'vnZK8w2AMU', 'tA7KRY8P54', 'z0VK28FmKv', 'XBGKe5D1Jk', 'J6DK9P1xFR', 'GSGKMnljZU', 'JtMKXqe9QD'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, oICLJeKLMeyK81sbtPm.cs	High entropy of concatenated method names: 'i7GMfNFjA9', 's59MctoL3Y', 'eX3Ms2LXtK', 'wdGMCqskIY', 'DZ9MGiO2q0', 'SNyMld59l9', 'y26MBpHZ8L', 'ir7MdcIk8M', 'ibxM83jKad', 'gdRMwAQ0vX'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, anZIZUvahbo8m36Em5.cs	High entropy of concatenated method names: 'I5XMP1Mt0R', 'aqnMtFTEHX', 'Yn0MpUCHWB', 'PwoMULpEGs', 'vLjMJZ3iti', 'gI4M4NLwLT', 'EomMQcOZa8', 'KEf9b02Hj9', 'tho9yV8a0f', 'zAI9ApuiqF'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, etTXdp1X8V6NlmkcnO.cs	High entropy of concatenated method names: 'MWgQ67C9vj', 'b3mQJBrWd2', 'SQwQ4AsUjV', 'RbcQq1NZjG', 'TXeQmfvA2r', 'EuT4gjypA5', 'ni5457DWhu', 'v4q4b81Z92', 'VWk4yKRhQE', 'q3a4A7yXsC'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, d0SNm99VcgUf1Y29Ws.cs	High entropy of concatenated method names: 'qmEqUiXd4l', 'HbZqKV4jTV', 'KqEqQ1ZTu9', 'bXKQukgAlx', 'mH7QzOXNTR', 'ni1qIpBvC2', 'WjZqPht2F3', 'Obfq1P2BXE', 'exkqtAfBHa', 'VOEqp7AprD'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, At0mNj5JCKLWRZ41td.cs	High entropy of concatenated method names: 'vDjsr003a', 'nSaCr9I5Q', 'JlplCRtNB', 'arZBIZrLs', 'l018DRUpr', 'NEKwI0gvM', 'Sonc55VhgqkQVVgTMr', 'HKK3i3cBJPegqXZXUZ', 'RbK9P9y2P', 'AWjX4b40f'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, jbhJFoOtPd8SynLbCU.cs	High entropy of concatenated method names: 'Dispose', 'e5dPAZTLVe', 'BMk1NtZNby', 'zV8LLPPKOt', 'm8YPuQfw5H', 'aQPPzLtfxJ', 'ProcessDialogKey', 'KR81IGvkHI', 'd031P4kvfh', 'rLO11tRpNo'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, YbprunAdej833j571V.cs	High entropy of concatenated method names: 'u0LeyfZddb', 'iBNeuy1jNO', 'AOR9I471pR', 'CNr9PelUoh', 'dhAexbkIQ5', 'wfDe0uIM9q', 'P8eeiIsNOr', 'vlHeY7evwv', 'S8CejaB8Md', 'lCfevTyfWV'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, TaAiifNZxnIK0gKrV6.cs	High entropy of concatenated method names: 'iiy3dliiv3', 'z7I381E1MN', 'eDi3FsUVeS', 'fy53NlkULf', 'crp37wxRpe', 'AGG3ZYqhfD', 'hLO3HKr5MN', 'fAu3EGgl1Z', 'zEf3DUhYIT', 'YrM3x6589C'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, gxuNj4iueV3QrTrwc7.cs	High entropy of concatenated method names: 'nuVqfC9qBY', 'jMKqcagHE9', 'r1rqsK1bWw', 'cfdqCe3GGR', 'we9qGkoP27', 'cOwqliNJRb', 'NFMqBUduCJ', 'A2OqdP59SM', 'wHvq8x09FC', 'a4jqwS0Dd8'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, o0MTSKKweWEVQKjro4x.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RXFXYqT9X4', 'yohXjeKVpj', 'H3oXvMkFhB', 'f9HXre0vSF', 'zynXgrAwnT', 'eW7X5cRf3c', 'kurXb830FI'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, XSuGiCFPwpINIaNj1i.cs	High entropy of concatenated method names: 'j65eoI5AVF', 'X0neTi7HIo', 'ToString', 'XwEeUlJX41', 'IfWeJIZVJ1', 'm33eKoJ5aC', 'cFDe4Nx5o9', 'qMIeQl3jWk', 'Ou6eqBfmOf', 'IxMemcGvFw'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, q1yRBkpS3y5kP3hRGO.cs	High entropy of concatenated method names: 'VGrJYOUsmF', 'nPSJjo5to2', 'Va1JvRIhoF', 'graJrHeeUl', 'z4cJgL2Hnr', 'gFMJ5pVLjf', 'BP0JbcqOG4', 'nFJJysCZfD', 'pH5JA8U67F', 'JYlJu0vx9g'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, y6PHtoxs9c243ifuiW.cs	High entropy of concatenated method names: 'uXXt6LmmkP', 'vE1tUryNm2', 'TLEtJBZr9E', 'uLatKsAAuL', 'noct4NpLX2', 'MNstQVnoiE', 'RfetqMQ5xD', 'BEdtmjIjSX', 'agHtVOGk8D', 'pDMtohGfN0'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, owmcQrfhm38luXPsgX.cs	High entropy of concatenated method names: 'z5sRDcTJLV', 'AMTR04YJ70', 'boDRYlNnEw', 'mAPRjOdGsD', 'oNZRN8QFHh', 'fkmRabgVhy', 'zQnR7HTu2v', 'SyyRZQBZdq', 'vaoRSmO72p', 'FXDRHkLSx0'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, DXq8YSG6iTZgiJi4YW.cs	High entropy of concatenated method names: 'p8t9FHaZhP', 'MRI9NnEZYq', 'LNd9atNRxZ', 'G1J97VEQ7w', 'BRY9YOTkfj', 'SrC9Zx6s5a', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, F5G4HpzwED2Rs1Ytvi.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ubFM3qbRRF', 'koJMRrkr7S', 'rWyM2SfbBv', 'f9hMeobkju', 'VU9M9NdJZP', 'wraMMrYgvV', 'eIyMXdiD9j'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, WX6id07sUvqusiwXCg.cs	High entropy of concatenated method names: 'luZ9UAIOPX', 'BRL9Jrw4va', 'eXU9KAgfOb', 'KRl94QHADh', 'cqI9QXxyay', 'hMJ9q99cdj', 'xS59muoDON', 'lXk9VKrnnv', 'rdd9oai2PZ', 'xT69TC8o36'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, lBhxSurWTdsRV4Kif8.cs	High entropy of concatenated method names: 'mtO4GEuMWE', 'BEF4BhaOx6', 'Ps7Kaf9OSP', 'RXfK7GjqJN', 'RoeKZ2PgXt', 'zIKKS4g8e7', 'hAFKHnLYfL', 'l0BKEUHhQ7', 'tFQKOGQWuj', 'FXnKDXZ2Lm'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, F8sgaJm1w73yVem1qw.cs	High entropy of concatenated method names: 'ToString', 'v6c2x3tica', 'MHC2Ni1M67', 'S4F2ahmjNA', 'JrE27vlPb1', 'P5Y2ZFlnGT', 'U0u2Sv0tEN', 'MLC2Hx7asZ', 'aJO2EXqocX', 'Am52OxG18w'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, DwXbfPJKTvNGH1hoJB.cs	High entropy of concatenated method names: 'FSDPqrcFAb', 'anpPmwJf3q', 'VRqPo3B5kG', 'AN4PTwHAse', 'TVNPRoJtLV', 'IBZP2gvNXC', 'C2elJaFQbR2Co4vpKp', 'k31kTVsJHEFRQQL89Y', 'zUjPPtJ05l', 'Ef2PtaVEAI'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, YQTZhXU03VdybrXaA2.cs	High entropy of concatenated method names: 'ndcKC3Tk0F', 'UAPKlJUlt7', 'Q4sKdjprsp', 'vnZK8w2AMU', 'tA7KRY8P54', 'z0VK28FmKv', 'XBGKe5D1Jk', 'J6DK9P1xFR', 'GSGKMnljZU', 'JtMKXqe9QD'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, oICLJeKLMeyK81sbtPm.cs	High entropy of concatenated method names: 'i7GMfNFjA9', 's59MctoL3Y', 'eX3Ms2LXtK', 'wdGMCqskIY', 'DZ9MGiO2q0', 'SNyMld59l9', 'y26MBpHZ8L', 'ir7MdcIk8M', 'ibxM83jKad', 'gdRMwAQ0vX'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, anZIZUvahbo8m36Em5.cs	High entropy of concatenated method names: 'I5XMP1Mt0R', 'aqnMtFTEHX', 'Yn0MpUCHWB', 'PwoMULpEGs', 'vLjMJZ3iti', 'gI4M4NLwLT', 'EomMQcOZa8', 'KEf9b02Hj9', 'tho9yV8a0f', 'zAI9ApuiqF'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, etTXdp1X8V6NlmkcnO.cs	High entropy of concatenated method names: 'MWgQ67C9vj', 'b3mQJBrWd2', 'SQwQ4AsUjV', 'RbcQq1NZjG', 'TXeQmfvA2r', 'EuT4gjypA5', 'ni5457DWhu', 'v4q4b81Z92', 'VWk4yKRhQE', 'q3a4A7yXsC'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, d0SNm99VcgUf1Y29Ws.cs	High entropy of concatenated method names: 'qmEqUiXd4l', 'HbZqKV4jTV', 'KqEqQ1ZTu9', 'bXKQukgAlx', 'mH7QzOXNTR', 'ni1qIpBvC2', 'WjZqPht2F3', 'Obfq1P2BXE', 'exkqtAfBHa', 'VOEqp7AprD'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, At0mNj5JCKLWRZ41td.cs	High entropy of concatenated method names: 'vDjsr003a', 'nSaCr9I5Q', 'JlplCRtNB', 'arZBIZrLs', 'l018DRUpr', 'NEKwI0gvM', 'Sonc55VhgqkQVVgTMr', 'HKK3i3cBJPegqXZXUZ', 'RbK9P9y2P', 'AWjX4b40f'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, jbhJFoOtPd8SynLbCU.cs	High entropy of concatenated method names: 'Dispose', 'e5dPAZTLVe', 'BMk1NtZNby', 'zV8LLPPKOt', 'm8YPuQfw5H', 'aQPPzLtfxJ', 'ProcessDialogKey', 'KR81IGvkHI', 'd031P4kvfh', 'rLO11tRpNo'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, YbprunAdej833j571V.cs	High entropy of concatenated method names: 'u0LeyfZddb', 'iBNeuy1jNO', 'AOR9I471pR', 'CNr9PelUoh', 'dhAexbkIQ5', 'wfDe0uIM9q', 'P8eeiIsNOr', 'vlHeY7evwv', 'S8CejaB8Md', 'lCfevTyfWV'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, TaAiifNZxnIK0gKrV6.cs	High entropy of concatenated method names: 'iiy3dliiv3', 'z7I381E1MN', 'eDi3FsUVeS', 'fy53NlkULf', 'crp37wxRpe', 'AGG3ZYqhfD', 'hLO3HKr5MN', 'fAu3EGgl1Z', 'zEf3DUhYIT', 'YrM3x6589C'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, gxuNj4iueV3QrTrwc7.cs	High entropy of concatenated method names: 'nuVqfC9qBY', 'jMKqcagHE9', 'r1rqsK1bWw', 'cfdqCe3GGR', 'we9qGkoP27', 'cOwqliNJRb', 'NFMqBUduCJ', 'A2OqdP59SM', 'wHvq8x09FC', 'a4jqwS0Dd8'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, o0MTSKKweWEVQKjro4x.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RXFXYqT9X4', 'yohXjeKVpj', 'H3oXvMkFhB', 'f9HXre0vSF', 'zynXgrAwnT', 'eW7X5cRf3c', 'kurXb830FI'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, XSuGiCFPwpINIaNj1i.cs	High entropy of concatenated method names: 'j65eoI5AVF', 'X0neTi7HIo', 'ToString', 'XwEeUlJX41', 'IfWeJIZVJ1', 'm33eKoJ5aC', 'cFDe4Nx5o9', 'qMIeQl3jWk', 'Ou6eqBfmOf', 'IxMemcGvFw'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, q1yRBkpS3y5kP3hRGO.cs	High entropy of concatenated method names: 'VGrJYOUsmF', 'nPSJjo5to2', 'Va1JvRIhoF', 'graJrHeeUl', 'z4cJgL2Hnr', 'gFMJ5pVLjf', 'BP0JbcqOG4', 'nFJJysCZfD', 'pH5JA8U67F', 'JYlJu0vx9g'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, y6PHtoxs9c243ifuiW.cs	High entropy of concatenated method names: 'uXXt6LmmkP', 'vE1tUryNm2', 'TLEtJBZr9E', 'uLatKsAAuL', 'noct4NpLX2', 'MNstQVnoiE', 'RfetqMQ5xD', 'BEdtmjIjSX', 'agHtVOGk8D', 'pDMtohGfN0'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, owmcQrfhm38luXPsgX.cs	High entropy of concatenated method names: 'z5sRDcTJLV', 'AMTR04YJ70', 'boDRYlNnEw', 'mAPRjOdGsD', 'oNZRN8QFHh', 'fkmRabgVhy', 'zQnR7HTu2v', 'SyyRZQBZdq', 'vaoRSmO72p', 'FXDRHkLSx0'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, DXq8YSG6iTZgiJi4YW.cs	High entropy of concatenated method names: 'p8t9FHaZhP', 'MRI9NnEZYq', 'LNd9atNRxZ', 'G1J97VEQ7w', 'BRY9YOTkfj', 'SrC9Zx6s5a', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, F5G4HpzwED2Rs1Ytvi.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ubFM3qbRRF', 'koJMRrkr7S', 'rWyM2SfbBv', 'f9hMeobkju', 'VU9M9NdJZP', 'wraMMrYgvV', 'eIyMXdiD9j'

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040A068 memset,memset,RegOpenKeyExW,RegQueryValueExW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,LoadStringW,MessageBoxW,GetSystemDirectoryW,	9_2_0040A068
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040A47F RegOpenKeyExW,RegQueryValueExW,GetPrivateProfileIntW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,	9_2_0040A47F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040DD1E memset,memset,memset,memset,LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,RegCreateKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,lstrlenW,memset,lstrlenW,lstrlenW,RegSetValueExW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,CreateFileW,CloseHandle,CmFree,CmFree,GetPrivateProfileIntW,SetFileAttributesW,SHFileOperationW,RegCloseKey,RegCloseKey,	9_2_0040DD1E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040D233 RegOpenKeyExW,GetPrivateProfileIntW,GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,memset,RegEnumValueW,RegCloseKey,	9_2_0040D233
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040B634 LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,LoadStringW,MessageBoxW,CmFree,CmFree,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadStringW,MessageBoxW,memset,memset,memset,RegOpenKeyExW,RegQueryValueExW,ExpandEnvironmentStringsW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,LoadStringW,RegCreateKeyW,lstrlenW,RegSetValueExW,LoadStringW,MessageBoxW,RegCloseKey,RegCloseKey,memset,memset,CopyFileW,LoadStringW,MessageBoxW,GetOSVersion,GetOSMajorVersion,CmMalloc,memset,CmFree,CmMalloc,memset,GetLastError,CmFree,lstrlenW,CmMalloc,lstrlenW,CmFree,CmFree,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,LoadStringW,MessageBoxExW,CmMalloc,memset,CmFree,CmMalloc,	9_2_0040B634
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00405DEC memset,GetPrivateProfileStringW,GetModuleHandleA,GetProcAddress,GetCurrentProcess,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetProcAddress,GetProcAddress,FreeLibrary,	9_2_00405DEC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040A6EE GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,lstrlenW,lstrlenW,lstrlenW,LoadStringW,LoadStringW,MessageBoxW,LoadStringW,GetSystemDirectoryW,LoadStringW,MessageBoxW,	9_2_0040A6EE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040CAB4 GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegDeleteValueW,RegDeleteValueW,RegCloseKey,CmFree,	9_2_0040CAB4

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: tnbws7pyQvMUSjF.exe PID: 7664, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 2CF9904 second address: 2CF990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 2CF9B7E second address: 2CF9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Memory allocated: 1310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Memory allocated: 4FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Memory allocated: 7F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Memory allocated: 8F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Memory allocated: 90C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Memory allocated: A0C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Memory allocated: A420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Memory allocated: B420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Memory allocated: C420000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5848	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3778	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2304	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7621	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 879	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 9753	Jump to behavior

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	API coverage: 1.8 %
Source: C:\Windows\SysWOW64\cmstp.exe	API coverage: 1.6 %

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe TID: 7692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5948	Thread sleep count: 2304 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5948	Thread sleep time: -4608000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5948	Thread sleep count: 7621 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5948	Thread sleep time: -15242000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7476	Thread sleep count: 220 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7476	Thread sleep time: -440000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7476	Thread sleep count: 9753 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7476	Thread sleep time: -19506000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040894B memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose,		9_2_0040894B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_0040B3C4 memset,GetPrivateProfileStringW,FindFirstFileW,memset,FindNextFileW,		9_2_0040B3C4

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_0040F80E GetSystemInfo,GetVersionExW,

9_2_0040F80E

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000007.00000002.3854031180.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: explorer.exe, 00000007.00000000.1408552220.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000003.2286137779.000000000928D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000007.00000003.2285772758.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: explorer.exe, 00000007.00000000.1408552220.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00=
Source: explorer.exe, 00000007.00000000.1421559530.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3854658121.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076935292.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000000.1421559530.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000002.3854031180.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000000.1408552220.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000003.2285772758.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000003.2286137779.000000000928D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000007.00000000.1408552220.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

Code function: 6_2_0040ACF0 LdrLoadDll,

6_2_0040ACF0

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A0124 mov eax, dword ptr fs:[00000030h]	6_2_012A0124
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01330115 mov eax, dword ptr fs:[00000030h]	6_2_01330115
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131A118 mov ecx, dword ptr fs:[00000030h]	6_2_0131A118
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131A118 mov eax, dword ptr fs:[00000030h]	6_2_0131A118
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131A118 mov eax, dword ptr fs:[00000030h]	6_2_0131A118
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131A118 mov eax, dword ptr fs:[00000030h]	6_2_0131A118
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01308158 mov eax, dword ptr fs:[00000030h]	6_2_01308158
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126C156 mov eax, dword ptr fs:[00000030h]	6_2_0126C156
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01276154 mov eax, dword ptr fs:[00000030h]	6_2_01276154
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01276154 mov eax, dword ptr fs:[00000030h]	6_2_01276154
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01304144 mov eax, dword ptr fs:[00000030h]	6_2_01304144
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01304144 mov eax, dword ptr fs:[00000030h]	6_2_01304144
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01304144 mov ecx, dword ptr fs:[00000030h]	6_2_01304144
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01304144 mov eax, dword ptr fs:[00000030h]	6_2_01304144
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01304144 mov eax, dword ptr fs:[00000030h]	6_2_01304144
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B0185 mov eax, dword ptr fs:[00000030h]	6_2_012B0185
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F019F mov eax, dword ptr fs:[00000030h]	6_2_012F019F
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F019F mov eax, dword ptr fs:[00000030h]	6_2_012F019F
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F019F mov eax, dword ptr fs:[00000030h]	6_2_012F019F
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F019F mov eax, dword ptr fs:[00000030h]	6_2_012F019F
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126A197 mov eax, dword ptr fs:[00000030h]	6_2_0126A197
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126A197 mov eax, dword ptr fs:[00000030h]	6_2_0126A197
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126A197 mov eax, dword ptr fs:[00000030h]	6_2_0126A197
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0132C188 mov eax, dword ptr fs:[00000030h]	6_2_0132C188
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0132C188 mov eax, dword ptr fs:[00000030h]	6_2_0132C188
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013461E5 mov eax, dword ptr fs:[00000030h]	6_2_013461E5
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A01F8 mov eax, dword ptr fs:[00000030h]	6_2_012A01F8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013361C3 mov eax, dword ptr fs:[00000030h]	6_2_013361C3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013361C3 mov eax, dword ptr fs:[00000030h]	6_2_013361C3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE1D0 mov eax, dword ptr fs:[00000030h]	6_2_012EE1D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE1D0 mov eax, dword ptr fs:[00000030h]	6_2_012EE1D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE1D0 mov ecx, dword ptr fs:[00000030h]	6_2_012EE1D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE1D0 mov eax, dword ptr fs:[00000030h]	6_2_012EE1D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE1D0 mov eax, dword ptr fs:[00000030h]	6_2_012EE1D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01306030 mov eax, dword ptr fs:[00000030h]	6_2_01306030
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126A020 mov eax, dword ptr fs:[00000030h]	6_2_0126A020
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126C020 mov eax, dword ptr fs:[00000030h]	6_2_0126C020
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F4000 mov ecx, dword ptr fs:[00000030h]	6_2_012F4000
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01312000 mov eax, dword ptr fs:[00000030h]	6_2_01312000
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01312000 mov eax, dword ptr fs:[00000030h]	6_2_01312000
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01312000 mov eax, dword ptr fs:[00000030h]	6_2_01312000
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01312000 mov eax, dword ptr fs:[00000030h]	6_2_01312000
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01312000 mov eax, dword ptr fs:[00000030h]	6_2_01312000
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01312000 mov eax, dword ptr fs:[00000030h]	6_2_01312000
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01312000 mov eax, dword ptr fs:[00000030h]	6_2_01312000
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01312000 mov eax, dword ptr fs:[00000030h]	6_2_01312000
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128E016 mov eax, dword ptr fs:[00000030h]	6_2_0128E016
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128E016 mov eax, dword ptr fs:[00000030h]	6_2_0128E016
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128E016 mov eax, dword ptr fs:[00000030h]	6_2_0128E016
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128E016 mov eax, dword ptr fs:[00000030h]	6_2_0128E016
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129C073 mov eax, dword ptr fs:[00000030h]	6_2_0129C073
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01272050 mov eax, dword ptr fs:[00000030h]	6_2_01272050
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F6050 mov eax, dword ptr fs:[00000030h]	6_2_012F6050
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013360B8 mov eax, dword ptr fs:[00000030h]	6_2_013360B8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013360B8 mov ecx, dword ptr fs:[00000030h]	6_2_013360B8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013080A8 mov eax, dword ptr fs:[00000030h]	6_2_013080A8
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127208A mov eax, dword ptr fs:[00000030h]	6_2_0127208A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0126A0E3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012780E9 mov eax, dword ptr fs:[00000030h]	6_2_012780E9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F60E0 mov eax, dword ptr fs:[00000030h]	6_2_012F60E0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0126C0F0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B20F0 mov ecx, dword ptr fs:[00000030h]	6_2_012B20F0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F20DE mov eax, dword ptr fs:[00000030h]	6_2_012F20DE
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AA30B mov eax, dword ptr fs:[00000030h]	6_2_012AA30B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AA30B mov eax, dword ptr fs:[00000030h]	6_2_012AA30B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AA30B mov eax, dword ptr fs:[00000030h]	6_2_012AA30B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126C310 mov ecx, dword ptr fs:[00000030h]	6_2_0126C310
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01290310 mov ecx, dword ptr fs:[00000030h]	6_2_01290310
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131437C mov eax, dword ptr fs:[00000030h]	6_2_0131437C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133A352 mov eax, dword ptr fs:[00000030h]	6_2_0133A352
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F2349 mov eax, dword ptr fs:[00000030h]	6_2_012F2349
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F035C mov eax, dword ptr fs:[00000030h]	6_2_012F035C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F035C mov eax, dword ptr fs:[00000030h]	6_2_012F035C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F035C mov eax, dword ptr fs:[00000030h]	6_2_012F035C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F035C mov ecx, dword ptr fs:[00000030h]	6_2_012F035C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F035C mov eax, dword ptr fs:[00000030h]	6_2_012F035C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F035C mov eax, dword ptr fs:[00000030h]	6_2_012F035C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129438F mov eax, dword ptr fs:[00000030h]	6_2_0129438F
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129438F mov eax, dword ptr fs:[00000030h]	6_2_0129438F
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126E388 mov eax, dword ptr fs:[00000030h]	6_2_0126E388
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126E388 mov eax, dword ptr fs:[00000030h]	6_2_0126E388
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126E388 mov eax, dword ptr fs:[00000030h]	6_2_0126E388
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01268397 mov eax, dword ptr fs:[00000030h]	6_2_01268397
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01268397 mov eax, dword ptr fs:[00000030h]	6_2_01268397
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01268397 mov eax, dword ptr fs:[00000030h]	6_2_01268397
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012803E9 mov eax, dword ptr fs:[00000030h]	6_2_012803E9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012803E9 mov eax, dword ptr fs:[00000030h]	6_2_012803E9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012803E9 mov eax, dword ptr fs:[00000030h]	6_2_012803E9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012803E9 mov eax, dword ptr fs:[00000030h]	6_2_012803E9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012803E9 mov eax, dword ptr fs:[00000030h]	6_2_012803E9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012803E9 mov eax, dword ptr fs:[00000030h]	6_2_012803E9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012803E9 mov eax, dword ptr fs:[00000030h]	6_2_012803E9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012803E9 mov eax, dword ptr fs:[00000030h]	6_2_012803E9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A63FF mov eax, dword ptr fs:[00000030h]	6_2_012A63FF
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0128E3F0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0128E3F0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0128E3F0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013143D4 mov eax, dword ptr fs:[00000030h]	6_2_013143D4
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013143D4 mov eax, dword ptr fs:[00000030h]	6_2_013143D4
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0127A3C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0127A3C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0127A3C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0127A3C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0127A3C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0127A3C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012783C0 mov eax, dword ptr fs:[00000030h]	6_2_012783C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012783C0 mov eax, dword ptr fs:[00000030h]	6_2_012783C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012783C0 mov eax, dword ptr fs:[00000030h]	6_2_012783C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012783C0 mov eax, dword ptr fs:[00000030h]	6_2_012783C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F63C0 mov eax, dword ptr fs:[00000030h]	6_2_012F63C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0132C3CD mov eax, dword ptr fs:[00000030h]	6_2_0132C3CD
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126823B mov eax, dword ptr fs:[00000030h]	6_2_0126823B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01320274 mov eax, dword ptr fs:[00000030h]	6_2_01320274
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01274260 mov eax, dword ptr fs:[00000030h]	6_2_01274260
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01274260 mov eax, dword ptr fs:[00000030h]	6_2_01274260
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01274260 mov eax, dword ptr fs:[00000030h]	6_2_01274260
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126826B mov eax, dword ptr fs:[00000030h]	6_2_0126826B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F8243 mov eax, dword ptr fs:[00000030h]	6_2_012F8243
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F8243 mov ecx, dword ptr fs:[00000030h]	6_2_012F8243
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126A250 mov eax, dword ptr fs:[00000030h]	6_2_0126A250
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01276259 mov eax, dword ptr fs:[00000030h]	6_2_01276259
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012802A0 mov eax, dword ptr fs:[00000030h]	6_2_012802A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012802A0 mov eax, dword ptr fs:[00000030h]	6_2_012802A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013062A0 mov eax, dword ptr fs:[00000030h]	6_2_013062A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013062A0 mov ecx, dword ptr fs:[00000030h]	6_2_013062A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013062A0 mov eax, dword ptr fs:[00000030h]	6_2_013062A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013062A0 mov eax, dword ptr fs:[00000030h]	6_2_013062A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013062A0 mov eax, dword ptr fs:[00000030h]	6_2_013062A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013062A0 mov eax, dword ptr fs:[00000030h]	6_2_013062A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F0283 mov eax, dword ptr fs:[00000030h]	6_2_012F0283
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F0283 mov eax, dword ptr fs:[00000030h]	6_2_012F0283
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F0283 mov eax, dword ptr fs:[00000030h]	6_2_012F0283
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE284 mov eax, dword ptr fs:[00000030h]	6_2_012AE284
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE284 mov eax, dword ptr fs:[00000030h]	6_2_012AE284
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012802E1 mov eax, dword ptr fs:[00000030h]	6_2_012802E1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012802E1 mov eax, dword ptr fs:[00000030h]	6_2_012802E1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012802E1 mov eax, dword ptr fs:[00000030h]	6_2_012802E1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0127A2C3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0127A2C3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0127A2C3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0127A2C3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0127A2C3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E53E mov eax, dword ptr fs:[00000030h]	6_2_0129E53E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E53E mov eax, dword ptr fs:[00000030h]	6_2_0129E53E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E53E mov eax, dword ptr fs:[00000030h]	6_2_0129E53E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E53E mov eax, dword ptr fs:[00000030h]	6_2_0129E53E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E53E mov eax, dword ptr fs:[00000030h]	6_2_0129E53E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280535 mov eax, dword ptr fs:[00000030h]	6_2_01280535
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280535 mov eax, dword ptr fs:[00000030h]	6_2_01280535
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280535 mov eax, dword ptr fs:[00000030h]	6_2_01280535
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280535 mov eax, dword ptr fs:[00000030h]	6_2_01280535
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280535 mov eax, dword ptr fs:[00000030h]	6_2_01280535
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280535 mov eax, dword ptr fs:[00000030h]	6_2_01280535
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01306500 mov eax, dword ptr fs:[00000030h]	6_2_01306500
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01344500 mov eax, dword ptr fs:[00000030h]	6_2_01344500
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01344500 mov eax, dword ptr fs:[00000030h]	6_2_01344500
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01344500 mov eax, dword ptr fs:[00000030h]	6_2_01344500
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01344500 mov eax, dword ptr fs:[00000030h]	6_2_01344500
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01344500 mov eax, dword ptr fs:[00000030h]	6_2_01344500
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01344500 mov eax, dword ptr fs:[00000030h]	6_2_01344500
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01344500 mov eax, dword ptr fs:[00000030h]	6_2_01344500
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A656A mov eax, dword ptr fs:[00000030h]	6_2_012A656A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A656A mov eax, dword ptr fs:[00000030h]	6_2_012A656A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A656A mov eax, dword ptr fs:[00000030h]	6_2_012A656A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278550 mov eax, dword ptr fs:[00000030h]	6_2_01278550
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278550 mov eax, dword ptr fs:[00000030h]	6_2_01278550
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F05A7 mov eax, dword ptr fs:[00000030h]	6_2_012F05A7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F05A7 mov eax, dword ptr fs:[00000030h]	6_2_012F05A7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F05A7 mov eax, dword ptr fs:[00000030h]	6_2_012F05A7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012945B1 mov eax, dword ptr fs:[00000030h]	6_2_012945B1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012945B1 mov eax, dword ptr fs:[00000030h]	6_2_012945B1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A4588 mov eax, dword ptr fs:[00000030h]	6_2_012A4588
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01272582 mov eax, dword ptr fs:[00000030h]	6_2_01272582
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01272582 mov ecx, dword ptr fs:[00000030h]	6_2_01272582
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE59C mov eax, dword ptr fs:[00000030h]	6_2_012AE59C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012725E0 mov eax, dword ptr fs:[00000030h]	6_2_012725E0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AC5ED mov eax, dword ptr fs:[00000030h]	6_2_012AC5ED
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AC5ED mov eax, dword ptr fs:[00000030h]	6_2_012AC5ED
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0129E5E7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0129E5E7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0129E5E7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0129E5E7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0129E5E7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0129E5E7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0129E5E7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0129E5E7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE5CF mov eax, dword ptr fs:[00000030h]	6_2_012AE5CF
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE5CF mov eax, dword ptr fs:[00000030h]	6_2_012AE5CF
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012765D0 mov eax, dword ptr fs:[00000030h]	6_2_012765D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AA5D0 mov eax, dword ptr fs:[00000030h]	6_2_012AA5D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AA5D0 mov eax, dword ptr fs:[00000030h]	6_2_012AA5D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126C427 mov eax, dword ptr fs:[00000030h]	6_2_0126C427
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126E420 mov eax, dword ptr fs:[00000030h]	6_2_0126E420
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126E420 mov eax, dword ptr fs:[00000030h]	6_2_0126E420
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126E420 mov eax, dword ptr fs:[00000030h]	6_2_0126E420
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F6420 mov eax, dword ptr fs:[00000030h]	6_2_012F6420
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F6420 mov eax, dword ptr fs:[00000030h]	6_2_012F6420
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F6420 mov eax, dword ptr fs:[00000030h]	6_2_012F6420
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F6420 mov eax, dword ptr fs:[00000030h]	6_2_012F6420
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F6420 mov eax, dword ptr fs:[00000030h]	6_2_012F6420
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F6420 mov eax, dword ptr fs:[00000030h]	6_2_012F6420
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F6420 mov eax, dword ptr fs:[00000030h]	6_2_012F6420
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AA430 mov eax, dword ptr fs:[00000030h]	6_2_012AA430
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A8402 mov eax, dword ptr fs:[00000030h]	6_2_012A8402
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A8402 mov eax, dword ptr fs:[00000030h]	6_2_012A8402
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A8402 mov eax, dword ptr fs:[00000030h]	6_2_012A8402
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FC460 mov ecx, dword ptr fs:[00000030h]	6_2_012FC460
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129A470 mov eax, dword ptr fs:[00000030h]	6_2_0129A470
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129A470 mov eax, dword ptr fs:[00000030h]	6_2_0129A470
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129A470 mov eax, dword ptr fs:[00000030h]	6_2_0129A470
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE443 mov eax, dword ptr fs:[00000030h]	6_2_012AE443
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE443 mov eax, dword ptr fs:[00000030h]	6_2_012AE443
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE443 mov eax, dword ptr fs:[00000030h]	6_2_012AE443
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE443 mov eax, dword ptr fs:[00000030h]	6_2_012AE443
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE443 mov eax, dword ptr fs:[00000030h]	6_2_012AE443
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE443 mov eax, dword ptr fs:[00000030h]	6_2_012AE443
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE443 mov eax, dword ptr fs:[00000030h]	6_2_012AE443
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AE443 mov eax, dword ptr fs:[00000030h]	6_2_012AE443
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129245A mov eax, dword ptr fs:[00000030h]	6_2_0129245A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126645D mov eax, dword ptr fs:[00000030h]	6_2_0126645D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012764AB mov eax, dword ptr fs:[00000030h]	6_2_012764AB
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A44B0 mov ecx, dword ptr fs:[00000030h]	6_2_012A44B0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FA4B0 mov eax, dword ptr fs:[00000030h]	6_2_012FA4B0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012704E5 mov ecx, dword ptr fs:[00000030h]	6_2_012704E5
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AC720 mov eax, dword ptr fs:[00000030h]	6_2_012AC720
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AC720 mov eax, dword ptr fs:[00000030h]	6_2_012AC720
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A273C mov eax, dword ptr fs:[00000030h]	6_2_012A273C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A273C mov ecx, dword ptr fs:[00000030h]	6_2_012A273C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A273C mov eax, dword ptr fs:[00000030h]	6_2_012A273C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EC730 mov eax, dword ptr fs:[00000030h]	6_2_012EC730
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AC700 mov eax, dword ptr fs:[00000030h]	6_2_012AC700
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270710 mov eax, dword ptr fs:[00000030h]	6_2_01270710
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A0710 mov eax, dword ptr fs:[00000030h]	6_2_012A0710
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278770 mov eax, dword ptr fs:[00000030h]	6_2_01278770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280770 mov eax, dword ptr fs:[00000030h]	6_2_01280770
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A674D mov esi, dword ptr fs:[00000030h]	6_2_012A674D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A674D mov eax, dword ptr fs:[00000030h]	6_2_012A674D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A674D mov eax, dword ptr fs:[00000030h]	6_2_012A674D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FE75D mov eax, dword ptr fs:[00000030h]	6_2_012FE75D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270750 mov eax, dword ptr fs:[00000030h]	6_2_01270750
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F4755 mov eax, dword ptr fs:[00000030h]	6_2_012F4755
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2750 mov eax, dword ptr fs:[00000030h]	6_2_012B2750
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2750 mov eax, dword ptr fs:[00000030h]	6_2_012B2750
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012707AF mov eax, dword ptr fs:[00000030h]	6_2_012707AF
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131678E mov eax, dword ptr fs:[00000030h]	6_2_0131678E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012927ED mov eax, dword ptr fs:[00000030h]	6_2_012927ED
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012927ED mov eax, dword ptr fs:[00000030h]	6_2_012927ED
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012927ED mov eax, dword ptr fs:[00000030h]	6_2_012927ED
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FE7E1 mov eax, dword ptr fs:[00000030h]	6_2_012FE7E1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012747FB mov eax, dword ptr fs:[00000030h]	6_2_012747FB
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012747FB mov eax, dword ptr fs:[00000030h]	6_2_012747FB
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0127C7C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F07C3 mov eax, dword ptr fs:[00000030h]	6_2_012F07C3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A6620 mov eax, dword ptr fs:[00000030h]	6_2_012A6620
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A8620 mov eax, dword ptr fs:[00000030h]	6_2_012A8620
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127262C mov eax, dword ptr fs:[00000030h]	6_2_0127262C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128E627 mov eax, dword ptr fs:[00000030h]	6_2_0128E627
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128260B mov eax, dword ptr fs:[00000030h]	6_2_0128260B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128260B mov eax, dword ptr fs:[00000030h]	6_2_0128260B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128260B mov eax, dword ptr fs:[00000030h]	6_2_0128260B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128260B mov eax, dword ptr fs:[00000030h]	6_2_0128260B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128260B mov eax, dword ptr fs:[00000030h]	6_2_0128260B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128260B mov eax, dword ptr fs:[00000030h]	6_2_0128260B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128260B mov eax, dword ptr fs:[00000030h]	6_2_0128260B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE609 mov eax, dword ptr fs:[00000030h]	6_2_012EE609
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B2619 mov eax, dword ptr fs:[00000030h]	6_2_012B2619
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AA660 mov eax, dword ptr fs:[00000030h]	6_2_012AA660
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AA660 mov eax, dword ptr fs:[00000030h]	6_2_012AA660
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133866E mov eax, dword ptr fs:[00000030h]	6_2_0133866E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133866E mov eax, dword ptr fs:[00000030h]	6_2_0133866E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A2674 mov eax, dword ptr fs:[00000030h]	6_2_012A2674
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128C640 mov eax, dword ptr fs:[00000030h]	6_2_0128C640
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AC6A6 mov eax, dword ptr fs:[00000030h]	6_2_012AC6A6
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A66B0 mov eax, dword ptr fs:[00000030h]	6_2_012A66B0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01274690 mov eax, dword ptr fs:[00000030h]	6_2_01274690
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01274690 mov eax, dword ptr fs:[00000030h]	6_2_01274690
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE6F2 mov eax, dword ptr fs:[00000030h]	6_2_012EE6F2
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE6F2 mov eax, dword ptr fs:[00000030h]	6_2_012EE6F2
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE6F2 mov eax, dword ptr fs:[00000030h]	6_2_012EE6F2
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE6F2 mov eax, dword ptr fs:[00000030h]	6_2_012EE6F2
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F06F1 mov eax, dword ptr fs:[00000030h]	6_2_012F06F1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F06F1 mov eax, dword ptr fs:[00000030h]	6_2_012F06F1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AA6C7 mov ebx, dword ptr fs:[00000030h]	6_2_012AA6C7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AA6C7 mov eax, dword ptr fs:[00000030h]	6_2_012AA6C7
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F892A mov eax, dword ptr fs:[00000030h]	6_2_012F892A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0130892B mov eax, dword ptr fs:[00000030h]	6_2_0130892B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE908 mov eax, dword ptr fs:[00000030h]	6_2_012EE908
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EE908 mov eax, dword ptr fs:[00000030h]	6_2_012EE908
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FC912 mov eax, dword ptr fs:[00000030h]	6_2_012FC912
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01268918 mov eax, dword ptr fs:[00000030h]	6_2_01268918
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01268918 mov eax, dword ptr fs:[00000030h]	6_2_01268918
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B096E mov eax, dword ptr fs:[00000030h]	6_2_012B096E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B096E mov edx, dword ptr fs:[00000030h]	6_2_012B096E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012B096E mov eax, dword ptr fs:[00000030h]	6_2_012B096E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01314978 mov eax, dword ptr fs:[00000030h]	6_2_01314978
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01314978 mov eax, dword ptr fs:[00000030h]	6_2_01314978
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01296962 mov eax, dword ptr fs:[00000030h]	6_2_01296962
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01296962 mov eax, dword ptr fs:[00000030h]	6_2_01296962
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01296962 mov eax, dword ptr fs:[00000030h]	6_2_01296962
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FC97C mov eax, dword ptr fs:[00000030h]	6_2_012FC97C
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F0946 mov eax, dword ptr fs:[00000030h]	6_2_012F0946
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012829A0 mov eax, dword ptr fs:[00000030h]	6_2_012829A0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012709AD mov eax, dword ptr fs:[00000030h]	6_2_012709AD
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012709AD mov eax, dword ptr fs:[00000030h]	6_2_012709AD
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F89B3 mov esi, dword ptr fs:[00000030h]	6_2_012F89B3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F89B3 mov eax, dword ptr fs:[00000030h]	6_2_012F89B3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F89B3 mov eax, dword ptr fs:[00000030h]	6_2_012F89B3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FE9E0 mov eax, dword ptr fs:[00000030h]	6_2_012FE9E0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A29F9 mov eax, dword ptr fs:[00000030h]	6_2_012A29F9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A29F9 mov eax, dword ptr fs:[00000030h]	6_2_012A29F9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133A9D3 mov eax, dword ptr fs:[00000030h]	6_2_0133A9D3
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_013069C0 mov eax, dword ptr fs:[00000030h]	6_2_013069C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0127A9D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0127A9D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0127A9D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0127A9D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0127A9D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0127A9D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A49D0 mov eax, dword ptr fs:[00000030h]	6_2_012A49D0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131483A mov eax, dword ptr fs:[00000030h]	6_2_0131483A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131483A mov eax, dword ptr fs:[00000030h]	6_2_0131483A
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AA830 mov eax, dword ptr fs:[00000030h]	6_2_012AA830
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01292835 mov eax, dword ptr fs:[00000030h]	6_2_01292835
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01292835 mov eax, dword ptr fs:[00000030h]	6_2_01292835
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01292835 mov eax, dword ptr fs:[00000030h]	6_2_01292835
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01292835 mov ecx, dword ptr fs:[00000030h]	6_2_01292835
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01292835 mov eax, dword ptr fs:[00000030h]	6_2_01292835
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01292835 mov eax, dword ptr fs:[00000030h]	6_2_01292835
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FC810 mov eax, dword ptr fs:[00000030h]	6_2_012FC810
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01306870 mov eax, dword ptr fs:[00000030h]	6_2_01306870
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01306870 mov eax, dword ptr fs:[00000030h]	6_2_01306870
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FE872 mov eax, dword ptr fs:[00000030h]	6_2_012FE872
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FE872 mov eax, dword ptr fs:[00000030h]	6_2_012FE872
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01282840 mov ecx, dword ptr fs:[00000030h]	6_2_01282840
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01274859 mov eax, dword ptr fs:[00000030h]	6_2_01274859
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01274859 mov eax, dword ptr fs:[00000030h]	6_2_01274859
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A0854 mov eax, dword ptr fs:[00000030h]	6_2_012A0854
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270887 mov eax, dword ptr fs:[00000030h]	6_2_01270887
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FC89D mov eax, dword ptr fs:[00000030h]	6_2_012FC89D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AC8F9 mov eax, dword ptr fs:[00000030h]	6_2_012AC8F9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AC8F9 mov eax, dword ptr fs:[00000030h]	6_2_012AC8F9
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133A8E4 mov eax, dword ptr fs:[00000030h]	6_2_0133A8E4
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129E8C0 mov eax, dword ptr fs:[00000030h]	6_2_0129E8C0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129EB20 mov eax, dword ptr fs:[00000030h]	6_2_0129EB20
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129EB20 mov eax, dword ptr fs:[00000030h]	6_2_0129EB20
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01338B28 mov eax, dword ptr fs:[00000030h]	6_2_01338B28
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01338B28 mov eax, dword ptr fs:[00000030h]	6_2_01338B28
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EEB1D mov eax, dword ptr fs:[00000030h]	6_2_012EEB1D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EEB1D mov eax, dword ptr fs:[00000030h]	6_2_012EEB1D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EEB1D mov eax, dword ptr fs:[00000030h]	6_2_012EEB1D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EEB1D mov eax, dword ptr fs:[00000030h]	6_2_012EEB1D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EEB1D mov eax, dword ptr fs:[00000030h]	6_2_012EEB1D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EEB1D mov eax, dword ptr fs:[00000030h]	6_2_012EEB1D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EEB1D mov eax, dword ptr fs:[00000030h]	6_2_012EEB1D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EEB1D mov eax, dword ptr fs:[00000030h]	6_2_012EEB1D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012EEB1D mov eax, dword ptr fs:[00000030h]	6_2_012EEB1D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0126CB7E mov eax, dword ptr fs:[00000030h]	6_2_0126CB7E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01306B40 mov eax, dword ptr fs:[00000030h]	6_2_01306B40
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01306B40 mov eax, dword ptr fs:[00000030h]	6_2_01306B40
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0133AB40 mov eax, dword ptr fs:[00000030h]	6_2_0133AB40
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01318B42 mov eax, dword ptr fs:[00000030h]	6_2_01318B42
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280BBE mov eax, dword ptr fs:[00000030h]	6_2_01280BBE
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280BBE mov eax, dword ptr fs:[00000030h]	6_2_01280BBE
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129EBFC mov eax, dword ptr fs:[00000030h]	6_2_0129EBFC
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278BF0 mov eax, dword ptr fs:[00000030h]	6_2_01278BF0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278BF0 mov eax, dword ptr fs:[00000030h]	6_2_01278BF0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278BF0 mov eax, dword ptr fs:[00000030h]	6_2_01278BF0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FCBF0 mov eax, dword ptr fs:[00000030h]	6_2_012FCBF0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0131EBD0 mov eax, dword ptr fs:[00000030h]	6_2_0131EBD0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01290BCB mov eax, dword ptr fs:[00000030h]	6_2_01290BCB
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01290BCB mov eax, dword ptr fs:[00000030h]	6_2_01290BCB
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01290BCB mov eax, dword ptr fs:[00000030h]	6_2_01290BCB
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270BCD mov eax, dword ptr fs:[00000030h]	6_2_01270BCD
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270BCD mov eax, dword ptr fs:[00000030h]	6_2_01270BCD
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270BCD mov eax, dword ptr fs:[00000030h]	6_2_01270BCD
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0129EA2E mov eax, dword ptr fs:[00000030h]	6_2_0129EA2E
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012ACA24 mov eax, dword ptr fs:[00000030h]	6_2_012ACA24
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012ACA38 mov eax, dword ptr fs:[00000030h]	6_2_012ACA38
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01294A35 mov eax, dword ptr fs:[00000030h]	6_2_01294A35
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01294A35 mov eax, dword ptr fs:[00000030h]	6_2_01294A35
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012FCA11 mov eax, dword ptr fs:[00000030h]	6_2_012FCA11
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012ACA6F mov eax, dword ptr fs:[00000030h]	6_2_012ACA6F
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012ACA6F mov eax, dword ptr fs:[00000030h]	6_2_012ACA6F
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012ACA6F mov eax, dword ptr fs:[00000030h]	6_2_012ACA6F
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012ECA72 mov eax, dword ptr fs:[00000030h]	6_2_012ECA72
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012ECA72 mov eax, dword ptr fs:[00000030h]	6_2_012ECA72
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280A5B mov eax, dword ptr fs:[00000030h]	6_2_01280A5B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01280A5B mov eax, dword ptr fs:[00000030h]	6_2_01280A5B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01276A50 mov eax, dword ptr fs:[00000030h]	6_2_01276A50
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01276A50 mov eax, dword ptr fs:[00000030h]	6_2_01276A50
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01276A50 mov eax, dword ptr fs:[00000030h]	6_2_01276A50
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01276A50 mov eax, dword ptr fs:[00000030h]	6_2_01276A50
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01276A50 mov eax, dword ptr fs:[00000030h]	6_2_01276A50
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01276A50 mov eax, dword ptr fs:[00000030h]	6_2_01276A50
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01276A50 mov eax, dword ptr fs:[00000030h]	6_2_01276A50
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278AA0 mov eax, dword ptr fs:[00000030h]	6_2_01278AA0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278AA0 mov eax, dword ptr fs:[00000030h]	6_2_01278AA0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012C6AA4 mov eax, dword ptr fs:[00000030h]	6_2_012C6AA4
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127EA80 mov eax, dword ptr fs:[00000030h]	6_2_0127EA80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127EA80 mov eax, dword ptr fs:[00000030h]	6_2_0127EA80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127EA80 mov eax, dword ptr fs:[00000030h]	6_2_0127EA80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127EA80 mov eax, dword ptr fs:[00000030h]	6_2_0127EA80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127EA80 mov eax, dword ptr fs:[00000030h]	6_2_0127EA80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127EA80 mov eax, dword ptr fs:[00000030h]	6_2_0127EA80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127EA80 mov eax, dword ptr fs:[00000030h]	6_2_0127EA80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127EA80 mov eax, dword ptr fs:[00000030h]	6_2_0127EA80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127EA80 mov eax, dword ptr fs:[00000030h]	6_2_0127EA80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01344A80 mov eax, dword ptr fs:[00000030h]	6_2_01344A80
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A8A90 mov edx, dword ptr fs:[00000030h]	6_2_012A8A90
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AAAEE mov eax, dword ptr fs:[00000030h]	6_2_012AAAEE
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012AAAEE mov eax, dword ptr fs:[00000030h]	6_2_012AAAEE
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012C6ACC mov eax, dword ptr fs:[00000030h]	6_2_012C6ACC
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012C6ACC mov eax, dword ptr fs:[00000030h]	6_2_012C6ACC
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012C6ACC mov eax, dword ptr fs:[00000030h]	6_2_012C6ACC
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270AD0 mov eax, dword ptr fs:[00000030h]	6_2_01270AD0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A4AD0 mov eax, dword ptr fs:[00000030h]	6_2_012A4AD0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A4AD0 mov eax, dword ptr fs:[00000030h]	6_2_012A4AD0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012F8D20 mov eax, dword ptr fs:[00000030h]	6_2_012F8D20
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01328D10 mov eax, dword ptr fs:[00000030h]	6_2_01328D10
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01328D10 mov eax, dword ptr fs:[00000030h]	6_2_01328D10
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128AD00 mov eax, dword ptr fs:[00000030h]	6_2_0128AD00
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128AD00 mov eax, dword ptr fs:[00000030h]	6_2_0128AD00
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0128AD00 mov eax, dword ptr fs:[00000030h]	6_2_0128AD00
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01266D10 mov eax, dword ptr fs:[00000030h]	6_2_01266D10
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01266D10 mov eax, dword ptr fs:[00000030h]	6_2_01266D10
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01266D10 mov eax, dword ptr fs:[00000030h]	6_2_01266D10
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A4D1D mov eax, dword ptr fs:[00000030h]	6_2_012A4D1D
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01308D6B mov eax, dword ptr fs:[00000030h]	6_2_01308D6B
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270D59 mov eax, dword ptr fs:[00000030h]	6_2_01270D59
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270D59 mov eax, dword ptr fs:[00000030h]	6_2_01270D59
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01270D59 mov eax, dword ptr fs:[00000030h]	6_2_01270D59
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278D59 mov eax, dword ptr fs:[00000030h]	6_2_01278D59
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278D59 mov eax, dword ptr fs:[00000030h]	6_2_01278D59
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278D59 mov eax, dword ptr fs:[00000030h]	6_2_01278D59
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278D59 mov eax, dword ptr fs:[00000030h]	6_2_01278D59
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01278D59 mov eax, dword ptr fs:[00000030h]	6_2_01278D59
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012A6DA0 mov eax, dword ptr fs:[00000030h]	6_2_012A6DA0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01298DBF mov eax, dword ptr fs:[00000030h]	6_2_01298DBF
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01298DBF mov eax, dword ptr fs:[00000030h]	6_2_01298DBF
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01344DAD mov eax, dword ptr fs:[00000030h]	6_2_01344DAD
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012ACDB1 mov ecx, dword ptr fs:[00000030h]	6_2_012ACDB1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012ACDB1 mov eax, dword ptr fs:[00000030h]	6_2_012ACDB1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_012ACDB1 mov eax, dword ptr fs:[00000030h]	6_2_012ACDB1
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01338DAE mov eax, dword ptr fs:[00000030h]	6_2_01338DAE
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01338DAE mov eax, dword ptr fs:[00000030h]	6_2_01338DAE
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01310DF0 mov eax, dword ptr fs:[00000030h]	6_2_01310DF0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_01310DF0 mov eax, dword ptr fs:[00000030h]	6_2_01310DF0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127ADE0 mov eax, dword ptr fs:[00000030h]	6_2_0127ADE0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127ADE0 mov eax, dword ptr fs:[00000030h]	6_2_0127ADE0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127ADE0 mov eax, dword ptr fs:[00000030h]	6_2_0127ADE0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127ADE0 mov eax, dword ptr fs:[00000030h]	6_2_0127ADE0
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Code function: 6_2_0127ADE0 mov eax, dword ptr fs:[00000030h]	6_2_0127ADE0

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_00410040 WideCharToMultiByte,GetFileVersionInfoSizeA,GetLastError,GetProcessHeap,HeapAlloc,GetFileVersionInfoA,GetLastError,VerQueryValueA,VerQueryValueA,HeapFree,

9_2_00410040

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_00411720 SetUnhandledExceptionFilter,		9_2_00411720
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 9_2_004114D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		9_2_004114D0

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	NtQueueApcThread: Indirect: 0x177A4F2			Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	NtClose: Indirect: 0x177A56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

Memory written: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Thread register set: target process: 4084			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 4084			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 400000

Jump to behavior

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process created: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Process created: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_00408DB2 AllocateAndInitializeSid,GetModuleHandleA,LoadLibraryExA,GetProcAddress,FreeSid,FreeLibrary,

9_2_00408DB2

Source: explorer.exe, 00000007.00000003.2284429922.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1413908531.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3854765237.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.3847852434.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1408552220.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1409861632.0000000001091000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.1409861632.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3848290732.0000000001091000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: explorer.exe, 00000007.00000000.1409861632.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3848290732.0000000001091000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000003.2284429922.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3854765237.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd]1Q

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Queries volume information: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_00411945 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

9_2_00411945

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 9_2_0040F80E GetSystemInfo,GetVersionExW,

9_2_0040F80E

Source: C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tnbws7pyQvMUSjF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tnbws7pyQvMUSjF.exe.4a84220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tnbws7pyQvMUSjF.exe.4a14600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	512 Process Injection	11 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Abuse Elevation Control Mechanism	DCSync	215 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Timestomp	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tnbws7pyQvMUSjF.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
tnbws7pyQvMUSjF.exe	67%	Virustotal		Browse
tnbws7pyQvMUSjF.exe	100%	Avira	HEUR/AGEN.1305639
tnbws7pyQvMUSjF.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.urelook.xyz	0%	Virustotal	Browse
www.lecrtort.net	0%	Virustotal	Browse
www.essislotgoal14.xyz	0%	Virustotal	Browse
www.gearlpfbm.top	0%	Virustotal	Browse
www.aylocnuocionkiem.website	0%	Virustotal	Browse
www.xhibitonenotary.info	0%	Virustotal	Browse
www.milelab.pro	0%	Virustotal	Browse
www.6ae23rx.forum	0%	Virustotal	Browse
www.dnusaunni05.sbs	0%	Virustotal	Browse
www.ruvabetgiris.website	0%	Virustotal	Browse
www.destramentoemcasa.shop	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
http://www.lecrtort.net	0%	Virustotal		Browse
http://www.gearlpfbm.top/t18n/	1%	Virustotal		Browse
http://www.milelab.pro	0%	Virustotal		Browse
http://www.destramentoemcasa.shop/t18n/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.urelook.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.essislotgoal14.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.lecrtort.net	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.ruvabetgiris.website	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.milelab.pro	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.destramentoemcasa.shop	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.aylocnuocionkiem.website	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.gearlpfbm.top	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.6ae23rx.forum	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.xhibitonenotary.info	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.dnusaunni05.sbs	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.xhibitonenotary.info/t18n/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.aylocnuocionkiem.websiteReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comer	explorer.exe, 00000007.00000000.1426705990.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3857695739.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.dnusaunni05.sbsReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.gearlpfbm.topReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOSA4	explorer.exe, 00000007.00000002.3857695739.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1426705990.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000007.00000002.3854031180.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.lecrtort.net	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://excel.office.com	explorer.exe, 00000007.00000000.1426705990.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3857695739.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.destramentoemcasa.shop/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.gearlpfbm.top/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.milelab.pro	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.enisekran.xyz/t18n/www.ozyjtmt.christmas	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.sphaltpaving-ttp1-shd-us-2.shop/t18n/	explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lecrtort.net/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.microsoft.c	explorer.exe, 00000007.00000002.3854658121.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3076935292.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.0000000009237000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.dnusaunni05.sbs	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	tnbws7pyQvMUSjF.exe, 00000000.00000002.1411362800.00000000031E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://android.notify.windows.com/iOSd	explorer.exe, 00000007.00000002.3857695739.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1426705990.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.essislotgoal14.xyzReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.lecrtort.netReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.destramentoemcasa.shop	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.destramentoemcasa.shop/t18n/www.essislotgoal14.xyz	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.dnusaunni05.sbs/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.dnusaunni05.sbs/t18n/www.lecrtort.net	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.com	explorer.exe, 00000007.00000000.1426705990.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3857695739.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ruvabetgiris.website/t18n/www.bresz.xyz	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.essislotgoal14.xyz/t18n/www.enisekran.xyz	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.xhibitonenotary.info/t18n/www.aylocnuocionkiem.website	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.milelab.proReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000007.00000002.3857695739.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1426705990.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000007.00000002.3857695739.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1426705990.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lotehupi.shop/t18n/www.sphaltpaving-ttp1-shd-us-2.shop	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000007.00000002.3854031180.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1421559530.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2284429922.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.6ae23rx.forum	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ruvabetgiris.website/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ruvabetgiris.websiteReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.urelook.xyz/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.6ae23rx.forum/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.bresz.xyzReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.urelook.xyz/t18n/www.6ae23rx.forum	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 00000007.00000000.1417862053.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1417841209.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1411129106.0000000002C80000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/EM0	explorer.exe, 00000007.00000000.1426705990.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.aylocnuocionkiem.website/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.enisekran.xyzReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.milelab.pro/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.xhibitonenotary.info/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.milelab.pro/t18n/www.dnusaunni05.sbs	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lotehupi.shop	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.bresz.xyz	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.bresz.xyz/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.destramentoemcasa.shopReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.xhibitonenotary.infoReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.bresz.xyz/t18n/www.urelook.xyz	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.enisekran.xyz	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.sphaltpaving-ttp1-shd-us-2.shop	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.urelook.xyzReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lotehupi.shopReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.aylocnuocionkiem.website	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.essislotgoal14.xyz/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ozyjtmt.christmas/t18n/www.lotehupi.shop	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.lotehupi.shop/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://ns.adobeS	explorer.exe, 00000007.00000000.1413529906.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3849810107.0000000004405000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ruvabetgiris.website	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.6ae23rx.forum/t18n/www.gearlpfbm.top	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.sphaltpaving-ttp1-shd-us-2.shopReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.aylocnuocionkiem.website/t18n/www.milelab.pro	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc	explorer.exe, 00000007.00000002.3850684822.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1414665064.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ozyjtmt.christmas/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.urelook.xyz	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://word.office.com48	explorer.exe, 00000007.00000000.1426705990.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3857695739.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.enisekran.xyz/t18n/	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.gearlpfbm.top	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.essislotgoal14.xyz	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.6ae23rx.forumReferer:	explorer.exe, 00000007.00000003.2286972160.000000000C133000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3859530494.000000000C127000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3078507753.000000000C132000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527842
Start date and time:	2024-10-07 10:39:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	tnbws7pyQvMUSjF.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@14/6@11/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 204 Number of non-executed functions: 302
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:40:11	API Interceptor	1x Sleep call for process: tnbws7pyQvMUSjF.exe modified
04:40:13	API Interceptor	13x Sleep call for process: powershell.exe modified
04:40:20	API Interceptor	7560411x Sleep call for process: explorer.exe modified
04:40:58	API Interceptor	6612749x Sleep call for process: cmstp.exe modified

Process:	C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//MPUyus:lGLHxvIIwLgZ2KRHWLOugss
MD5:	B9CC5EFE1FBFE7397745E31421CA5C07
SHA1:	604EEA678D7007BA23FBC85A5A550F4596B1ACCB
SHA-256:	0005DDD738AFA412C3B0ACB08186879CF788634D076242DC9DA13EC595EB7775
SHA-512:	CB9B6917A2A94C8AB476C4F4547284F7BB81A2F8AA8E75C8982E277A3F78F6D2408FDC82BEBD9C5EC56ADB8C2C1C1D9DE7A0F51285D86D39C74415A6D2508FA3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kqi12ac.5ys.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ekohflb5.uah.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_puqmwdli.dyy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sekfrt1b.201.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.4304409346504725
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	tnbws7pyQvMUSjF.exe
File size:	748'544 bytes
MD5:	17a1259bd9c1cb80ac8d105d513bed7f
SHA1:	cae2ad2f6a8055ad2145e25324d29033fe1133ae
SHA256:	03b5cfab3f0ffdf96e415006004be9a0c05e6365e1d5834984cfd5cea9df85fe
SHA512:	f3edf3d6e0c10fd71e411c78fc7af1db10c0c4d56cc796dac113eae2afe96ff30eceb4d0c275a48bded4aeeb353e1a6d22f19f754baf1fd218b8fdaa63ff12b0
SSDEEP:	12288:XTrw1bZZn9LJ/x0NHhVdAU/ocoHqXNAN5sNUEj+CQBuxXF29cGNzw1ZW6bEm7N52:DrwLZnR30xhDLocIqXN8u+CQ0FJGVuZN
TLSH:	6BF427BAD1211F82DA173EB048182B413F3CBA7F5A74527C4FD20CA4429DDB9C964BAD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..`...........~... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b7e0a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBEAD93A9 [Sun May 17 00:02:49 2071 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7db8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0x62c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb6308	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb5e10	0xb6000	ff72b76e4296633eb1851eb5572358a9	False	0.7689785800137363	data	7.434680807200467	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0x62c	0x800	f21aa5df427f398a0505d674e9164fa0	False	0.337890625	data	3.467971519221801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	bb3ab97fd92c11124ebfebc33d493b31	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb8090	0x39c	data			0.420995670995671
RT_MANIFEST	0xb843c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 10:40:51.685708046 CEST	56360	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:40:51.694446087 CEST	53	56360	1.1.1.1	192.168.2.8
Oct 7, 2024 10:41:31.701221943 CEST	61621	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:41:31.710576057 CEST	53	61621	1.1.1.1	192.168.2.8
Oct 7, 2024 10:41:52.294532061 CEST	52833	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:41:52.307439089 CEST	53	52833	1.1.1.1	192.168.2.8
Oct 7, 2024 10:42:12.768515110 CEST	62308	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:42:12.861042976 CEST	53	62308	1.1.1.1	192.168.2.8
Oct 7, 2024 10:42:33.232618093 CEST	64404	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:42:33.247456074 CEST	53	64404	1.1.1.1	192.168.2.8
Oct 7, 2024 10:42:53.701083899 CEST	55213	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:42:53.710244894 CEST	53	55213	1.1.1.1	192.168.2.8
Oct 7, 2024 10:43:14.188594103 CEST	51461	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:43:14.208576918 CEST	53	51461	1.1.1.1	192.168.2.8
Oct 7, 2024 10:43:35.407943010 CEST	59909	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:43:35.416449070 CEST	53	59909	1.1.1.1	192.168.2.8
Oct 7, 2024 10:43:56.355993032 CEST	55543	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:43:56.366086006 CEST	53	55543	1.1.1.1	192.168.2.8
Oct 7, 2024 10:44:17.107520103 CEST	57131	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:44:17.117014885 CEST	53	57131	1.1.1.1	192.168.2.8
Oct 7, 2024 10:44:39.719050884 CEST	61872	53	192.168.2.8	1.1.1.1
Oct 7, 2024 10:44:39.831641912 CEST	53	61872	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 10:40:51.685708046 CEST	192.168.2.8	1.1.1.1	0xf72d	Standard query (0)	www.ruvabetgiris.website	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:41:31.701221943 CEST	192.168.2.8	1.1.1.1	0x5d83	Standard query (0)	www.urelook.xyz	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:41:52.294532061 CEST	192.168.2.8	1.1.1.1	0x3a78	Standard query (0)	www.6ae23rx.forum	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:42:12.768515110 CEST	192.168.2.8	1.1.1.1	0x54aa	Standard query (0)	www.gearlpfbm.top	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:42:33.232618093 CEST	192.168.2.8	1.1.1.1	0x14a6	Standard query (0)	www.xhibitonenotary.info	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:42:53.701083899 CEST	192.168.2.8	1.1.1.1	0xaccf	Standard query (0)	www.aylocnuocionkiem.website	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:43:14.188594103 CEST	192.168.2.8	1.1.1.1	0xd697	Standard query (0)	www.milelab.pro	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:43:35.407943010 CEST	192.168.2.8	1.1.1.1	0x8d7c	Standard query (0)	www.dnusaunni05.sbs	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:43:56.355993032 CEST	192.168.2.8	1.1.1.1	0xe1da	Standard query (0)	www.lecrtort.net	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:44:17.107520103 CEST	192.168.2.8	1.1.1.1	0x1696	Standard query (0)	www.destramentoemcasa.shop	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:44:39.719050884 CEST	192.168.2.8	1.1.1.1	0x34e6	Standard query (0)	www.essislotgoal14.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 10:40:51.694446087 CEST	1.1.1.1	192.168.2.8	0xf72d	Name error (3)	www.ruvabetgiris.website	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:41:31.710576057 CEST	1.1.1.1	192.168.2.8	0x5d83	Name error (3)	www.urelook.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:41:52.307439089 CEST	1.1.1.1	192.168.2.8	0x3a78	Name error (3)	www.6ae23rx.forum	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:42:12.861042976 CEST	1.1.1.1	192.168.2.8	0x54aa	Name error (3)	www.gearlpfbm.top	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:42:33.247456074 CEST	1.1.1.1	192.168.2.8	0x14a6	Name error (3)	www.xhibitonenotary.info	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:42:53.710244894 CEST	1.1.1.1	192.168.2.8	0xaccf	Name error (3)	www.aylocnuocionkiem.website	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:43:14.208576918 CEST	1.1.1.1	192.168.2.8	0xd697	Name error (3)	www.milelab.pro	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:43:35.416449070 CEST	1.1.1.1	192.168.2.8	0x8d7c	Name error (3)	www.dnusaunni05.sbs	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:43:56.366086006 CEST	1.1.1.1	192.168.2.8	0xe1da	Name error (3)	www.lecrtort.net	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:44:17.117014885 CEST	1.1.1.1	192.168.2.8	0x1696	Name error (3)	www.destramentoemcasa.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 7, 2024 10:44:39.831641912 CEST	1.1.1.1	192.168.2.8	0x34e6	Name error (3)	www.essislotgoal14.xyz	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:40:10
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"
Imagebase:	0xbf0000
File size:	748'544 bytes
MD5 hash:	17A1259BD9C1CB80AC8D105D513BED7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1412416832.0000000004842000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:40:11
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"
Imagebase:	0xe70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:40:11
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"
Imagebase:	0xb0000
File size:	748'544 bytes
MD5 hash:	17A1259BD9C1CB80AC8D105D513BED7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:40:11
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:40:11
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"
Imagebase:	0x790000
File size:	748'544 bytes
MD5 hash:	17A1259BD9C1CB80AC8D105D513BED7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:40:12
Start date:	07/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	04:40:14
Start date:	07/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	04:40:16
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\cmstp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cmstp.exe"
Imagebase:	0x400000
File size:	81'920 bytes
MD5 hash:	D7AABFAB5BEFD53BA3A27BD48F3CC675
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3847974925.0000000003070000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3848322868.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	04:40:19
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\tnbws7pyQvMUSjF.exe"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:40:19
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	157
Total number of Limit Nodes:	6

Executed Functions

Function 0560AC50 Relevance: 3.9, Strings: 3, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

NvTt, xrefs: 0560AD18
'<"C, xrefs: 0560ADB7
'<"C, xrefs: 0560ADB0

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: '<"C$'<"C$NvTt
API String ID: 0-1787953242
Opcode ID: 4d0ce49fd56e1c1263ea9eef739482cd5722e8925965f577c95247250573ef10
Instruction ID: 225d1201b1f083adf4d24033c47a62bd96bcd1e47577b89c18283d708589cc38
Opcode Fuzzy Hash: 4d0ce49fd56e1c1263ea9eef739482cd5722e8925965f577c95247250573ef10
Instruction Fuzzy Hash: 7E51C6B4E10219DBCB08CFE6D5855AEFBF2BF88310F14A42AE416A7354E7345A46CF54

Function 0560AC40 Relevance: 3.9, Strings: 3, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

NvTt, xrefs: 0560AD18
'<"C, xrefs: 0560ADB7
'<"C, xrefs: 0560ADB0

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: '<"C$'<"C$NvTt
API String ID: 0-1787953242
Opcode ID: 39990b04aaaaad6d554d2e9979f32968943bb99ab9b2ec3ef274d299c36fb7a2
Instruction ID: 6ef9b512318667b9c8f3fcbc84f6629bae3300bd98d2185d48a9ccca55340b00
Opcode Fuzzy Hash: 39990b04aaaaad6d554d2e9979f32968943bb99ab9b2ec3ef274d299c36fb7a2
Instruction Fuzzy Hash: 6951D4B5E102099BCB08CFE5D5855AEFBF2BF88310F14A42AE416A7394E7345A46CF50

Function 05606900 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

V3~, xrefs: 056069A6

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: V3~
API String ID: 0-1917302123
Opcode ID: d54d3e7d61cdb0b306aac894ec1e471715cd7299e3b1c4b62d0626ad438b74ba
Instruction ID: d7d6e2d1ba157083d404e52539ccdde7d4647430b335ffe820d6c33fbe2ca803
Opcode Fuzzy Hash: d54d3e7d61cdb0b306aac894ec1e471715cd7299e3b1c4b62d0626ad438b74ba
Instruction Fuzzy Hash: 14510A70E1421A8FDF08CFA9C5406AEFBF2FB88300F24D52AD419B7294D7349951CBA5

Function 056068F1 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

V3~, xrefs: 056069A6

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: V3~
API String ID: 0-1917302123
Opcode ID: 1f03fba1b814cfeeb03b0ceb5c820196f3a64f4642c88529abaaab5d05b40cf8
Instruction ID: 1a067551041fac055a82ed2917b733566c4fc8fbda33e91c15213ae0a643547b
Opcode Fuzzy Hash: 1f03fba1b814cfeeb03b0ceb5c820196f3a64f4642c88529abaaab5d05b40cf8
Instruction Fuzzy Hash: C9511DB0E0421A8FDB08CF99C9446AEFBF2FF88300F14D56AD519B7294D7349952CB95

Function 05608160 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974a80c3a4c5466992360d5420865878577075f5c14c932e72d36957ce58ff00
Instruction ID: 3b0f78b02ab66e51452a5725f34fc20ff882f714627461d51e6fef09f17e22e6
Opcode Fuzzy Hash: 974a80c3a4c5466992360d5420865878577075f5c14c932e72d36957ce58ff00
Instruction Fuzzy Hash: A9F18CB1D0060ADBCB18CFA9C8829AFFBB2FF95310B54A165D405AB395D734E942CF90

Function 05608250 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f284fff1bd711be8f8029fc668f0033046e077da89cfa34be63bcd3ac61d496c
Instruction ID: 0630f0efd0c383613756b30ed83a61e700dce8b43142053dd622e1f0cd0e6d6b
Opcode Fuzzy Hash: f284fff1bd711be8f8029fc668f0033046e077da89cfa34be63bcd3ac61d496c
Instruction Fuzzy Hash: 68D14C74D1460ADFCB18CFA9C4818AFFBB2FF89300B54A565D415AB354D734AA82CF94

Function 05605CD8 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c593922af3a9c668d7f02cf06e77bd81f5261c5d1f2ae00f094388a6b6fb4e1
Instruction ID: 97bd88c38b2202c9762cbdec482a670913fc832d84a3b069d23dc2dcbe537bbd
Opcode Fuzzy Hash: 8c593922af3a9c668d7f02cf06e77bd81f5261c5d1f2ae00f094388a6b6fb4e1
Instruction Fuzzy Hash: 83A12A75E112099FDB08CFA5C885AEEBFB2FF98310F54902AE416AB394D7319806CF54

Function 05605D2B Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ca35c976b696c5e289330df5d8a30ce13c966ae8f60702a1f27f57219b4070
Instruction ID: 41783eabafb0600d02a58bad38054f4a6b8b8bb4a1c87b65ec4706607a19254a
Opcode Fuzzy Hash: 46ca35c976b696c5e289330df5d8a30ce13c966ae8f60702a1f27f57219b4070
Instruction Fuzzy Hash: 3C91F875E112199FDB08CFA9C885AEEFBB2FF98310F14902AD816AB354D7319906CF54

Function 0560CF01 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2769860a90a6b6a54949a562007e819cd2d11a7e2b4027b60366e48efd59ce1b
Instruction ID: 6a1a40b0db416dc7cb6aab02acbcbb6ef56f1612cefc70674608e70a9fbc37d4
Opcode Fuzzy Hash: 2769860a90a6b6a54949a562007e819cd2d11a7e2b4027b60366e48efd59ce1b
Instruction Fuzzy Hash: 93812875E04209DFDB08CFEAD8859AEFBB2FF89310F14952AE415AB264D7309946CF11

Function 05605D90 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2a367bb2f1d9071c1649391f1a1c57d2391e0ca0120d9cdfb3e0413fff98ea
Instruction ID: 521a0ccf1464760a936f9112305963c73c7725f181c9192f0ae6f0cc1e7c0af8
Opcode Fuzzy Hash: 2a2a367bb2f1d9071c1649391f1a1c57d2391e0ca0120d9cdfb3e0413fff98ea
Instruction Fuzzy Hash: AB819474E112198FDB08DFA9C984AAEFBB2FF88300F14912AD816BB354DB355946CF54

Function 0560CF78 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca75b9dc4f08a3a809f45f7ad714f11100d9b1a86519a097315a14220d4d5f6d
Instruction ID: f8146f93c6c85c9255102ddbc06384e05d3c38829b156710f2c3e1f36b2a4374
Opcode Fuzzy Hash: ca75b9dc4f08a3a809f45f7ad714f11100d9b1a86519a097315a14220d4d5f6d
Instruction Fuzzy Hash: BB71F670D05209DFDB08CFEAD5849AEFBB2FF89310F10952AE416AB264DB309946CF51

Function 0560CF69 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bb587bc97b178a2d9af224d57e689795276320725a3f272867fac8785c6add
Instruction ID: 60b7bfa2f136bf93a82531e854b814352fa294df0e2a80e4bdfdf792b9005dd3
Opcode Fuzzy Hash: 42bb587bc97b178a2d9af224d57e689795276320725a3f272867fac8785c6add
Instruction Fuzzy Hash: 4E711875D04209DFDB08CFEAD4849AEFBB2FF89310F14952AE415AB264DB309946CF51

Function 0560A9E8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0edc15e1ceab1d755d17b95b3a4838042704941aae7979f660bc1991d4a6c145
Instruction ID: 3afd1e9589f6f50e17f8d9df5a9ba3199ddc6231b7d72da4742734597c6ca531
Opcode Fuzzy Hash: 0edc15e1ceab1d755d17b95b3a4838042704941aae7979f660bc1991d4a6c145
Instruction Fuzzy Hash: 9E512670E1421A9FCB08CFA5D9555AEFBF2FB88350F00942AE516E7394EB349A05CF54

Function 0560A9F8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdd492fac7eb4981670fa1be5bba40dbb6b3fdcc2787f581de7c768538ddd8e
Instruction ID: 81b85561a9651a0a4a45dd053d77143c9c9b7d0b781b13a591b7b61cbbbc1b9e
Opcode Fuzzy Hash: dfdd492fac7eb4981670fa1be5bba40dbb6b3fdcc2787f581de7c768538ddd8e
Instruction Fuzzy Hash: 29512670E1421A9FCB08CFA5D9555AEFBF2FB88350F00942AE516E7394EB349A01CF54

Function 074A08D0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a27317b09942ab38514d966b4b8814f95340ba95d5099aa7a8cfd72730e1d1
Instruction ID: eefa307c686cd8bbd02b27715ea746f27843f3ea3cfa30ad04985621ccd589e0
Opcode Fuzzy Hash: 59a27317b09942ab38514d966b4b8814f95340ba95d5099aa7a8cfd72730e1d1
Instruction Fuzzy Hash: 963152B2D047489FDB19CF66DC5569AFBB7BFDA200F04C0ABC908AB265EB3405458F51

Function 05607368 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1507dc4ffc42f43d177ab7a6258471705e63190cc961fd1048daea05a42543
Instruction ID: 4419d467cc17b132c34615b0c4f4838dce2fc82e0a6d7fb0f34c4afec52f61f1
Opcode Fuzzy Hash: 6e1507dc4ffc42f43d177ab7a6258471705e63190cc961fd1048daea05a42543
Instruction Fuzzy Hash: 2121C3B1E006189BEB18CF9AD8447DEFBF2AFC8310F14C16AD409A6254DB751A4ACF90

Function 05607359 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e23417cba14975076f7b329d361ddfafd0cd6509c42bd74d2f31c03b777828
Instruction ID: 9297f5e57e19a62b39e6ebf20aa61c76b3d0ac00cf42691214383d01f3fa3f73
Opcode Fuzzy Hash: 95e23417cba14975076f7b329d361ddfafd0cd6509c42bd74d2f31c03b777828
Instruction Fuzzy Hash: 7921C6B1E006188BEB18CFAAC9557DEBBF3AFC8300F14C16AD409A6258DB741A46CF50

Function 0158D031 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0158D0BE
GetCurrentThread.KERNEL32 ref: 0158D0FB
GetCurrentProcess.KERNEL32 ref: 0158D138
GetCurrentThreadId.KERNEL32 ref: 0158D191

Memory Dump Source

Source File: 00000000.00000002.1410186993.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 23acc631434c6af0449589e57456e69342cd1175c9e4c53d30a0412b1a59b1b2
Instruction ID: 96de25cd46cfdd6d65320c6819b3d8e981bd435787b2f3add192aa0603f6c611
Opcode Fuzzy Hash: 23acc631434c6af0449589e57456e69342cd1175c9e4c53d30a0412b1a59b1b2
Instruction Fuzzy Hash: 005155B0A007498FEB14EFA9D948BAEFBF1BF88314F208459D419BB390D7345944CB65

Function 0158D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0158D0BE
GetCurrentThread.KERNEL32 ref: 0158D0FB
GetCurrentProcess.KERNEL32 ref: 0158D138
GetCurrentThreadId.KERNEL32 ref: 0158D191

Memory Dump Source

Source File: 00000000.00000002.1410186993.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6ccd350aace76080bf87055df960ef9c44b9b5f78952b7b4947057bd89c41e46
Instruction ID: 2edf6c2137c8c3f5786cdf0b1b343901808a2e57ea674539431f31e40eb3e100
Opcode Fuzzy Hash: 6ccd350aace76080bf87055df960ef9c44b9b5f78952b7b4947057bd89c41e46
Instruction Fuzzy Hash: D95145B09007498FEB14EFAAD948BAEFBF1BF88314F208459E419B7390D7745944CB65

Function 074A7F04 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 074A8146

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0ceb0e4ddcfb104dece9f9bb44107f985035205e44bf6e2475d8fbebd4d8d29a
Instruction ID: 0a53817d74076c654340b7b97ee504f14e614642939b9b2893feaf39b7166ff7
Opcode Fuzzy Hash: 0ceb0e4ddcfb104dece9f9bb44107f985035205e44bf6e2475d8fbebd4d8d29a
Instruction Fuzzy Hash: C8A17CB1D0061ADFEB21DF68C8417EEBBB6FF48310F14816AE819A7240DB759985CF91

Function 074A7F10 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 074A8146

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8bc0016fd9d358a4c8270b5ceff17e501dc23e741906d02a77df47b5b2660fda
Instruction ID: eda90dfbafed5041d22707b5dbb0ca13d50cfb41676a2765da83f02c6f8f0860
Opcode Fuzzy Hash: 8bc0016fd9d358a4c8270b5ceff17e501dc23e741906d02a77df47b5b2660fda
Instruction Fuzzy Hash: 8F916BB1D0061ADFEB21DF68C8417EEBBB6FF48310F14856AE819A7240DB749985CF91

Function 0158ADA8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0158AFFE

Memory Dump Source

Source File: 00000000.00000002.1410186993.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 672ac6cbd33f9dbf90a0c4ade83d66875697ef6675cb050c9d18e170281d346d
Instruction ID: aae3dc0d4a3a4bc7be51d78a946bbb19a064f9a4bd0c20f4afb173d9fa78f39d
Opcode Fuzzy Hash: 672ac6cbd33f9dbf90a0c4ade83d66875697ef6675cb050c9d18e170281d346d
Instruction Fuzzy Hash: 67714970A00B058FE765EF29D44475ABBF1FF88304F00892ED49AEBA50D735E849CB90

Function 0158590C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015859C9

Memory Dump Source

Source File: 00000000.00000002.1410186993.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e5e783074703d7217c20a1277cc9c426ff3e29ba1e2e18e3376a364dc838bbba
Instruction ID: cd98695af6c17c63d5ebe6bd6667b4ec873784e60527f0ad48a9b0e74d20b8e9
Opcode Fuzzy Hash: e5e783074703d7217c20a1277cc9c426ff3e29ba1e2e18e3376a364dc838bbba
Instruction Fuzzy Hash: 74410FB1C00319CFEB24DFAAC8857CEBBB1BF89714F20816AD409AB251EB715946CF50

Function 015844B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015859C9

Memory Dump Source

Source File: 00000000.00000002.1410186993.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8ac44f1b6e0c89831f26a2af1b4bd7024cf1c2b0ef726b689aac5c649aeb590
Instruction ID: 1001f8c3a32d8152dc0ce3225cb817a93cec61bb34b4dac38fc0be5af682b884
Opcode Fuzzy Hash: e8ac44f1b6e0c89831f26a2af1b4bd7024cf1c2b0ef726b689aac5c649aeb590
Instruction Fuzzy Hash: E141E171D00719CFEB24EFAAC88478EBBF5BF49704F20806AD509AB251EB755945CF90

Function 074A7C80 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 074A7D18

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 216d393c91fd57e534d49acf5cb29734bee2a1f5bb13bdac9d95d1afaa30eee2
Instruction ID: 996e9de96a28b42a6744138fd3bc5672f98d4aa1254c30d339c6df8ab4ff14d0
Opcode Fuzzy Hash: 216d393c91fd57e534d49acf5cb29734bee2a1f5bb13bdac9d95d1afaa30eee2
Instruction Fuzzy Hash: E9215AB59003099FDB10DFA9C885BEEBBF5FF88310F10842AE918A7340C7789945CBA0

Function 074A7D70 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 074A7DF8

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d9e336831bbc8d9e7b8f66a18bd34a7c2cfb8023bdeb82c84e3f805720fcd0ea
Instruction ID: 6273b3c168751179d978a4f6d02fa958fa1672202b2701f61d0b15928c0b45c7
Opcode Fuzzy Hash: d9e336831bbc8d9e7b8f66a18bd34a7c2cfb8023bdeb82c84e3f805720fcd0ea
Instruction Fuzzy Hash: 8E214AB18007499FDB10DFAAC881BEEFBF5FF48320F50842AE519A7240C7359941CBA1

Function 074A7C88 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 074A7D18

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 45b8117c3fb1cea0c3e6bc65672603d8585e961e19598b2b530c1eaeea15e2b9
Instruction ID: 55f0e5a3e5fcf74efbb8833ed06ba0588cfe5e3b85ad309c1022ed88db207f6b
Opcode Fuzzy Hash: 45b8117c3fb1cea0c3e6bc65672603d8585e961e19598b2b530c1eaeea15e2b9
Instruction Fuzzy Hash: 432127B59003499FDB10DFAAC885BEEBBF5FF48310F10842AE919A7240D7789944CBA0

Function 074A7AE8 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074A7B6E

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e8fd162d95cacc64ff18be5688492fc96207f2dcbb9e7b49fb52695a7ab2bacd
Instruction ID: b32bb2eb56ecbb8b6b91a3f61939df21926d64e62bd8a4465986b679e31bbfa1
Opcode Fuzzy Hash: e8fd162d95cacc64ff18be5688492fc96207f2dcbb9e7b49fb52695a7ab2bacd
Instruction Fuzzy Hash: 692148B19003099FDB10DFAAC4817EEBBF4EF58224F14842AD519A7240CB789945CBA0

Function 074A7D78 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 074A7DF8

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 147ad39c190909c3212c8316afa36d39783a528b15110f26b177cab84ffdbf27
Instruction ID: 9e7959d0c5ae265336b12e01f33dbd44fed609e134af2b6678c5904519209728
Opcode Fuzzy Hash: 147ad39c190909c3212c8316afa36d39783a528b15110f26b177cab84ffdbf27
Instruction Fuzzy Hash: 9E2109B18003599FDB10DFAAC881BEEFBF5FF48310F50842AE919A7240D7799945DBA4

Function 074A7AF0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074A7B6E

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b1e62824ada29effa86f4062796d64779d40f2f2f426dc3475dd05201c4822a1
Instruction ID: a3c4dcbc79589a5b2c04baa027984ccc5eb391cc5709543e5b0796c4f7eea01b
Opcode Fuzzy Hash: b1e62824ada29effa86f4062796d64779d40f2f2f426dc3475dd05201c4822a1
Instruction Fuzzy Hash: 5F2127B19003099FDB10DFAAC485BEEBBF4EF98324F14842AD559A7340CB789945CFA4

Function 0158D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0158D717

Memory Dump Source

Source File: 00000000.00000002.1410186993.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bd737b398ec45261b5b25df30b337b3e2a8dccab25bfdb213df928da0f8e59da
Instruction ID: ef412c79d7a9d502b95046f82afb0a4f1bf32c9d0fb647950a229a816b445be0
Opcode Fuzzy Hash: bd737b398ec45261b5b25df30b337b3e2a8dccab25bfdb213df928da0f8e59da
Instruction Fuzzy Hash: C121E4B59002499FDB10DFAAD884BDEBFF8FB48310F14841AE918A7350C374A950CFA0

Function 0158D689 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0158D717

Memory Dump Source

Source File: 00000000.00000002.1410186993.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a266f71292b81fda0169014bc46223bfae69aced9c0d5c11bf4c12da10b6f631
Instruction ID: 2a3fcc74ad22a02c203964d1e73ab5c24e29ed045045136a94bfea183a89748d
Opcode Fuzzy Hash: a266f71292b81fda0169014bc46223bfae69aced9c0d5c11bf4c12da10b6f631
Instruction Fuzzy Hash: BA21DFB59002499FDB10DFAAD984BDEBBF5FB48214F14841AE918B7250D378A950CFA0

Function 074A7BC0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 074A7C36

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 79ada16542702d60c57b17ed789ba5eb99f357f0d94c84cb9b8a067341c2aeff
Instruction ID: e2f64d2d433ca18bb35763c3394112ed7e90a61c1b68e413ad9b65c9f8fd0631
Opcode Fuzzy Hash: 79ada16542702d60c57b17ed789ba5eb99f357f0d94c84cb9b8a067341c2aeff
Instruction Fuzzy Hash: 841159729003499FDB24DFA9C845BEEBBF5FF88320F10841AE519A7250C7359541CFA0

Function 074A7602 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 074A766A

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 84c08e27ce4c1fe545b5d9e2cda065f22b27bf253419dac5b674ba608fd11a4a
Instruction ID: 92bbe1ce89246f55b6317867d6b41c4d94c7135a9d2eb87ed00d1845baa8cf48
Opcode Fuzzy Hash: 84c08e27ce4c1fe545b5d9e2cda065f22b27bf253419dac5b674ba608fd11a4a
Instruction Fuzzy Hash: 96119AB18003498FDB20DFAAD8457EEFBF5EF88620F10881AD459A7740CB396540CFA4

Function 074A7BC8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 074A7C36

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 16cbfd271680ce192836474b0b45377d5557839775c82f255c8afcdd5d91f568
Instruction ID: 52a57fc375c6eb84a20ed12a5fe43f74997733913bd96c0cb15cc81b22bc6cf7
Opcode Fuzzy Hash: 16cbfd271680ce192836474b0b45377d5557839775c82f255c8afcdd5d91f568
Instruction Fuzzy Hash: 391137759003499FDB20DFAAC845BDFBBF5EF88320F14881AE519A7250C7759540CFA0

Function 074A7608 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 074A766A

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 236daeb9f6fa9c0cfb3d49d79acea1254856f533527d009e226d60a5c9879ede
Instruction ID: 76fbbc2d8385cf5a909e675ea43d43abcf89b9d9299af9fa05ff555e2ae34de4
Opcode Fuzzy Hash: 236daeb9f6fa9c0cfb3d49d79acea1254856f533527d009e226d60a5c9879ede
Instruction Fuzzy Hash: 13116AB18003498FDB20DFAAC4457DEFBF4AF88620F10881AD419A7340CB796540CF94

Function 074AAC79 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 074AACDD

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 327a421a360b366e12b88eb2ab982be6cc5b75e8d01e8f3a3b8a19c35a2ad0a5
Instruction ID: edc411908aedd808f41d7f070c9a0dbfbb5af51fa6624db21a8a8218420853be
Opcode Fuzzy Hash: 327a421a360b366e12b88eb2ab982be6cc5b75e8d01e8f3a3b8a19c35a2ad0a5
Instruction Fuzzy Hash: E51102B5800309AFDB10DF9AD485BDEBBF8FB48320F10840AE818A3640C375A944CFA1

Function 0158AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0158AFFE

Memory Dump Source

Source File: 00000000.00000002.1410186993.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b9094fab5ed3ce796a1ade8a6b74f8a9194d76831096bfd653bad731cbdef345
Instruction ID: cc796cdeb505a7cff889f5b601bf9dd69dea553853a623c763de553c46b2e886
Opcode Fuzzy Hash: b9094fab5ed3ce796a1ade8a6b74f8a9194d76831096bfd653bad731cbdef345
Instruction Fuzzy Hash: BD11D2B5C00649CFDB14DF9AC444B9EFBF4BB88214F10841AD529B7650D379A545CFA1

Function 074A8E04 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 074AACDD

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 096b2ba868403a880eda31729f9846966b00d75219967d7b6b4be4f95ee80bef
Instruction ID: ca12366b97e9fddde2318d57dd111a9d63b5f983abe6b652efdba32c662be720
Opcode Fuzzy Hash: 096b2ba868403a880eda31729f9846966b00d75219967d7b6b4be4f95ee80bef
Instruction Fuzzy Hash: 3611F5B5900349AFDB10DF9AC585BDEBBF8FB48310F10841AE919A7340C375A944CFA1

Function 0560E618 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

uIA1, xrefs: 0560E657

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: uIA1
API String ID: 0-3125954435
Opcode ID: 7e3bf6eab7c3e873ca914f6393548e2bd66ab2d936ec588cceabc0691667fa52
Instruction ID: b87560ed1fc0f3fc07bee9e54d0932e54c6c17557dd263376520e5a63a6cb18a
Opcode Fuzzy Hash: 7e3bf6eab7c3e873ca914f6393548e2bd66ab2d936ec588cceabc0691667fa52
Instruction Fuzzy Hash: 84314970E14218DFDB08CFA9D5446AEFBF6FB88310F10E86AD416A7290DB358A41CF51

Function 0560E60A Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

uIA1, xrefs: 0560E657

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: uIA1
API String ID: 0-3125954435
Opcode ID: 33fe8ece5f942c9beb0d22cace7d39089f346bb383546f68223f8c3e25b35d3b
Instruction ID: a67d67351e7d4d7f964667eec8a1b0a3e37709d566222495c2196726a8fa4fbd
Opcode Fuzzy Hash: 33fe8ece5f942c9beb0d22cace7d39089f346bb383546f68223f8c3e25b35d3b
Instruction Fuzzy Hash: 2F316DB1E14219DFDB08CFA8D5446AEFBF6FB89310F14E4AAD416A7290D7358A42CF01

Function 056017A0 Relevance: .8, Instructions: 777COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b038a01e19c90d5de4dff5e1f4a66e9c6a8e521f7e9a47f446e959bbe41e6ad
Instruction ID: c265d290130b6e973e7f99b4c903b5794d17d1360fbfafcb0c761437e52378c6
Opcode Fuzzy Hash: 6b038a01e19c90d5de4dff5e1f4a66e9c6a8e521f7e9a47f446e959bbe41e6ad
Instruction Fuzzy Hash: D3622174E10B418ADB789FF4C8AC3AEBBA5BF45304F10591FC1AACAB90DB349445DB49

Function 056009F9 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b67efe9d4ee956526f91b5b41892089eeff7c6358f30dfb70de47dfb3f4a164
Instruction ID: 960998fff30b783a9bc679abb1465f44fd376d7e3dded2feb71d7093e0f85126
Opcode Fuzzy Hash: 3b67efe9d4ee956526f91b5b41892089eeff7c6358f30dfb70de47dfb3f4a164
Instruction Fuzzy Hash: 8381B234A01209AFCB04DF59D898EAEBBB6FF88724F514059F905AB361DB31ED41CB50

Function 0560633C Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed557353d4562135a38130ee957355a53094620e6c0cb7aa54bf06a1a4c5e88
Instruction ID: a116c1aa3ac31e5b543bc395b0a4907a51b250418302cdc6eb6af69d1e2d8579
Opcode Fuzzy Hash: 5ed557353d4562135a38130ee957355a53094620e6c0cb7aa54bf06a1a4c5e88
Instruction Fuzzy Hash: 57518F31B103068FCB05DB79989497FBBF6FFC8260B15852AE419DB390EB709D058751

Function 05602A28 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352d7df433cb3a5a039d2392b0cd7bd1d90cae862db6cfe73944baab18e667ca
Instruction ID: 6e63b38cbbd3756619a8fe4c4e6d780ab6e6f5dad741aad0add11f4b73a2c22e
Opcode Fuzzy Hash: 352d7df433cb3a5a039d2392b0cd7bd1d90cae862db6cfe73944baab18e667ca
Instruction Fuzzy Hash: FE41FA34B142298FDB54EF68C898BDEB7B1FF88714F110059D905AB7A1DB75A801CF60

Function 0560BC7C Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121476a231f9871c9eb3c353cb84fdd4ecc4c6d432bfecc27c88ed1c071381c6
Instruction ID: cab4f26501a13171c2d934d8adaad2f52a39579e230a2fefcedb46190ddcd7dd
Opcode Fuzzy Hash: 121476a231f9871c9eb3c353cb84fdd4ecc4c6d432bfecc27c88ed1c071381c6
Instruction Fuzzy Hash: 5F3148B19003099FCB14DFA9D884A9EBFF9FF48320F10852AE409A7250D734A941CBA0

Function 0560B028 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00048eefc0800f5d0483cc06d06d2821ce6294f6ef28e4137b348c213a6d0bbb
Instruction ID: 11e3336e1316448794543ae89f768a98b100db4e3383a08bf8279818ff2d2d7d
Opcode Fuzzy Hash: 00048eefc0800f5d0483cc06d06d2821ce6294f6ef28e4137b348c213a6d0bbb
Instruction Fuzzy Hash: EA310675E142099FDB08CFA9D8955EEBBF2FF88310F10906AE816A7764DB305942CF54

Function 05603868 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d38949fd7e2db0caf6385f94a7ba5972969773e2d75e513d255fd6961160a7
Instruction ID: 7c32a0b6548af2488c2b4999fbb1cd18417eced22ac16595b3334153ab720034
Opcode Fuzzy Hash: 33d38949fd7e2db0caf6385f94a7ba5972969773e2d75e513d255fd6961160a7
Instruction Fuzzy Hash: 42218C357142058FDB08EB69D41896E77EAFFC862271544AAE906CB7A1EE31DC01CBA0

Function 0560B01A Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbfbc40669b632c94a4bff65de07567e1c2a256574b269a9f46a920716b136e
Instruction ID: 6593bb1e0459927a88c4e883e31acfef498bdfbaf191f6e3d299c1bd869ed2df
Opcode Fuzzy Hash: bfbfbc40669b632c94a4bff65de07567e1c2a256574b269a9f46a920716b136e
Instruction Fuzzy Hash: D73118B5E102099FCB08CFA5D8456EEBBF2FF88311F14946AE416A77A4DB305942CF54

Function 0125D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402475252.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58414d81961c4a1c4c1e3e34ecf223bf4ddfe5c8adad5226072cc2495bfd130b
Instruction ID: 1d536b4f6691c9807d6649057c193bad2c2d0f12408d782f9efe1c9402626cad
Opcode Fuzzy Hash: 58414d81961c4a1c4c1e3e34ecf223bf4ddfe5c8adad5226072cc2495bfd130b
Instruction Fuzzy Hash: CF213371514309DFDB41DF54E8C0B26BF61FB88328F20C169ED090B246C336D446CBA2

Function 0125D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402475252.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f270949d90af834dc20ebd30aa118fe4b9af309fdf9747e703868c2b98176b
Instruction ID: c1219f52ac3f65cc42b51417fb8f485ed1e13eaf1bc390138f152f34e9609de0
Opcode Fuzzy Hash: d1f270949d90af834dc20ebd30aa118fe4b9af309fdf9747e703868c2b98176b
Instruction Fuzzy Hash: 082133B6214309DFDB05DF44D9C0B66BF65FB88324F20C169ED090B246C37AE446CBA2

Function 056030E9 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf3d6c0f36ddc6f34192e2e9fd22b1e979b554056cac6dfbd19d8731c33c4df
Instruction ID: 349542a4623c8bbf386faa1cea18d1f79363161b3fa5bf423ae6ed9b72e4911c
Opcode Fuzzy Hash: 1bf3d6c0f36ddc6f34192e2e9fd22b1e979b554056cac6dfbd19d8731c33c4df
Instruction Fuzzy Hash: 9C214C303106018FCB58DB28C854A6A77F6FF89626B1584AEE506CF7A1DB71DC06CB40

Function 0127D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402651098.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a6d894ad59f355499c4d6c938956835d13452d080862c32373afa74f28667f
Instruction ID: 33c095d6f2e15f1d1cb9278dce03b13e1f7e186ba7b61d98da985f0df74e8b97
Opcode Fuzzy Hash: 81a6d894ad59f355499c4d6c938956835d13452d080862c32373afa74f28667f
Instruction Fuzzy Hash: 81210075614308AFEB01DF94D980B26BBA1FF84224F20C6ADE9494B283C376D807CA61

Function 0127D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402651098.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea3d69e3399f2519ead7a2c87164b563f593fd1e65b1657ea420c74111a84c4
Instruction ID: 427a4c6675b1a06b5a5b7a79454c9e80a0c83e0664f64e4982dded53f91b27dd
Opcode Fuzzy Hash: 5ea3d69e3399f2519ead7a2c87164b563f593fd1e65b1657ea420c74111a84c4
Instruction Fuzzy Hash: 02212275614308DFDB16DF64D984B17BB61FF84314F20C56DD90A0B286C37AD407CA62

Function 056030F8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0767252fd9c53135b815b1707bc298afe25115191458d5f4429cc8c841125951
Instruction ID: 08257b4bb05bd8233a315960a2b88256e52296ed90a47d10e45092cd9562d4bb
Opcode Fuzzy Hash: 0767252fd9c53135b815b1707bc298afe25115191458d5f4429cc8c841125951
Instruction Fuzzy Hash: 7C213B303106118FDB58EB2DC864A2A77E6BF89616B1484AEE506CF7A0DF71DC46CB50

Function 056008B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84371d1b195bfa2c6cd97bd0a96a8a2ac2297c40878e8a866e13888beeb06c51
Instruction ID: cd2764da2efc1f54f5138d726c600df2311bbd565eeaae4e10f93c00402dde5f
Opcode Fuzzy Hash: 84371d1b195bfa2c6cd97bd0a96a8a2ac2297c40878e8a866e13888beeb06c51
Instruction Fuzzy Hash: 39214A35B006149FDB289E19D488F6BB3AABFC8621F50542EEA4687B91C731F841CB60

Function 05606420 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68257c5851fc560779a42f37c6d924c59487315b36110321a5f4c1abcc03247a
Instruction ID: a89be0e6f645e4812fe14ee95976fb6b61ddedd87de84ce85954522b8b76b0e1
Opcode Fuzzy Hash: 68257c5851fc560779a42f37c6d924c59487315b36110321a5f4c1abcc03247a
Instruction Fuzzy Hash: C831E0B0D00318DFEB24DF9AC988B9EBBF5BB48714F20911AE409BB290C7B55845CF90

Function 0560BFE6 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459cf9763b342855cfd2f30a693bf6b750ca3edcaa2a1c4da2679da7a4704747
Instruction ID: ec9ac8ac47908618393daa809ff8d66e5d491501f3d8e70e90d94e6455cc9413
Opcode Fuzzy Hash: 459cf9763b342855cfd2f30a693bf6b750ca3edcaa2a1c4da2679da7a4704747
Instruction Fuzzy Hash: 9821E0B1D01318DFEB24DF99C984B8EBBF5BB48714F24911AE409BB280C7B65845CF90

Function 05601258 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9836b857c1e4bbcdca531affdbf83769d2d73c2bae077477275dd72469b398
Instruction ID: 4000cdfea58fe55cf7bb6d49b45a79fedc126348aac758e2211da8a066d613df
Opcode Fuzzy Hash: 1a9836b857c1e4bbcdca531affdbf83769d2d73c2bae077477275dd72469b398
Instruction Fuzzy Hash: 8821DB71E0020A9FCB44DFA9C8449AFFBF9FF98310B11C55AE518E7211E774A956CB90

Function 056008A0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2eb274bf2f24b167dbb31ab73811c1ee0f00d437c487cca3c6186bcfb9eff4
Instruction ID: 3f3091fd9b8816b5de82bc1d6cb16e736adfae25dade7d43e77a8ce92cb45301
Opcode Fuzzy Hash: 5c2eb274bf2f24b167dbb31ab73811c1ee0f00d437c487cca3c6186bcfb9eff4
Instruction Fuzzy Hash: 60218C75B006049FDF68DE15D088F6BB3B6BF88620F50A02EE94687B91C731F841CB50

Function 0127D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402651098.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575e7c1ca2971072b68d77514efb65bc3849220be3c6e536f1355ad235a60d9a
Instruction ID: ed20d9e0ea142345b655e3590f5e06a84f2af750201638b2e799854a18eeba89
Opcode Fuzzy Hash: 575e7c1ca2971072b68d77514efb65bc3849220be3c6e536f1355ad235a60d9a
Instruction Fuzzy Hash: CE218E755093848FCB03CF24D990716BF71EF46314F28C5EAD9498B6A7C33A980ACB62

Function 05601268 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002c58d28d227a0954b211e36d31dcc8c8bf630cf6d79072e5c103ffa752216a
Instruction ID: 3be5344b0f7ea54886956dea0f934f2cbeb992692694fed01d50479fa18afdd9
Opcode Fuzzy Hash: 002c58d28d227a0954b211e36d31dcc8c8bf630cf6d79072e5c103ffa752216a
Instruction Fuzzy Hash: 8F21CC71E1020A9FCB04DFADC8448AFFBF9FF98210B11855AE518E7215E770A956CB90

Function 0560BE32 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b91066c90232c9404db77b075794e448a12ec1c47f338fbcb6727c8e22bde06
Instruction ID: 996f186afeb59631da3b6cd5480fd0fde1f26e279e903f555dd8bd5f17f21517
Opcode Fuzzy Hash: 5b91066c90232c9404db77b075794e448a12ec1c47f338fbcb6727c8e22bde06
Instruction Fuzzy Hash: 6111A0B2B002164B8B15DA7998849BFBAF6FBC8260B14892DE815D7380EF709A05C760

Function 0560B958 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b70faf13c523847a3ab14e11bfaf7d4b9dbd3f07a1890d5e006a402c2fd56bd
Instruction ID: 7f8f373244ef3761a4b6eea9bac3d82cf35eeb7c00640ff33387cd1d20e83b0b
Opcode Fuzzy Hash: 9b70faf13c523847a3ab14e11bfaf7d4b9dbd3f07a1890d5e006a402c2fd56bd
Instruction Fuzzy Hash: 39111C31B1021A8BCB18EBA998106EFB7B6EBC8350B505169C905E7390EF328D11DB95

Function 056032A0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5810b5718c84c7bd3675766de26d9c12812d595b5ca478a683c62b5c0dafb69
Instruction ID: 2b9c82b1ef7980cabc640352b587c58880a1dbc9477cece2518ea387812a1a11
Opcode Fuzzy Hash: c5810b5718c84c7bd3675766de26d9c12812d595b5ca478a683c62b5c0dafb69
Instruction Fuzzy Hash: EC012631B042181BD708E639985436F7B9BFBC9650F148478D80A8B380DE34884783A1

Function 05608890 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d0ad5cbe19cffc93f33cdd35b663240d15d6604caad3f4e514aa717e26deee
Instruction ID: 5cf45690ffd74d9a238a739bbf943aee9878fff2cb885368fafbfd2418cd39c2
Opcode Fuzzy Hash: 68d0ad5cbe19cffc93f33cdd35b663240d15d6604caad3f4e514aa717e26deee
Instruction Fuzzy Hash: C9114CB0E04609EFDB48DFA9D5505AEFBF2FF88300F14D5A6D41997254EB309A42DB40

Function 0125D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402475252.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 7f85e1757f0ef2f75cae52283527478f93943cb70f73f841afc01c820f1e2364
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 28119D76504284CFCB16CF54D5C4B16BF62FB84228F2486A9DD490B656C33AD45ACBA1

Function 0125D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402475252.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: e91b08922865522fb4a7d6b595861d495110dc3886aca131cad817401ebd1414
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 9D11CAB6504284CFDB06CF44D9C0B56BF72FB84224F24C2A9DD490A257C33AE45ACBA2

Function 0560BC8C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e246f10a0805acab2212c9225347fc123787db1409cc436bb2ef36b186d083
Instruction ID: 48c8d8a6c5c1c6351b01e462393d956ca85f3bc324eca2b3ae230477d5c9ad2f
Opcode Fuzzy Hash: 41e246f10a0805acab2212c9225347fc123787db1409cc436bb2ef36b186d083
Instruction Fuzzy Hash: 5A2103B58003499FCB10DF9AC884BDFBBF4FB48324F10852AE919A7240C378A954CFA1

Function 05608968 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2f82106877e7fc71b3ffc31d8da07b585b11cf5f19179ff89d50541403c296
Instruction ID: 779958a24aedaf2bf4af40bfa4973ec7f04618ba80deb0c017c43fdfb5bf1234
Opcode Fuzzy Hash: 8a2f82106877e7fc71b3ffc31d8da07b585b11cf5f19179ff89d50541403c296
Instruction Fuzzy Hash: 0511E774E04208EFDB48DFA9C945A5EFBF2FF88200F14D4A59518A7365EB309A01DB40

Function 05608958 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8777871c1b7ba0dc455a3a63c98d97a69852ae94cb6564e7ba8b6d69fbf5045
Instruction ID: 7e5540862892a14dce17bccacd4102363c1ecc31c11db38e84b91752396c5a32
Opcode Fuzzy Hash: d8777871c1b7ba0dc455a3a63c98d97a69852ae94cb6564e7ba8b6d69fbf5045
Instruction Fuzzy Hash: B2212C75E04209DFDB08CFA9C984A9EFBF2FF88310F19D1A5D9159B3A5D6309A01DB40

Function 05608881 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ae84b261bfc6d9caa16e253ba0d99265b99514f0fe6c72bf97c19726c1de64
Instruction ID: f2f8330379611d17656a954fefdf4d83eafe5331925188c9c6b78dad847ac5ab
Opcode Fuzzy Hash: b0ae84b261bfc6d9caa16e253ba0d99265b99514f0fe6c72bf97c19726c1de64
Instruction Fuzzy Hash: 8B215EB0E04649DFCB48CFA9C94069EFBF2EF89310F14D6AAD4159B295DB309A42DB40

Function 0127D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402651098.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 21b87998f3c640a5274b311faa0e7afa9492136967c5f3bcbcab936c3e68e3bc
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: F411BB75504284DFDB02CF54C5C0B16BFA2FF84224F28C6ADD9494B297C33AD40ACB61

Function 05600961 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff3d11dc2e1ef8ccd9a2a8d9ab30c26af3dd9fcf2fe338573b14749ff6d4130
Instruction ID: 60d8dbb59d6194a87938ef0ba7e819d16ef81d130ad08f323d010ce733266661
Opcode Fuzzy Hash: 8ff3d11dc2e1ef8ccd9a2a8d9ab30c26af3dd9fcf2fe338573b14749ff6d4130
Instruction Fuzzy Hash: 18118CB5A002099FDF05CF68C988BAF77E4FF48610F44442AE919D7750D730C911CB61

Function 05600970 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebefed4e6ffcb66cde79971141a408f9778e731d7635a519b15136055ffcf08
Instruction ID: ba994239f772482eaf186ed8ee029b3c30fea47c3b6dd65756acdc7a0a43cb3e
Opcode Fuzzy Hash: 5ebefed4e6ffcb66cde79971141a408f9778e731d7635a519b15136055ffcf08
Instruction Fuzzy Hash: 11113971A0020A9FDF15DF69C888AAF7BF5FF88610F44542AEA19D7750DB70D910CBA1

Function 05601388 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12021ca1ab165a680a43176170ca3008bf2d86bb8b5fb27484a4a5e7e03a6cd
Instruction ID: 8c855787142a0dd5b90f38779339f82dd5986e728ef8a320fedceacac3ec098c
Opcode Fuzzy Hash: b12021ca1ab165a680a43176170ca3008bf2d86bb8b5fb27484a4a5e7e03a6cd
Instruction Fuzzy Hash: 1301DF317003119BCB1DAA25D890B2BB3ABBFC2714B14D42ED8068BB90DF31DC02CB90

Function 0125D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402475252.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47aca9c624e75f086e6822f8bb84dbb954517379f148f0cbcdbc4046a61f6578
Instruction ID: 2787368ae55ccab7e51dce467dda6b355ea7d8556beeeee2b0780c5c116b73f5
Opcode Fuzzy Hash: 47aca9c624e75f086e6822f8bb84dbb954517379f148f0cbcdbc4046a61f6578
Instruction Fuzzy Hash: A201F7710143889AF7545B55CDC4B26BF98EF85625F14C51AEE084A282D2799440CBB1

Function 0560E519 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70079ca27e25f5181c7986c094dec7a5c6c540d97d769666bdf327e46e460e01
Instruction ID: 7b9e7ebba2ac04e449116a1dcbeb1ee40dbd16ac9b6596d7ce6b0ce7a300d69a
Opcode Fuzzy Hash: 70079ca27e25f5181c7986c094dec7a5c6c540d97d769666bdf327e46e460e01
Instruction Fuzzy Hash: EA1161B4E14219DFCB48CFA9C54469EFBF2FB88311F24996AD419A3790F7315A02CB40

Function 05601398 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b6de57d6920b6eda4b3235522d5d473cdff720c6cd73fdfd7817f420d8667e
Instruction ID: 012f04107f6bfc1cd24cab83ad06727870676b8eda8cec277ba9d31c4fd0bcd3
Opcode Fuzzy Hash: 53b6de57d6920b6eda4b3235522d5d473cdff720c6cd73fdfd7817f420d8667e
Instruction Fuzzy Hash: 1501A2307043158BCB1CA669D890A3BB3E6BFC2714710D42ED80A8BB94DF70DC46C791

Function 05602890 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2ad7f3ad9f06ce912f367dd4bc05befc19f006f01bb0f4042ef6de90166969
Instruction ID: add584cf1289c98a2d1e457549325cc86ee001b5f3be46b3f43f8709cd6a483f
Opcode Fuzzy Hash: fa2ad7f3ad9f06ce912f367dd4bc05befc19f006f01bb0f4042ef6de90166969
Instruction Fuzzy Hash: 2E01F7382443049FCB18DB29D864D67B7AAFFC1321B54C46ED80A8B7A1CB70EC0ACB50

Function 0560E528 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0f0b62202cee4eba737589e5c75b19d5f2d518b5705e7fcd412d9fd53bbbb3
Instruction ID: 4eeb0876b7e9791749af325855c91ad2d7b7c9ac7082d8ca51ad7eac78736d66
Opcode Fuzzy Hash: ea0f0b62202cee4eba737589e5c75b19d5f2d518b5705e7fcd412d9fd53bbbb3
Instruction Fuzzy Hash: 91011BB4E04219DFCB48CFA9C5446AEFBF6BB88200F1098AAD409A3380FB315A01CB50

Function 05601301 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43eb078957d9af76128e9a6800f2e68d7a11d8330e5c159b9d2dbbbfd0243a7
Instruction ID: 8a1a2142570e02036d8b4d9e0dae5f65927fe12142e8c2320692636f3478f0e1
Opcode Fuzzy Hash: c43eb078957d9af76128e9a6800f2e68d7a11d8330e5c159b9d2dbbbfd0243a7
Instruction Fuzzy Hash: AC01AD356003058FCB18DB19D850E2AB3AAFF86710F54D06AD8098BBA1CB71EC06CB80

Function 05601310 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98cab9a71d1f1a087626b5902d98350d390d3ff097373c88ebf8ae5686ac0c6c
Instruction ID: 543127151c4c8f4e6f282e1bf8c00293d3b128eee50ee17ee1ad73061005470c
Opcode Fuzzy Hash: 98cab9a71d1f1a087626b5902d98350d390d3ff097373c88ebf8ae5686ac0c6c
Instruction Fuzzy Hash: 99016D347143048FC728DB69D854D26B3AABF86711B54D46AD80987B61CB71EC06CB90

Function 056028A0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8041e3331d1f1cddd4edf5947eb3550524d5b44bd6bc04371e9c7cffa3f83fb2
Instruction ID: 54ec4286fada34603050eb4e0984b04618621379d7cecee4f01b08a1378dcc86
Opcode Fuzzy Hash: 8041e3331d1f1cddd4edf5947eb3550524d5b44bd6bc04371e9c7cffa3f83fb2
Instruction Fuzzy Hash: F50162383543048FC758DA59D454D27B3A6BF85321B50D46AD80A877A1CB71DC0ACB90

Function 0125D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1402475252.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d21cf7064871f2b7c0600a9f85260925ac0d5436905da920e5d03131fa0e20b
Instruction ID: 34624792ce10979c56cb9ad428a1171f7435a247d482f6062c7fb4d3db97ec61
Opcode Fuzzy Hash: 9d21cf7064871f2b7c0600a9f85260925ac0d5436905da920e5d03131fa0e20b
Instruction Fuzzy Hash: 47F096714043889EE7559F1ACDC4B62FFD8EB85634F18C45AEE0C4B287C2799844CBB1

Function 05604AA0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5d06938785a87d8f952568d538d2f6f8ed5368543f5c2df1267398f2cc1e61
Instruction ID: 253ab8020c5ec4579e94845d712651fa78a975b5838ba543a9df76c6e0c53d51
Opcode Fuzzy Hash: ac5d06938785a87d8f952568d538d2f6f8ed5368543f5c2df1267398f2cc1e61
Instruction Fuzzy Hash: 43014B74D04248AFCB04DFA4D58899ABFF4EB49300F0080AAD805D7356DB345904DB11

Function 0560415A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bb28ad19b6da9ba182b327717cc9e668e58297a654ef7b1025ceb4ec2bffb7
Instruction ID: 2df36af3c0f96a2b12aafbe4c2b10df1921a531e308d4bd75b25940ff2ea6e81
Opcode Fuzzy Hash: a4bb28ad19b6da9ba182b327717cc9e668e58297a654ef7b1025ceb4ec2bffb7
Instruction Fuzzy Hash: DF016D70A2030DDFCB44EBB8E6A559CBFB2FF44212B1045A9E805D7205EF341A0CEB91

Function 05604340 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d015ce6edd1fd878c87518f5b5a619bf8f63140501910fce9625b6f2aed46d4
Instruction ID: ac32f2c76f1ae4bed9c884adc742cdfd5f150b62341acef1d525418acbf190cc
Opcode Fuzzy Hash: 2d015ce6edd1fd878c87518f5b5a619bf8f63140501910fce9625b6f2aed46d4
Instruction Fuzzy Hash: 38F0BE36321206ABDB05EB34E950AAE37AEEFC4215B044925FA048B264DF75AC11DBA0

Function 0560D3B9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3c0f6045a8bafb568b47c647e353c709b2d8509f4b86f65cadb2ac0e362cf0
Instruction ID: 11ecc5e9503e66ef68d9fa5114d526561e13088460fc6f530ca4b6ba23829e33
Opcode Fuzzy Hash: 0c3c0f6045a8bafb568b47c647e353c709b2d8509f4b86f65cadb2ac0e362cf0
Instruction Fuzzy Hash: EDF03A32604208BF9B09DB98D85599E7FAAEF48260B14826AE408D72A5EA71E950CB54

Function 05601418 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5d1543d2e18da0076bb1816e7a008b4be9874b4414a682a47d48701bd58ca2
Instruction ID: 5c589a82ff2eb93b52f62c6549ca85631511f269f03985f4d6f04a91585e4f64
Opcode Fuzzy Hash: ef5d1543d2e18da0076bb1816e7a008b4be9874b4414a682a47d48701bd58ca2
Instruction Fuzzy Hash: F8F01772D401098FDB90DFA8CC427ADBBA1FB04305F5885B6E418D7391E6389605CB90

Function 05604160 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee56256cbcb3a461cd377a26ffe2989144a83e6b615a035a0104657c71ba1814
Instruction ID: 90f52031a4a92e1d44af05b73a9694efe9f298e96777a77f1312df48f32a7095
Opcode Fuzzy Hash: ee56256cbcb3a461cd377a26ffe2989144a83e6b615a035a0104657c71ba1814
Instruction Fuzzy Hash: 3EF03C74A2030DDFCB45EFB8E66559CBFB2BF84202B1045A9E805D7205EF341A0CEB85

Function 05601428 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7e7165604796293b5bd06a0443456d26690029f09a02b4f8f25a0423b86aa3
Instruction ID: 193c869cdc08fddab6b4dfa121299b36b0c157eb13e68a7c5f0d6edcad717470
Opcode Fuzzy Hash: cc7e7165604796293b5bd06a0443456d26690029f09a02b4f8f25a0423b86aa3
Instruction Fuzzy Hash: 34F03A72D101098FDB90DFA8CC427BDBBF0FB04301F1485B6D418D7651E6389A15CB80

Function 05603B0E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb80ce98d663c9cdeea50b627bd156a178a91a06b4601a729db34010be35ed2c
Instruction ID: 4955cd7f195586a6a2158a49fa67076d10fab1bc9220b0f52e99c5af8804322a
Opcode Fuzzy Hash: cb80ce98d663c9cdeea50b627bd156a178a91a06b4601a729db34010be35ed2c
Instruction Fuzzy Hash: C7F01731724114DFDB18DB68E449BAA77B1FB0431BF401869E0169B7E0EB38998ACB20

Function 05604350 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fda4a8503e346fbfd66317939c1332bfc7ea53feb4d83d530ec50463b45420
Instruction ID: 1812ac7247dc9312c6a75032099f8edbc9da747f2f9583a049556fac89c39dd6
Opcode Fuzzy Hash: 77fda4a8503e346fbfd66317939c1332bfc7ea53feb4d83d530ec50463b45420
Instruction Fuzzy Hash: 83F01C3531120AAFDB18EF39D450CAE77AAEFC56553104569F6048B264DF71AC11CB90

Function 05604AB0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f748af87d94dde4bbf59e43668fe504fc0de862e849743bd270ab6cee7a3107d
Instruction ID: db620d5b245b7f6345e70a4f3458a41a1f9aa1284b989696ec8a65b6f0866b43
Opcode Fuzzy Hash: f748af87d94dde4bbf59e43668fe504fc0de862e849743bd270ab6cee7a3107d
Instruction Fuzzy Hash: 65F03AB8D04208EFCB54EFA8E68899EBBF0FB48300F1085A9D80597325EB309A00CF40

Function 05601748 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee618be03dd6e755bd259cfcf620665b7ce178ee1c2da801a21fda154cfa8d87
Instruction ID: 2a3bb3d1be7cd68c1fb027031335d70981e4ecc26e0159035f1be8cec8967588
Opcode Fuzzy Hash: ee618be03dd6e755bd259cfcf620665b7ce178ee1c2da801a21fda154cfa8d87
Instruction Fuzzy Hash: 3AE09B37240524878324DB4CF44247AB3E9F7496657198057E50CCEA14F633D807D790

Function 0560D7D0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa27482c7a227e387b0ac97d895f46c5fbf32eea124662ded53ad6779baea9b
Instruction ID: ccc17cf71895a1519b6f423805da22ca15293da3eed04263dcde23fc45f97e07
Opcode Fuzzy Hash: aaa27482c7a227e387b0ac97d895f46c5fbf32eea124662ded53ad6779baea9b
Instruction Fuzzy Hash: 23F05E75944248EFCB15CFA4D818A99BFB2EF09300F0481EAE90457271D7319A64EF40

Function 05606D49 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d51f4d446fdab407f274ea3e7ccdd981308e6697d95e6914b07034a025caf2
Instruction ID: 5bcb607ecabfbc906ec0205e1835511a7e717ad335e50e55e3b9d030df4ec6f0
Opcode Fuzzy Hash: 95d51f4d446fdab407f274ea3e7ccdd981308e6697d95e6914b07034a025caf2
Instruction Fuzzy Hash: 2EF08CB5900359DFCB15CFA8C8456EEBBB1FB0A352F10429AE86457792D7354A42DF80

Function 056029D0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119ac169685e53be0d4ddf52367c1d65fd11418f039c9b51ce3ab54e112a59a6
Instruction ID: b0628051db71c8a4e286164a8e2bb0e66a80096f982e9e6e47fbf12ecce76a00
Opcode Fuzzy Hash: 119ac169685e53be0d4ddf52367c1d65fd11418f039c9b51ce3ab54e112a59a6
Instruction Fuzzy Hash: 38E0263220430113C611A10DDC80FCFE7EAFFD0220F44492AEC15AB244DF28A80683F1

Function 0560D7E0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a684d1a84af39b008066b540e98a75cb1d588bd00c0fbb4e90f2877979d2b99f
Instruction ID: da808f7ed815668be817a34b9edf09d57e7fbfc501daf9fe3c0af09abb8fd353
Opcode Fuzzy Hash: a684d1a84af39b008066b540e98a75cb1d588bd00c0fbb4e90f2877979d2b99f
Instruction Fuzzy Hash: 6CF01535900208EFCB15DFA4D808A9EBBB2FF09300F0081A9E90857270E73296A4EB80

Function 0560E758 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715eb76f2227383dbc02edb7f5e1cf87aaca8508dc35a44841ebaa78c65af4d3
Instruction ID: 71d4adaf00c31ac0c59377b56a2b866094dfdee134c8d4d30457799432becc04
Opcode Fuzzy Hash: 715eb76f2227383dbc02edb7f5e1cf87aaca8508dc35a44841ebaa78c65af4d3
Instruction Fuzzy Hash: C4F015B0D14248AFC750DFA8C859B4EBBF4EB48210F1480EAEC49D7391E635A900CB41

Function 05606D58 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc52dc648626080a567c0e229aacaed223c5bacbd981f237f0aa38f8bb0e3efd
Instruction ID: fc68a726d86a52c92e741f03b6827833bf9e83baed7738875075cec43df040a0
Opcode Fuzzy Hash: cc52dc648626080a567c0e229aacaed223c5bacbd981f237f0aa38f8bb0e3efd
Instruction Fuzzy Hash: 7FF0A5B4D00318EFCB04DFA8D545AAEBBB1FB09301F1085AAE824A3350E7719A51DF81

Function 05607F32 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6cb097a8c9dc4a7df25b9167d1d966dab798d21dabf2567d0a17cd4f5f4c65b
Instruction ID: 518d1c7f9e686c4878b13b027d5d167ab6e62b4974d0f2d8029253f2b5f49b5a
Opcode Fuzzy Hash: f6cb097a8c9dc4a7df25b9167d1d966dab798d21dabf2567d0a17cd4f5f4c65b
Instruction Fuzzy Hash: A9F09D79A102688FCB50DFA8C980A9EBBB1FF49300F108595E409AB314D730AE81CF01

Function 0560E5C1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e2f35c40133156d2201d067d36b525c444c9176ac475bd385df85379069194
Instruction ID: b5f334928277293d2a057126418eceffdc7d3c199b886eca9f6c8dca6b8ca045
Opcode Fuzzy Hash: 83e2f35c40133156d2201d067d36b525c444c9176ac475bd385df85379069194
Instruction Fuzzy Hash: 16E01AB0D04248AFCB54DBADC85539DFBF4EB48210F4041AA9814A27A0FA756A54CB81

Function 05601790 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8295932b78dc335319d7e094c2b93ee20e62decd8ab13c64db9916e323291e6b
Instruction ID: 57b53a317ee0e616540d449f4bca91ddab495565c061e65a355a2c4370c27d2a
Opcode Fuzzy Hash: 8295932b78dc335319d7e094c2b93ee20e62decd8ab13c64db9916e323291e6b
Instruction Fuzzy Hash: ECE026325042285FC3145608DC60BA27BA9E702326F075156EE04D3A80CF78EC40CBA1

Function 05605140 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762fbf889f7fb4d3885028420be3dfcb5c9550bd68bde357738b89f32da085fe
Instruction ID: 9856a94269b477f92a68ef798ace4391d7c64cf42c65c3612f6f4b0a2dad0d1c
Opcode Fuzzy Hash: 762fbf889f7fb4d3885028420be3dfcb5c9550bd68bde357738b89f32da085fe
Instruction Fuzzy Hash: 25D05EB2441308A7D210AA74DC1AF977BADE302226F040052BC09D2A81EB686504A571

Function 05604302 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093ddbe63c49fdb9100678b1fbb2b3af5140f1ad11cbe4d89feaff4d0d237f5f
Instruction ID: d2314148c81cc1f94182b28aafc1c8bb2c9d5133fffca079895c0fc45e594a76
Opcode Fuzzy Hash: 093ddbe63c49fdb9100678b1fbb2b3af5140f1ad11cbe4d89feaff4d0d237f5f
Instruction Fuzzy Hash: C6E0ED75D0020CEFCB00DFA4D9958DDFFB8EB44201F1482AAA805A3200EA306B45DB80

Function 05603AD2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c82f5d21f637a30a018f69dccf68b312f754d0c6f3a9daee3a3e0ad5b7d0b0
Instruction ID: 11ce68a58d01066d2049809bf7a9fea1fee09d7f17dcc6e55239c9ec3eb0190b
Opcode Fuzzy Hash: f8c82f5d21f637a30a018f69dccf68b312f754d0c6f3a9daee3a3e0ad5b7d0b0
Instruction Fuzzy Hash: E2E01A35320014CFCB04AA68E449BE877B1FB4425BF4000A5E006DB6E0DB34A94ACB10

Function 0560E768 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d353970459eec12b6c6bcedf16bf91b9cfefa4bdecc3d707f6474f3c8dce8a7b
Instruction ID: 15c34b70477401bcf1849cd5a06bbbba791dbe0a0d900781adcead41866259b6
Opcode Fuzzy Hash: d353970459eec12b6c6bcedf16bf91b9cfefa4bdecc3d707f6474f3c8dce8a7b
Instruction Fuzzy Hash: ADE09274E10208EFCB94DFA9D449A9DBBF4FB08610F1081EAE819D77A0E775AA44CF41

Function 05604308 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f8feb134c97dfaecd66fda8d827dc2278b4a0d7db32ad78de21d5d1f0a5c29
Instruction ID: 33e2f8388765ac5afcc2cf57d1f0eb9006f96385d70155f1a0dca958fc066fa5
Opcode Fuzzy Hash: a1f8feb134c97dfaecd66fda8d827dc2278b4a0d7db32ad78de21d5d1f0a5c29
Instruction Fuzzy Hash: C8E07575D1020CEFCB41DFA4D9558DDFBB5EB48201F1082AAA905A3200EA306B55DB80

Function 0560C30D Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5df42cca519a9114c75aefe7071169d51d46670745b52cea76b0f647bb2f0ed
Instruction ID: 20f3ed180aaece573fcfb76e16ac49ca0683690c4dd528fdbd635eb491a5c6ec
Opcode Fuzzy Hash: b5df42cca519a9114c75aefe7071169d51d46670745b52cea76b0f647bb2f0ed
Instruction Fuzzy Hash: 03E0C273C00028ABCB00AFD9DC040DFFB79EF05610F814152E800A7100C3705A22CBC1

Function 0560E5D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f06c0ce760ea5470f85cebc3473b5c9acd2b1fa9d485a84e576bc83124d893
Instruction ID: 50c1a8aa9453f4ce913ea3dc307fccc44ca0f5a79d7627c3baa558359132c14a
Opcode Fuzzy Hash: a9f06c0ce760ea5470f85cebc3473b5c9acd2b1fa9d485a84e576bc83124d893
Instruction Fuzzy Hash: CBE0E2B0E0020CAFCB98EFA9D44539DBBF4EB04200F4085AA9818A3790FB356A44CF81

Function 0560AC00 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65694238465378039ba408b4ddc155c539eddd4d07f4171d5bdd7c4835ecdf0
Instruction ID: d0ee123e229c5335d16e0158693fefc38fc7b1698919f2817c75355152858f2e
Opcode Fuzzy Hash: b65694238465378039ba408b4ddc155c539eddd4d07f4171d5bdd7c4835ecdf0
Instruction Fuzzy Hash: ADE0C26244D3C98FD322C7B8D8253AABFA05B03161F1802CBC9A04B6F3C7640B02D346

Function 05602860 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9043085cb693979b6a3aaca25478c4ae41cd68798a9454589b45cade8c93cdca
Instruction ID: 61b7e74bf95391d51384743392d5a423fbc05728e008149debbd7f1c59c1ac26
Opcode Fuzzy Hash: 9043085cb693979b6a3aaca25478c4ae41cd68798a9454589b45cade8c93cdca
Instruction Fuzzy Hash: 60D0A932284208BFDA40AA94CC82FCA3B6DFB48724F509000FE084A200C63AF913EB71

Function 0560C318 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: c68fa8bc077b49787d3582184cd443e04aac37c81a618a3f81e8d6937283c3e3
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: 67D09E72D00139978B10AFE99C054DFFF79EF09650B818166E915A7100D7715A21DBD1

Function 05600870 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30809e66286ce0e73198c4ae4415290bac773433dc2f2ef9b92ecfe1f9811077
Instruction ID: ea34fc495a2561eea0925c6d7982cf0bf70dde2c40ce9c6f838decea6e9da405
Opcode Fuzzy Hash: 30809e66286ce0e73198c4ae4415290bac773433dc2f2ef9b92ecfe1f9811077
Instruction Fuzzy Hash: 6FD0C9331841087BDB016A81CD42FCE7B5EFB546A4F188414FE041D6A1D67BE627ABA4

Function 0560AC10 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b63ef87c918801a9b59a138a7f51d5c90f853688c458129ebe71ba814937f03
Instruction ID: 8e10bbce87a6bdf60e947d12e2e2f50187eda9c0718ea314b3d67cca7cb43549
Opcode Fuzzy Hash: 4b63ef87c918801a9b59a138a7f51d5c90f853688c458129ebe71ba814937f03
Instruction Fuzzy Hash: 69D0A970C1934CEBC744EFB8980A35EBBB8AB00200F6001A99808936A0EB301F04D781

Function 0560796D Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717b914afda1140612f87010da2761980ebbfb69e231741137260e7fc420e525
Instruction ID: 403a2e49505610d87dd0bfb27fa304a27222ec5052a78823d9422a2efb3db7f8
Opcode Fuzzy Hash: 717b914afda1140612f87010da2761980ebbfb69e231741137260e7fc420e525
Instruction Fuzzy Hash: EDE07E34611354CFC769DF20C5A9998BBB2FF0A306F5015A9F406AB360CB35ED81CE00

Function 05605150 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba8b5e1e51f9885825a04b278e3f2e672031c7658d2f89c0fb92e4252c4cbed
Instruction ID: b87687dd8877c11322e4e74745c0036676a998fa1938c1456e91028d39e0a4eb
Opcode Fuzzy Hash: bba8b5e1e51f9885825a04b278e3f2e672031c7658d2f89c0fb92e4252c4cbed
Instruction Fuzzy Hash: 04C0807181430CDBD710DFB8941DB1BBBACE707216F000196F40AC3580FF711544DA62

Function 05605605 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7b60e7857cee06391d2c0d87f5370e0680b6f15b4fae59cbaea690ec62b313
Instruction ID: a79c4f779adac845697dd8b84ac4b4ad296be4ee7ea0a4a47230201671f50309
Opcode Fuzzy Hash: df7b60e7857cee06391d2c0d87f5370e0680b6f15b4fae59cbaea690ec62b313
Instruction Fuzzy Hash: 16D0123095121A8FC795DF65D990A8CB772BF88201F009555D809A3129DB30598DCF04

Function 05606311 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b5142e59fb8e188c99a5306f253ec292f1ff0cae7f07153b61335d29648076
Instruction ID: ea8d0b821ee4a5dab53a042e9270e4b6007e5506c759f62f8b58e4c97febe093
Opcode Fuzzy Hash: d0b5142e59fb8e188c99a5306f253ec292f1ff0cae7f07153b61335d29648076
Instruction Fuzzy Hash: 98D0223A0040009FCF08EF50C894E1A3FB1FF60300B80E802AC080B021CB30C538CB43

Function 0560B920 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656db7bf5b110974ba7ad17fc37e9eaa0b90e4bd328f2e3c352a7631361b9831
Instruction ID: 0e688db92fa1eacf42edf354f502a15eaa830fdf7e7412ededb27c17d577bce7
Opcode Fuzzy Hash: 656db7bf5b110974ba7ad17fc37e9eaa0b90e4bd328f2e3c352a7631361b9831
Instruction Fuzzy Hash: 4CC08C3A1002411EF6472A30CD0CE023D24EB9120434891D19080950B5C2D1F92C9B12

Function 05602870 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d93b419cb47ec1f9c26749edb6825ffa928b35e756477533e5f5b84448e44c
Instruction ID: 22de85e24c0698a4c242c37b81e737dc97bf7c6283a4e43ef97d60113253136e
Opcode Fuzzy Hash: 48d93b419cb47ec1f9c26749edb6825ffa928b35e756477533e5f5b84448e44c
Instruction Fuzzy Hash: 0CC01236200208AFDA80AA98C800D56776AAB48614F509000BA080A601C272E862DBA0

Function 05600880 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf2fbeede14d05dae5cacda5b27d3baa2721ba9bb27a0b6447e8ebd142139b1
Instruction ID: 607d3bcb77cdecf86e8d052299c50b2491242ba949d274361fcab5a7c6d11efe
Opcode Fuzzy Hash: ecf2fbeede14d05dae5cacda5b27d3baa2721ba9bb27a0b6447e8ebd142139b1
Instruction Fuzzy Hash: 35C00232144108BBCB02AA85D805E5ABF2ABB55694F148055FB040D561D773D562AB90

Function 0560D391 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25edc53db818d95a86f66e2aaa529c0432f354d9b60069d24f2745b2f282a12
Instruction ID: 19162f0d928f7192a23386f25c06ba9f3e0584db2c78e68f14fe42ad34e1c5dc
Opcode Fuzzy Hash: e25edc53db818d95a86f66e2aaa529c0432f354d9b60069d24f2745b2f282a12
Instruction Fuzzy Hash: 89C09B7365478157F2059650CC05B573734D7B574075594925604F70D5C6D0B51DC53A

Function 0560BC6C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e173d1fc9b2ec7686627875f97a2551ef33d608c6fefb5cfc34b2e02785441
Instruction ID: 6802191912046d53bd9324837f4397b9cd5d6b8c8d56cf7bc18b3bbb9dd8ced8
Opcode Fuzzy Hash: f5e173d1fc9b2ec7686627875f97a2551ef33d608c6fefb5cfc34b2e02785441
Instruction Fuzzy Hash: 7EB01236395301E7540CB2A48C94B2F5971FFE6B10FC0EC07320482094CD614439E21F

Non-executed Functions

Function 0560A588 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

sX, xrefs: 0560A767

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: sX
API String ID: 0-3110708420
Opcode ID: a0adbc485557e67a626fa9f0a5f13d9a07dd2c78d9187be92a4587f3a0fa2d19
Instruction ID: 1739a8af582c965c1adad6fe58ce6e57a33b4a6ca12aaff28c053120f9521f7c
Opcode Fuzzy Hash: a0adbc485557e67a626fa9f0a5f13d9a07dd2c78d9187be92a4587f3a0fa2d19
Instruction Fuzzy Hash: 7661E374E156099FCB08CFA9C5848DEFBF2FB88250F24A42AD416B7354E7349A42CB64

Function 0560A57A Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

sX, xrefs: 0560A767

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: sX
API String ID: 0-3110708420
Opcode ID: 145347ae04bd4bb329d46344ac9cb7ae953b8a098043ded175145252abece0c4
Instruction ID: e9ac3d2e2a47f6b592588b3208d4b7cc3b86111af82151713de18708e0798dec
Opcode Fuzzy Hash: 145347ae04bd4bb329d46344ac9cb7ae953b8a098043ded175145252abece0c4
Instruction Fuzzy Hash: FA61F474E152099FCB08CFA9C5849DEFBF2FF88250F24A42AD416B7354E7349A42CB64

Function 074A4513 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

(, xrefs: 074A453D

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 2a6ef342758aee18eb2c038d29eb37c7fdf907a6dfdd0e142a5c945837156fe7
Instruction ID: 76386306c20977010f42e826bc46ce19b38a9fd9e3aaaede822c995d6b8a1969
Opcode Fuzzy Hash: 2a6ef342758aee18eb2c038d29eb37c7fdf907a6dfdd0e142a5c945837156fe7
Instruction Fuzzy Hash: 6D5148B4D59249EBCF04CFADD5406EEFBF5AB9A300F149466D409A7251D7709902CB50

Function 0560A3E8 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

4$VD, xrefs: 0560A43F

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: 4$VD
API String ID: 0-4229505421
Opcode ID: 727675e771b0af5f6be45466b9aa220cfbf01c80e9c43547c5eb12432bd54c92
Instruction ID: 63e91f68c33a802f51cc6031b8247cfc626443e35acb965e5c4d313ce2ed9ce2
Opcode Fuzzy Hash: 727675e771b0af5f6be45466b9aa220cfbf01c80e9c43547c5eb12432bd54c92
Instruction Fuzzy Hash: 784106B5E0060A9FCB48CFAAC4855AEFBF2BF88340F14D52AC415B7254E7349A46CF95

Function 0560A3DB Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

4$VD, xrefs: 0560A43F

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: 4$VD
API String ID: 0-4229505421
Opcode ID: 40a4d740b9ea14c9cd1698b85abed7d2ba7e88d316b2e7a7c86cf1447b2e9471
Instruction ID: 5c44e51a2671b032fb7b83a39568799ca78c7aff32ec68963b25884dd89d52d6
Opcode Fuzzy Hash: 40a4d740b9ea14c9cd1698b85abed7d2ba7e88d316b2e7a7c86cf1447b2e9471
Instruction Fuzzy Hash: 984105B5E0060A9BCB48CFAAC4855AEFBF2BF88350F14D52AC415A7394D7349A46CF94

Function 0560DFA8 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be15fbe1c5df5668b656b135fa563cdcd5b4b95c7c4fc6e3ddc075fa3830d7a
Instruction ID: 61f0f9825af9a4eeb21cf2226e3b9d4de233b8a2cde999bae14c84a923b58ff5
Opcode Fuzzy Hash: 3be15fbe1c5df5668b656b135fa563cdcd5b4b95c7c4fc6e3ddc075fa3830d7a
Instruction Fuzzy Hash: 17D1F770E05219DFCB18CFAAD98099EFBF6FF88340F14A52AD416AB264D7359942CF14

Function 074A5738 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c8b92e7f0557488bc27c5aded8af0804e88f1ff6ec81dd37f9f30888f75021
Instruction ID: f8a729ef56454618d068553b4f9f4d859f56f680214f96fa9673de828a1cd005
Opcode Fuzzy Hash: f6c8b92e7f0557488bc27c5aded8af0804e88f1ff6ec81dd37f9f30888f75021
Instruction Fuzzy Hash: 78E11EB4E102199FDB14DFA9C690AAEFBF2FF89305F24815AD414AB355D730A942CF60

Function 074A76B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d283c89037dbb42c656ad35f36ba1ea1442686f310ff34f56407ced4f852973
Instruction ID: 99a2b8367039001dfeb5711b4cda82af9869ba464a14154fbf461d8dce27467f
Opcode Fuzzy Hash: 8d283c89037dbb42c656ad35f36ba1ea1442686f310ff34f56407ced4f852973
Instruction Fuzzy Hash: 44E11CB4E102199FDB14DFA9C580AAEFBB2FF89305F24816AD414A7356D730A942CF60

Function 074A5300 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e209f255131da998cc4f2fa87223541716564c9b4ea531d84efd44327035793
Instruction ID: 138c32b7172ebf13521e1d2dff50810da6083d2ef29a739383a12b5eaa03fc12
Opcode Fuzzy Hash: 5e209f255131da998cc4f2fa87223541716564c9b4ea531d84efd44327035793
Instruction Fuzzy Hash: 61E10DB4E102199FDB14DFA9C690AAEFBF2FF89305F24815AD414AB355D730A942CF60

Function 074A4EC8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c29128c09c347beb3d8363ee789de914064ef54b01e353b9ae4fff1b487e8e3
Instruction ID: a343a1f903b9f3366371140f5fc7ee012888b1d4a2b606c7a942de02d070b336
Opcode Fuzzy Hash: 7c29128c09c347beb3d8363ee789de914064ef54b01e353b9ae4fff1b487e8e3
Instruction Fuzzy Hash: 4EE11DB4E102199FDB14DFA9C680AAEFBF2FF89305F24816AD414A7355D731A942CF60

Function 074A6DE0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e2cdb99d62c67364a4b312adeff811beb7f7540b56e1527f5bfc6b40bf0b7f
Instruction ID: 0f884a535199f0902fd319584acb66b8e79fa1db145944edd74e34cb6a27a490
Opcode Fuzzy Hash: d3e2cdb99d62c67364a4b312adeff811beb7f7540b56e1527f5bfc6b40bf0b7f
Instruction Fuzzy Hash: 1DE12CB4E002199FDB14DFA9C580AAEFBF2FF89305F24816AD414A7356D730A942CF61

Function 0560DF98 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb8cf8ff00cd79688c7b7a8cb1ad21beba23b2c4fab03b9adb92921c658190f
Instruction ID: d07284d6bce90abddc824363964e1d621c63310b4ef03033456d75be2699a5a3
Opcode Fuzzy Hash: bdb8cf8ff00cd79688c7b7a8cb1ad21beba23b2c4fab03b9adb92921c658190f
Instruction Fuzzy Hash: 13D1E674E05219DFCB08CFAAD98099EFBF6FF88340F14A52AD416AB264D7359942CF14

Function 0560DA70 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f742eb543bf6f6330ef9f86f2e4990f76b34d5a2dd14139685e964fbdb90f3
Instruction ID: 87c7e22264e99af0fabe6af19ad3099523b8ac87a66c298887947ea7d35fc3a0
Opcode Fuzzy Hash: e9f742eb543bf6f6330ef9f86f2e4990f76b34d5a2dd14139685e964fbdb90f3
Instruction Fuzzy Hash: 58B10671E04229DFDB18CFE6D88159EFBB6FF89310F14A52AD415AB264EB349906CF04

Function 0560DA60 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25218c0590ed646dbca4029312d4dab55e4662f4163fd60009c8aa11501537e8
Instruction ID: 8eb686422b7d34d1e7e968cad03b963a13ab0a8bc459482c4dedc0dcc5a80d57
Opcode Fuzzy Hash: 25218c0590ed646dbca4029312d4dab55e4662f4163fd60009c8aa11501537e8
Instruction Fuzzy Hash: 85B11971E04229DFDB18CFE6D98159EFBB6FF88310F14A52AD415A72A4EB349906CF04

Function 0560C9B9 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f0e7d46557f635a8af2bca4796e67280b4233662d25934b6551ea517b99962
Instruction ID: 4a502d4cf10e05a36f90bb99d2cc70fb200205671c80a900640fbc76d6b99f17
Opcode Fuzzy Hash: b4f0e7d46557f635a8af2bca4796e67280b4233662d25934b6551ea517b99962
Instruction Fuzzy Hash: FAD1E53192075ACACB11EB64D9A069DF7B1FF95300F21879AE5097B254EF706AC8CF81

Function 0158D5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1410186993.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6f62ff371718a42f71ad8fc3ca9fea3d34cb98e7691b8841beb0aa1e838eff
Instruction ID: 9fb2ffcbdb3153922b3fcb74b9e99d4e637035269aa39a8ed9e3db0e11527b59
Opcode Fuzzy Hash: cf6f62ff371718a42f71ad8fc3ca9fea3d34cb98e7691b8841beb0aa1e838eff
Instruction Fuzzy Hash: 28A16D32E1021A8FCF15EFB5C88059EBBB2FF89304B15456AE905BF265DB31E915CB80

Function 0560C9C8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1793fa57f866dbf0f97229847948158cde8341a0396329d27c621369d8de1f1
Instruction ID: 096dbe3ae76253e8add2fb276181439d88e42fd63377180d499f09302a573d7a
Opcode Fuzzy Hash: a1793fa57f866dbf0f97229847948158cde8341a0396329d27c621369d8de1f1
Instruction Fuzzy Hash: C9D1E53192075ACACB11EB64D9A069DF7B1FF95300F21879AE5097B254EF706AC8CF81

Function 0560B178 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f107dd5ea0ae4bb708946d0eb3a94aa5692abb7e0762c7f3b57042fc47933cc6
Instruction ID: 0c4b3d6f17d2e460bb962457990926c978ac621d61ff73001a44322b46fb951d
Opcode Fuzzy Hash: f107dd5ea0ae4bb708946d0eb3a94aa5692abb7e0762c7f3b57042fc47933cc6
Instruction Fuzzy Hash: 76B10A70E142199FDB18DFA9C580AAEFBB2FF89300F24D169D419A7365D730A942CF61

Function 0560B168 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3d7b2577fef009c77b938794a3af8d74cd5dbcb1c078d326807ee36315ce59
Instruction ID: 6ce3559e777ba59d8636122da8bfd9c602e2beeba0bdac2930e12bcb9d733c0b
Opcode Fuzzy Hash: 2d3d7b2577fef009c77b938794a3af8d74cd5dbcb1c078d326807ee36315ce59
Instruction Fuzzy Hash: 3EB11A70E142199FDB18DFA9C580AAEFBB2FF89300F24D169D419A7365D7309A42CF61

Function 0560B223 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69aef3f74fbb5da103d0d5387ebc84b096933a50c68dac10dd3a4e61eb88d29
Instruction ID: 6fe173e38b30457cbfe18fa4ac61af3b7f8192ef6439545f940d84fd3c500276
Opcode Fuzzy Hash: c69aef3f74fbb5da103d0d5387ebc84b096933a50c68dac10dd3a4e61eb88d29
Instruction Fuzzy Hash: D0A13974E142199FCB14DFA9C580AAEFBB2FB89300F249199D419A7366D730A942CF60

Function 05609178 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d50890012b21b05c98a11f7dd3bd566458875b8aed8d7642aa84f17a5f4c21
Instruction ID: ffb55de76c99f5ee661f992c6d075c5694bb27ac8954339face7ebde8e30e7d0
Opcode Fuzzy Hash: 87d50890012b21b05c98a11f7dd3bd566458875b8aed8d7642aa84f17a5f4c21
Instruction Fuzzy Hash: 1481CF74A15219CFCB48CF99C58499EFBF2FF88310F249569E419AB361D734AA42CF90

Function 05609168 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816016b4489c3acd02221f2ba086963dcc0f5bd6d25e6ac41a0a7b8b73e06459
Instruction ID: 55cc781b8634f8df4fffd6eb34cc111fba985cf818390946106b3c73b1f38658
Opcode Fuzzy Hash: 816016b4489c3acd02221f2ba086963dcc0f5bd6d25e6ac41a0a7b8b73e06459
Instruction Fuzzy Hash: 8E71D074A152098FCB48CFA9C58499EFBF2FF88310F149566E415AB361D734AA42CF50

Function 05609D48 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23f20ffa3b57fabb3170b095e0eccb94643cc9a5b0c715510d691926098ba71
Instruction ID: ab6ff23561ba5f24a04d46b08f180cd296c6644e12fabae87dab1c62e57f7224
Opcode Fuzzy Hash: f23f20ffa3b57fabb3170b095e0eccb94643cc9a5b0c715510d691926098ba71
Instruction Fuzzy Hash: FE6115B4E05219DFCB08CFA9C5819AEFBB2FF88300F14A555D515AB395D730A942CFA4

Function 05609D39 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257ef177d85bed6afee564d02225e52c5165cb5e2fbeae91c88dc3c910955530
Instruction ID: 2b042cdf2f08127e68e199597553f4428f45abe5eb852b03ec244ff5104ad839
Opcode Fuzzy Hash: 257ef177d85bed6afee564d02225e52c5165cb5e2fbeae91c88dc3c910955530
Instruction Fuzzy Hash: 756103B0E1121ADFCB48CFA9C5819AEFBF2FB88300F149566D515AB395D730AD42CB94

Function 074A52F1 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1417807450.00000000074A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74a0000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8750e93552e79fb37dabc049c059a434b721dc3db559e85602b1449fe686c4a7
Instruction ID: 588d3328f4b3cb3152056b3f31a81a60ab8e3e374aef3bc1868b97cb9c456ae8
Opcode Fuzzy Hash: 8750e93552e79fb37dabc049c059a434b721dc3db559e85602b1449fe686c4a7
Instruction Fuzzy Hash: AC512DB5E002198FDB14DFA9C6806AEFBF6FF89301F24816AD418AB316D7315941CF61

Function 0560A7E8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6eb596b676d9b84bfcb368f359d28b5e48b5f3ed863c0fdced467f8a6afa14
Instruction ID: acf7e2561b90d9fe5fffdc9e96bd141aa36a3f6904d1d98bec66d56a76c90cca
Opcode Fuzzy Hash: 3d6eb596b676d9b84bfcb368f359d28b5e48b5f3ed863c0fdced467f8a6afa14
Instruction Fuzzy Hash: F9510AB5E0530ADBCB48CFE5C5815AEFBF2AF88340F24D46AC415B7254D7349A42CB95

Function 0560A7D8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54502cae794fdc02a9eba134424274d7e7429a8c8d08ab6beb42c1e8f179fa12
Instruction ID: 1c4143f28402791b358ec4b1b00b395fc7d5d3abde4b957507873a9b08314f26
Opcode Fuzzy Hash: 54502cae794fdc02a9eba134424274d7e7429a8c8d08ab6beb42c1e8f179fa12
Instruction Fuzzy Hash: 465127B5E0420ADBCB48CFA9C5805AEFBF2EF88350F24D46AC415AB254D7349A42CB95

Function 05608F69 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1a7c615d2770d44f8b586276a50f70ac69cfb1fb6e6f91edec12bb68e19e11
Instruction ID: dccc2eaea3d3e7aeca8138c655f21fa210d240b9047db60dc9729f86e268198e
Opcode Fuzzy Hash: fd1a7c615d2770d44f8b586276a50f70ac69cfb1fb6e6f91edec12bb68e19e11
Instruction Fuzzy Hash: 58414770E0520AABCB08DFA9C5805AFFBB3FF84240F50E5A9D505A7395E7349A42CB94

Function 05608F78 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df2c3d20fd06e5e5dee3c7e6f1d54175ea7bf7fa44831e673b2deed125278da
Instruction ID: 311554ff0e417dddcf39576ee6e05628e66d36610851e2b9a8a01652c356b2c7
Opcode Fuzzy Hash: 1df2c3d20fd06e5e5dee3c7e6f1d54175ea7bf7fa44831e673b2deed125278da
Instruction Fuzzy Hash: 71412770E0520AEBCB08DFA9C5805AFFBB3FF84240F60E5A9D515A7395D7349A42CB94

Function 05605188 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86bf75b6471b61eaaa9b1445e518d2da18fe7a56c7e1dd0e7b476c5d7db57f12
Instruction ID: ef3701fb5bce55f48686f4b283d9d5e7b7fa017cc8f8478a9ed0c60a8ba64798
Opcode Fuzzy Hash: 86bf75b6471b61eaaa9b1445e518d2da18fe7a56c7e1dd0e7b476c5d7db57f12
Instruction Fuzzy Hash: C4310C71E116189BEB18CFABC84069FFBF3BFD8210F14D16AD419A6254EB305986CF61

Function 05605178 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1415766567.0000000005600000.00000040.00000800.00020000.00000000.sdmp, Offset: 05600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5600000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8977c9340c1e69f8e1da635ad8e9d3642d5e4932a2842ac4fa02974dcb43e516
Instruction ID: 6970e06bd99094ac29ee2f3c5a6e531a69ee337944e38f98ae5f7faa5a6590de
Opcode Fuzzy Hash: 8977c9340c1e69f8e1da635ad8e9d3642d5e4932a2842ac4fa02974dcb43e516
Instruction Fuzzy Hash: B2311C71E016189BEB18CF6BC84169FFBF3BFD8210F14D16AD809A6254EB345546CF61

Analysis Process: tnbws7pyQvMUSjF.exePID: 7856, Parent PID: 7664COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	6.5%
Total number of Nodes:	551
Total number of Limit Nodes:	66

Executed Functions

Function 0041A3DD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425

Strings

rMA, xrefs: 0041A41D, 0041A424
rMA, xrefs: 0041A402, 0041A410
1JA, xrefs: 0041A3FC, 0041A408

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: 5c0496517f31d97c259472048ca822b0fbab862c9f6c5a7a438ed9b1a19d9914
Instruction ID: 6b0eadeb9f920fdd354d08d6441780c3440f976d83cb28858d5aec770868b797
Opcode Fuzzy Hash: 5c0496517f31d97c259472048ca822b0fbab862c9f6c5a7a438ed9b1a19d9914
Instruction Fuzzy Hash: 8BF0B7B2210108AFCB14DF99DC80EEB77A9EF8C364F158649BA1D97291C630E851CBA0

Function 0041A3E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425

Strings

rMA, xrefs: 0041A41D, 0041A424
rMA, xrefs: 0041A402, 0041A410
1JA, xrefs: 0041A3FC, 0041A408

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0041A382 Relevance: 1.6, APIs: 1, Instructions: 53
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 384f15d26221d1ce35fc860fbf05f01770ee111a2540979e292dd623a0094b7d
Instruction ID: 1d50eb2daa8320807c68a08b6faf5cc2ae5bd794e9842ed8d656efd9c24861c4
Opcode Fuzzy Hash: 384f15d26221d1ce35fc860fbf05f01770ee111a2540979e292dd623a0094b7d
Instruction Fuzzy Hash: C00129B6209148AFCB04CF98DD81CEB37EDAF8C314B14864DF958C3241E630EC118BA4

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Function 0041A330 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Function 0041A58B Relevance: 1.5, APIs: 1, Instructions: 39
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 2e6ef2fa9001d2d9cf9345e573db39239b86da486cd1fbfce64457679fac3d55
Instruction ID: e2f7334f55054fde19e298c53a6b0f2b5d857b1dd4677e4b8f5d9aa6102ffb42
Opcode Fuzzy Hash: 2e6ef2fa9001d2d9cf9345e573db39239b86da486cd1fbfce64457679fac3d55
Instruction Fuzzy Hash: 77F09AB12012086FDB14EF98EC85DE7B7ADEF88764F10455AF9489B201C531E954CBA0

Function 0041A510 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Function 0041A45A Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6e6c5e82ca89ed4a42ba518b5317fd08a5cbb145625d4d903a2a484f9fb4b5bc
Instruction ID: 6fe4d53e7d8ec6a6d060faccbf19106aef2bcb785c60214f3d9d71c46fb769f5
Opcode Fuzzy Hash: 6e6c5e82ca89ed4a42ba518b5317fd08a5cbb145625d4d903a2a484f9fb4b5bc
Instruction Fuzzy Hash: A5E08C752012046BDB20EBB58C89EEB7B68EF44364F14419EFA4DAB652C930A6418A90

Function 0041A460 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0

Function 012B2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2B6A

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5edcae73344b6e8329a0a00cc40fab6fea20f10ba9a678a59444c49d7206711
Instruction ID: 4e87c89cba99e849d8c3ff59746b68b08802c828bb623884441288a6e4656d4b
Opcode Fuzzy Hash: c5edcae73344b6e8329a0a00cc40fab6fea20f10ba9a678a59444c49d7206711
Instruction Fuzzy Hash: 59900261212800034105715D4414616400A97E0601B55C125E3014590DC52689916225

Function 012B2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2BFA

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 591052b660ab6b637702c3bb8b06f6e4b70991b199a7ab175d22bc4c0cad9373
Instruction ID: 631e8c3b459801628cf725c35cb89c93438dce4043cf866c4d1e2e4b04410314
Opcode Fuzzy Hash: 591052b660ab6b637702c3bb8b06f6e4b70991b199a7ab175d22bc4c0cad9373
Instruction Fuzzy Hash: D090023121180802D180715D440464A000597D1701F95C119A2025654DCA168B5977A1

Function 012B2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2ADA

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 509b764a9166b5e08659d316d4b72e8272f12ab0c749e5ef46787c0d8563eede
Instruction ID: f50ed79bfeff65b259bbcf5d5c8125136dc103b7be64880969042bd36d31d50c
Opcode Fuzzy Hash: 509b764a9166b5e08659d316d4b72e8272f12ab0c749e5ef46787c0d8563eede
Instruction Fuzzy Hash: C6900435331C00030105F55D07045070047D7D5751355C135F3015550CD733CD715331

Function 012B2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2D3A

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce86339c18e0bdb836eed3fca08da6b1939c86d877052d62100026641b5b2b5a
Instruction ID: 40ce76ffa25b77687c2d8272b9358806bda1e431f28f62b0e47e0f1ddec18f4d
Opcode Fuzzy Hash: ce86339c18e0bdb836eed3fca08da6b1939c86d877052d62100026641b5b2b5a
Instruction Fuzzy Hash: 0F900431311C0003D140715D541C7074005F7F1701F55D115F3414554CDD17CD575333

Function 012B2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2D1A

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 87f56ad527dbbb2eb15e5f00e1b47f8a5e4418ed709448c3395f28aab7949f42
Instruction ID: 0251ed1e76e69a1644aea6ea5c802544bd9ffe001a166f8f8f8d80f4de655ab0
Opcode Fuzzy Hash: 87f56ad527dbbb2eb15e5f00e1b47f8a5e4418ed709448c3395f28aab7949f42
Instruction Fuzzy Hash: 1E90022922380002D180715D540860A000597D1602F95D519A2015558CC91689695321

Function 012B2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2DFA

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b0484a014786257545902ff4a1ea428ae2c2fe666da69a3520deb6eb2240e7f
Instruction ID: 18807b59947fd8505f3a53fa6b9b9b8524e6eda6016e35404a1f83d6c183db96
Opcode Fuzzy Hash: 6b0484a014786257545902ff4a1ea428ae2c2fe666da69a3520deb6eb2240e7f
Instruction Fuzzy Hash: 6F90023121180413D111715D4504707000997D0641F95C516A2424558DD6578A52A221

Function 012B2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2DDA

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 155e76716a876f1f7c2183573509f809668c8c6c61b00746f68c99b72afffcf1
Instruction ID: 4fe64615941345c41e62c9665b89b11915482da5afe392fe1636700b067ac606
Opcode Fuzzy Hash: 155e76716a876f1f7c2183573509f809668c8c6c61b00746f68c99b72afffcf1
Instruction Fuzzy Hash: 0D900221252841525545B15D44045074006A7E0641795C116A3414950CC5279956D721

Function 012B2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2C7A

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 517418c68671ee51055d2e1ae5a2ce33e471163abf262d7b8bc698f6bef24536
Instruction ID: 253eb4231a81ff10a38c1ba649779af3941436829c9aa5b5a6bbec16ab3abb1f
Opcode Fuzzy Hash: 517418c68671ee51055d2e1ae5a2ce33e471163abf262d7b8bc698f6bef24536
Instruction Fuzzy Hash: 0690023121188802D110715D840474A000597D0701F59C515A6424658DC69689917221

Function 012B2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2CAA

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a7b2204b9e42e5fd5a799d029fb0ef498284834a3fce32970e03bb7b774c4d3f
Instruction ID: cc1ae4e2f5b137d6a150985f80de31b5dd3599ce51f03e801ef1102e8142e301
Opcode Fuzzy Hash: a7b2204b9e42e5fd5a799d029fb0ef498284834a3fce32970e03bb7b774c4d3f
Instruction Fuzzy Hash: A890023121180402D100759D5408646000597E0701F55D115A7024555EC66689916231

Function 012B2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2F3A

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c195d8c931bdaef67bd2d0cd5d78fa053ed2696e1ce8368296ca1c559abb8223
Instruction ID: 25afd246965453aa99959c115fc34ca1d86f406ec70df827af5cc89b63db1cdd
Opcode Fuzzy Hash: c195d8c931bdaef67bd2d0cd5d78fa053ed2696e1ce8368296ca1c559abb8223
Instruction Fuzzy Hash: 7290026135180442D100715D4414B060005D7E1701F55C119E3064554DC61ACD526226

Function 012B2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2FBA

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b73767010bf126a5da7bd64bd48e756d76a7f8a130dbe83bac246d1577a96c3
Instruction ID: 668a5c44fcdc03a9acd34033d66799df804e7cc94a253dface66ca07f5a54d73
Opcode Fuzzy Hash: 6b73767010bf126a5da7bd64bd48e756d76a7f8a130dbe83bac246d1577a96c3
Instruction Fuzzy Hash: 05900221611800424140716D88449064005BBE1611755C225A2998550DC55A89655765

Function 012B2F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2F9A

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78b0b5a2ce9f22e726ed245c2f724374bae917c3227b16f389da58402977719b
Instruction ID: bc135ce29320daad85a47d2dd2d7f480276cba4e139f91c7ae8a8b3e6b06f551
Opcode Fuzzy Hash: 78b0b5a2ce9f22e726ed245c2f724374bae917c3227b16f389da58402977719b
Instruction Fuzzy Hash: 82900231211C0402D100715D481470B000597D0702F55C115A3164555DC62689516671

Function 012B2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2FEA

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f8dc48632f312643cd47d6795b28c4ef6871ade778e6fc2bf44118e95169c333
Instruction ID: eb6928546737e09bfcf728e830cab64f9a6b7dafd9ffe8f7b0991e69e68567e2
Opcode Fuzzy Hash: f8dc48632f312643cd47d6795b28c4ef6871ade778e6fc2bf44118e95169c333
Instruction Fuzzy Hash: F7900221221C0042D200756D4C14B07000597D0703F55C219A2154554CC91689615621

Function 012B2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2EAA

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: feafab837f9258569d1a27f5b56556637d8c180c80e046adaca63225262916f6
Instruction ID: e3c686e5f8d32912826f4ed8bd93ea205f8f76bd32c207a0f5441963d390f3c9
Opcode Fuzzy Hash: feafab837f9258569d1a27f5b56556637d8c180c80e046adaca63225262916f6
Instruction Fuzzy Hash: DB90027121180402D140715D4404746000597D0701F55C115A7064554EC65A8ED56765

Function 012B2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2E8A

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3bb771add7bea3d2e3e7a52462ed52f29c937dd4b93fa1b6f0c6876d501504cf
Instruction ID: e7d013a4530c6bccd65bbf023524c97e798063a0aaac5f679f5e2165f30f39d4
Opcode Fuzzy Hash: 3bb771add7bea3d2e3e7a52462ed52f29c937dd4b93fa1b6f0c6876d501504cf
Instruction Fuzzy Hash: 3090022161180502D101715D4404616000A97D0641F95C126A3024555ECA268A92A231

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
Instruction ID: 0cf1d1cfbff413d406b9f50454d57ab941c4b3e8ec75440de5a7d7d7e128ebbb
Opcode Fuzzy Hash: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
Instruction Fuzzy Hash: 24210AB2D4020857CB25D664AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Function 0041A5C6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6EA, xrefs: 0041A62C

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID:
String ID: 6EA
API String ID: 0-1400015478
Opcode ID: 6f91872405a5665760c44d80f0d31e8fe445e7a8515f7e2f7a920fb12f5240b4
Instruction ID: 3d5a4909fdf7ea18f232bcb6db1d04f408665bc14c263944276654def93571ea
Opcode Fuzzy Hash: 6f91872405a5665760c44d80f0d31e8fe445e7a8515f7e2f7a920fb12f5240b4
Instruction Fuzzy Hash: 67F0E2B22012057FD728DB58DC85EE7779CEF88364F08464AFA8C47742D631E951C6A4

Function 0041A600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D

Strings

6EA, xrefs: 0041A622, 0041A62C

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Function 0041A745 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: f7a7bf1258667fdb217bfec2e719a1d78622227a793214c8a229aa48233c665a
Instruction ID: f6d1d87c0eccfe0969b243c592031f2bf80321ca13f96933460332b6b96dddcb
Opcode Fuzzy Hash: f7a7bf1258667fdb217bfec2e719a1d78622227a793214c8a229aa48233c665a
Instruction Fuzzy Hash: 560176B42003446FC310DF68CC81DEB7BA8DF85620F04859AF89C5B343C238E82787A2

Function 0041A791 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2f00c1280bac6a36bee62521e0aec708fb63f00487ae07fe61214d2aa94c0a8d
Instruction ID: c2fb3efb9a5f1b1f9cdc0c4d7d7891fecec6735acce639661a3542e73fa2df2e
Opcode Fuzzy Hash: 2f00c1280bac6a36bee62521e0aec708fb63f00487ae07fe61214d2aa94c0a8d
Instruction Fuzzy Hash: 8C0124B12013046FCB24EF54CC85EE73BA8EF85324F04449AF94C1B642C638E821C7B5

Function 0041A640 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0

Function 0041A7A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5

Function 0041A680 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1

Function 012B2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B2C24

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88d0338d6dbce98ba21abdf704acba42ee5ea597e93ca2cdbe335f3fcc09fc3c
Instruction ID: e56e6dc7bca76e7b217ab82afab53081190b6ad33640e282be6d3c992ed4107b
Opcode Fuzzy Hash: 88d0338d6dbce98ba21abdf704acba42ee5ea597e93ca2cdbe335f3fcc09fc3c
Instruction Fuzzy Hash: 8EB09B719119D5C5DA11E76446087177A0077D0741F16C165D3030641F4739D5D1E375

Non-executed Functions

Function 01328D10 Relevance: 37.8, Strings: 30, Instructions: 268COMMONLIBRARYCODE

Download Yara Rule

Strings

This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01328DB5
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01328E3F
read from, xrefs: 01328F5D, 01328F62
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01328F2D
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01328D8C
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01328E86
The instruction at %p tried to %s , xrefs: 01328F66
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01328F34
a NULL pointer, xrefs: 01328F90
This failed because of error %Ix., xrefs: 01328EF6
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 01328E4B
*** Resource timeout (%p) in %ws:%s, xrefs: 01328E02
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01328F26
*** enter .exr %p for the exception record, xrefs: 01328FA1
*** enter .cxr %p for the context, xrefs: 01328FBD
write to, xrefs: 01328F56
<unknown>, xrefs: 01328D2E, 01328D81, 01328E00, 01328E49, 01328EC7, 01328F3E
*** Inpage error in %ws:%s, xrefs: 01328EC8
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01328FEF
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01328DC4
The instruction at %p referenced memory at %p., xrefs: 01328EE2
*** An Access Violation occurred in %ws:%s, xrefs: 01328F3F
*** A stack buffer overrun occurred in %ws:%s, xrefs: 01328DA3
*** then kb to get the faulting stack, xrefs: 01328FCC
The resource is owned exclusively by thread %p, xrefs: 01328E24
The critical section is owned by thread %p., xrefs: 01328E69
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01328DD3
Go determine why that thread has not released the critical section., xrefs: 01328E75
an invalid address, %p, xrefs: 01328F7F
The resource is owned shared by %d threads, xrefs: 01328E2E

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 734f68cc55ce3f35f5787ece4b23b5ea9624e6345766b6c17dbb519895a307bc
Instruction ID: 2481a37023418702fb3989982992337cf148ff207e2b00b4043c1fba348427e4
Opcode Fuzzy Hash: 734f68cc55ce3f35f5787ece4b23b5ea9624e6345766b6c17dbb519895a307bc
Instruction Fuzzy Hash: 8781137AA10224BFDB21FB199C45D7B7B79EF66B18F01009CF6086F292E3758441DB61

Function 012F2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 012F3187
UnloadEventTraceDepth, xrefs: 012F24C0
@, xrefs: 012F2B74
DisableExceptionChainValidation, xrefs: 012F275F
TracingFlags, xrefs: 012F2549
GlobalFlag, xrefs: 012F2F3F, 012F3059
ExecuteOptions, xrefs: 012F25A0
FrontEndHeapDebugOptions, xrefs: 012F2489
@, xrefs: 012F2942
Initializing the application verifier package failed with status 0x%08lx, xrefs: 012F3176
RaiseExceptionOnPossibleDeadlock, xrefs: 012F2579
CFGOptions, xrefs: 012F2967
DisableHeapLookaside, xrefs: 012F246D
GlobalFlag2, xrefs: 012F2FC0
UseImpersonatedDeviceMap, xrefs: 012F251C
MaxLoaderThreads, xrefs: 012F24EC
ShutdownFlags, xrefs: 012F24A1
LdrpInitializeExecutionOptions, xrefs: 012F317D
MinimumStackCommitInBytes, xrefs: 012F2BB0
MaxDeadActivationContexts, xrefs: 012F2D82

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 1c5ef79dfea2b817f9126707083c878ff4a539562e67ae7d99184ac3f2183e60
Instruction ID: 7da0da4a5387cc67bdfa28cd2b13bc4d14d996a907cd391bd481e9438be29606
Opcode Fuzzy Hash: 1c5ef79dfea2b817f9126707083c878ff4a539562e67ae7d99184ac3f2183e60
Instruction Fuzzy Hash: 5C928A71624742EBE721DE28C881B6BFBE8BB85754F04492DFB94D7290D770E844CB92

Function 012A8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

corrupted critical section, xrefs: 012E54C2
double initialized or corrupted critical section, xrefs: 012E5508
Invalid debug info address of this critical section, xrefs: 012E54B6
Thread is in a state in which it cannot own a critical section, xrefs: 012E5543
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012E54E2
Critical section debug info address, xrefs: 012E541F, 012E552E
8, xrefs: 012E52E3
undeleted critical section in freed memory, xrefs: 012E542B
Critical section address., xrefs: 012E5502
Critical section address, xrefs: 012E5425, 012E54BC, 012E5534
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012E54CE
Address of the debug info found in the active list., xrefs: 012E54AE, 012E54FA
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012E540A, 012E5496, 012E5519
Thread identifier, xrefs: 012E553A

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 7eb60876425325e224b995b471cbcc87463e9c925c517da28bfbb310e79d35b1
Instruction ID: 086b5585c33a37b7210b2a77b8cf412b261141e1423cf042534b61b80c5ccf0f
Opcode Fuzzy Hash: 7eb60876425325e224b995b471cbcc87463e9c925c517da28bfbb310e79d35b1
Instruction Fuzzy Hash: 0881A274A60349EFDB60CF9AC885BAEBBF9FB08718F504119FA05B7251D3B5A940CB50

Function 012A29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

RtlpResolveAssemblyStorageMapEntry, xrefs: 012E261F
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 012E2412
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 012E2409
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 012E25EB
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 012E2624
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 012E22E4
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 012E2506
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 012E2498
@, xrefs: 012E259B
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 012E2602
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 012E24C0

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 49c986624a3fd8f789049f784169fd77d21cb8d224cdce3c5d07de794d8448fc
Instruction ID: a8a060794dae3c06980f9966d983e2c4badd676fcc218994784ea153fd10baef
Opcode Fuzzy Hash: 49c986624a3fd8f789049f784169fd77d21cb8d224cdce3c5d07de794d8448fc
Instruction Fuzzy Hash: B60292B1D20229DFDB31DB54CD85BE9B7B8AB44304F8141EAEB09A7241DB709E84CF59

Function 01318B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

runtimebroker.exe, xrefs: 01318B73
services.exe, xrefs: 01318B96
csrss.exe, xrefs: 01318B80
smss.exe, xrefs: 01318B8B
heapType, xrefs: 01318BCB
lsass.exe, xrefs: 01318BA1
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01318BD0
DefaultBrowser_NOPUBLISHERID, xrefs: 01318D00
SegmentHeap, xrefs: 01318BE9
svchost.exe, xrefs: 01318B68

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: f22a49b676b05f2032b8cd064480cdd344ec6d0bed88704d23e200b427e1f059
Instruction ID: 615429cf954996bc98cacbc60352f6ec68315c0440b34b20a802d7111f1034e0
Opcode Fuzzy Hash: f22a49b676b05f2032b8cd064480cdd344ec6d0bed88704d23e200b427e1f059
Instruction Fuzzy Hash: 835100B12243059BD72DDF188884BABBBECFF94348F54495DE958C3244E770D608CB96

Function 0128AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 012D80B7
DLL name: %wZ, xrefs: 012D8075
LdrGetDllHandleEx, xrefs: 012D807C, 012D83B2
Status: 0x%08lx, xrefs: 012D82D0, 012D83AB
LdrpInitializeDllPath, xrefs: 012D80AD
minkernel\ntdll\ldrfind.c, xrefs: 012D82E1
LdrpFindLoadedDllInternal, xrefs: 012D82D7
DLL search path passed in externally: %ws, xrefs: 012D80A6
minkernel\ntdll\ldrapi.c, xrefs: 012D8086, 012D83BC

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: 6f80a0938afbe7f032cff413bf128a4e91d51c6ad2b04e1cabd4c3b6ac443d12
Instruction ID: fc97f696daed05568aa579584af1478ce717663406421b9802f2ba2bf65ad677
Opcode Fuzzy Hash: 6f80a0938afbe7f032cff413bf128a4e91d51c6ad2b04e1cabd4c3b6ac443d12
Instruction Fuzzy Hash: 0E12F27162A3428BD325EF28C441BBAB7E4FF94704F04491EFA858B2D1EB74D945CB52

Function 01320274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0132069F
HEAP: , xrefs: 013203A6, 013204B5, 013205DD, 01320682, 013206D9
About to reallocate block at %p to %Ix bytes, xrefs: 013203BA
Just reallocated block at %p to %Ix bytes, xrefs: 013205F1
HEAP[%wZ]: , xrefs: 01320399, 013204A8, 013205D0, 01320675, 013206CC
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 013204D3
RtlReAllocateHeap, xrefs: 013202BF, 01320362
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 013206EA

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: a53228bc4e4fbd79864c8ae4d7b3125072be1552a751ce5ac0d99906fad0abef
Instruction ID: 532ed6586c8943429631fb5e7b9341d14095f3702a4937154790f7adc60e2160
Opcode Fuzzy Hash: a53228bc4e4fbd79864c8ae4d7b3125072be1552a751ce5ac0d99906fad0abef
Instruction Fuzzy Hash: 38D11031A10695DFDB2AEF68C440AADBBF5FF0A718F18C059F4459B662C7359888CF50

Function 0127ADE0 Relevance: 9.3, Strings: 7, Instructions: 573COMMON

Download Yara Rule

Strings

H, xrefs: 0127AEC2
#, xrefs: 012D363D
LdrpResSearchResourceMappedFile Enter, xrefs: 0127AEB8
MUI, xrefs: 0127B410
LdrpResSearchResourceMappedFile Exit, xrefs: 0127AECC
J, xrefs: 0127AEAE
MZER, xrefs: 012D36A8

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
API String ID: 0-664215390
Opcode ID: 8027d3700b771b12c407cd50a1152cdfad3e3fcbdb0d29cb3772320e981e386c
Instruction ID: 82f70a975f288ea64819a48b64c58c9fd6d4be10ac612fc7ec0a8d1532dc5f59
Opcode Fuzzy Hash: 8027d3700b771b12c407cd50a1152cdfad3e3fcbdb0d29cb3772320e981e386c
Instruction Fuzzy Hash: 7232C27192026A8BEF22CF18C898BEFBBB5BF45340F1440E9E949A7251D7719E81CF45

Function 012F89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 012F8A3D
VerifierDebug, xrefs: 012F8CA5
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 012F8A67
VerifierFlags, xrefs: 012F8C50
HandleTraces, xrefs: 012F8C8F
VerifierDlls, xrefs: 012F8CBD
AVRF: -*- final list of providers -*- , xrefs: 012F8B8F

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 56d1d849136eca01e8d71ad67e375c9324d471696a31d200806a8a0e680e721b
Instruction ID: 2f804bae85ced0af6f651d58f4d29b7d6cc5240ed1a4b040b8b2d9e90703e306
Opcode Fuzzy Hash: 56d1d849136eca01e8d71ad67e375c9324d471696a31d200806a8a0e680e721b
Instruction Fuzzy Hash: EE912772665306AFD721EF28C881B2AFBA8EF54B54F04443CFB41AB294D7709C44C791

Function 0127EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 0127EB62
T, xrefs: 0127EB4E
, xrefs: 0127F299
{, xrefs: 012D4643
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0127EB58
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0127EB6C

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 286773805e650d531431188d4dfd6f3c52538181677dc13a62b99aec81e1c58e
Instruction ID: 671eb483bd19e3405d92d4d5420a379220ac1321bfc0df146c7d3f12b6ca6d89
Opcode Fuzzy Hash: 286773805e650d531431188d4dfd6f3c52538181677dc13a62b99aec81e1c58e
Instruction Fuzzy Hash: 0CA25974A2566A8FDB64DF18CD887AABBB5EF45304F1442E9D91DA7290DB709EC0CF00

Function 012A63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 012E40E9, 012E414B, 012E420F, 012E4269
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 012E41FE
_LdrpInitialize, xrefs: 012E40DF, 012E4141, 012E4205, 012E425F
Delaying execution failed with status 0x%08lx, xrefs: 012E4258
Process initialization failed with status 0x%08lx, xrefs: 012E413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 012E40D8

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 333ce684e75d7d7c0b315ee9ad96d8e25a0b0f77a7be3653b3c55b335e62dd35
Instruction ID: 7f2ae38696db00d99937e9f03063cf4d991755faa30b8d214cd84cd535cb17f1
Opcode Fuzzy Hash: 333ce684e75d7d7c0b315ee9ad96d8e25a0b0f77a7be3653b3c55b335e62dd35
Instruction Fuzzy Hash: 18914970A30352DBEB35EF58D849BBA7BE5FB11B54F88412CDA04AB2D1D7B49801C790

Function 0126645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 012C9A11, 012C9A3A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 012C9A01
LdrpInitShimEngine, xrefs: 012C99F4, 012C9A07, 012C9A30
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 012C99ED
apphelp.dll, xrefs: 01266496
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 012C9A2A

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 0b94ce351230cf072fbc649e7e7579c3287112d56623b07d7af07036e9ebf992
Instruction ID: 1b8356057f6d8a3e8874936024ba75a3cca4078f17281aa9a931ebb4362e5f86
Opcode Fuzzy Hash: 0b94ce351230cf072fbc649e7e7579c3287112d56623b07d7af07036e9ebf992
Instruction Fuzzy Hash: 6251C571278305DFDB24DF28D892B6B77E8FB84B48F104A1DF685971A0D670E984CB92

Function 012A2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 012E219F
SXS: %s() passed the empty activation context, xrefs: 012E2165
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 012E21BF
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 012E2178
RtlGetAssemblyStorageRoot, xrefs: 012E2160, 012E219A, 012E21BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 012E2180

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 2aa1d6fc89361c0ff0f012b8eccf18e894cd0d56f01d084175719aedb8c0b94e
Instruction ID: 929cd673c67b9d7710f669a3a65fa02f62d5f7724dd209543601c83288d79f70
Opcode Fuzzy Hash: 2aa1d6fc89361c0ff0f012b8eccf18e894cd0d56f01d084175719aedb8c0b94e
Instruction Fuzzy Hash: BB31393ABB0212F7E7258A998C89F6A7BBCDB64B40F85005DFF056B201D270DB00D3A1

Function 012AC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 012AC6C3
minkernel\ntdll\ldrredirect.c, xrefs: 012E8181, 012E81F5
Loading import redirection DLL: '%wZ', xrefs: 012E8170
LdrpInitializeImportRedirection, xrefs: 012E8177, 012E81EB
Unable to build import redirection Table, Status = 0x%x, xrefs: 012E81E5
LdrpInitializeProcess, xrefs: 012AC6C4

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: f7e8da0c4b8d4ade524445a1263cab27ce84d0756c849c877518a51ba16d85dc
Instruction ID: 18411316b45786bd18b00ce567a77c789169e0e1e45b545da3e34bd710047678
Opcode Fuzzy Hash: f7e8da0c4b8d4ade524445a1263cab27ce84d0756c849c877518a51ba16d85dc
Instruction Fuzzy Hash: 693125B17647429FD324EF29D986E2AB7D4FFD4B54F40051CFA84AB291E620EC04C7A2

Function 012B096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 012B2DF0: LdrInitializeThunk.NTDLL ref: 012B2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012B0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012B0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012B0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012B0D74

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: eaa2198dc861cecb5bf7c143406c65de2bb531dbec3cb575d2a74f48b6e2c61a
Instruction ID: 320e4143a8f615a50bb5a0bfbbe0b6483f9c1f0aad5cf13925be566aa51add8a
Opcode Fuzzy Hash: eaa2198dc861cecb5bf7c143406c65de2bb531dbec3cb575d2a74f48b6e2c61a
Instruction Fuzzy Hash: AC424B71910716DFDB21CF28C885BEAB7F5FF04354F1445AAEA899B241E770A984CF60

Function 0127A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 0127A3F7
LdrResFallbackLangList Enter, xrefs: 0127A3EF
LdrResFallbackLangList Exit, xrefs: 0127A3FF
8, xrefs: 0127A3E7

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 66767308f0547620396198d4e15ed1d6f0a8d7246de58d727f5f97bdd6e15c2e
Instruction ID: ae57c491cd832921ec435d8dcbdfaaa2e47c92a2e325459c5dcb617ccffd6ad8
Opcode Fuzzy Hash: 66767308f0547620396198d4e15ed1d6f0a8d7246de58d727f5f97bdd6e15c2e
Instruction Fuzzy Hash: 05C17671528382CFD721CF58C044B6FB7E4EF84724F08896AFA958B291E775C949CB52

Function 012A8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 012A8421
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 012A855E
LdrpInitializeProcess, xrefs: 012A8422
@, xrefs: 012A8591

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 38665b926f65b668a03d3b00456ad9149f16a458e91adee10f014bdf1cc819dd
Instruction ID: 597440a671caff46f0c14413a2c651afba65c12d5a76e56c79829ed3a41b293e
Opcode Fuzzy Hash: 38665b926f65b668a03d3b00456ad9149f16a458e91adee10f014bdf1cc819dd
Instruction Fuzzy Hash: 64917F71568345AFD721EB25CC85FABBBE8FB84784F80092DFA8496151E730D944CB62

Function 012A273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 012E21DE
.Local, xrefs: 012A28D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 012E21D9, 012E22B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 012E22B6

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: cfa8573fa91b9e26e190de32d8f32335ddf8d45afad716fd6a64afcb1acadc23
Instruction ID: 51cca5dcf8dfe677bbb28b50d26560ba89065ec30186548d98471f74ab5b324f
Opcode Fuzzy Hash: cfa8573fa91b9e26e190de32d8f32335ddf8d45afad716fd6a64afcb1acadc23
Instruction Fuzzy Hash: 55A1C23192022ADFDB24CF68CC88BA9B7B4BF58714F6441E9DA09A7251D7709E80CF90

Function 012A4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 012E3437
RtlDeactivateActivationContext, xrefs: 012E3425, 012E3432, 012E3451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 012E342A
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 012E3456

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 12d4a86d0b8e76427953e544fe4ae169ae23e13ae79c37e9447dde8554fc7686
Instruction ID: 77975aa57c5fd4258c178f03c3a5e51959b855e2e7b49357ad3e5d9a2431e2dd
Opcode Fuzzy Hash: 12d4a86d0b8e76427953e544fe4ae169ae23e13ae79c37e9447dde8554fc7686
Instruction Fuzzy Hash: 156111366306539BD722DF1CC886B2AB7E1FF80B11F988529EA559B241D7B0E801CB91

Function 012764AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 012D10AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 012D106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 012D0FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 012D1028

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: f9e4da2e0e3ae57c969d08a549b4c816b96cfd2221ba2baae1b0166e2a4e1a3f
Instruction ID: fa0ecfb33f0cc9359c6cc1677d9613379c3c62a4b0c01b0caf6915304f8ee2e2
Opcode Fuzzy Hash: f9e4da2e0e3ae57c969d08a549b4c816b96cfd2221ba2baae1b0166e2a4e1a3f
Instruction Fuzzy Hash: 2271F3B19247069FDB21DF14C885FA77FA8AF54754F000468FA488B286D734D588DBD1

Function 012A4D1D Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 012E362F
LdrpFindDllActivationContext, xrefs: 012E3636, 012E3662
Querying the active activation context failed with status 0x%08lx, xrefs: 012E365C
minkernel\ntdll\ldrsnap.c, xrefs: 012E3640, 012E366C

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 7370b26b7b9a2ece6bf0f0db191989d9cd5dcec5ac6a7412850ed9be034357fc
Instruction ID: e9a1ca657336482900e30cf70e0513552ef9ac97331c6a4cc9afe4154cae3ba4
Opcode Fuzzy Hash: 7370b26b7b9a2ece6bf0f0db191989d9cd5dcec5ac6a7412850ed9be034357fc
Instruction Fuzzy Hash: A731F862930A93EFDF36FA1CC849A3566A4BB01754F8E4029DB0457662D7E0DC8087D5

Function 0129245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 012DA9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 012DA992
apphelp.dll, xrefs: 01292462
LdrpDynamicShimModule, xrefs: 012DA998

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: c771f718bced0f256eb07cc1ac8738e82333191d306dd3dfe0d82e068d496cf8
Instruction ID: f8ee313ecdcc417922574fa039870f39b81c49ec4231d946cbd7a45ba322abeb
Opcode Fuzzy Hash: c771f718bced0f256eb07cc1ac8738e82333191d306dd3dfe0d82e068d496cf8
Instruction Fuzzy Hash: 51316BB5620202EBDB319F6DC882EBA7BBCFB80B44F168019EA1167265C7B09841C790

Function 012829A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01283264
HEAP[%wZ]: , xrefs: 01283255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0128327D

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 8690185922ac42c4ddc2b37088e2556e654c54b9954c563a6040b9dc279102cf
Instruction ID: fe7135b3c7a8773f85db41b7adff8183cbef94cdc0c7503c9c2227d0c3e04ec4
Opcode Fuzzy Hash: 8690185922ac42c4ddc2b37088e2556e654c54b9954c563a6040b9dc279102cf
Instruction Fuzzy Hash: 1892CC70A2624ADFEB25DF68C440BAEBBF1FF08704F188059E959AB391D774A941CF50

Function 01280770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 012D50CA
HEAP: , xrefs: 012D50BD
HEAP[%wZ]: , xrefs: 012D50AE

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 6f0a5e8bd252a0f6bd2d64b8515ca69298b3c0f882befa068c1d5a0ef056777d
Instruction ID: 799ef63793c3544ffa07497b9b1d81e09395ebaed5df1360f27a435fbb11d258
Opcode Fuzzy Hash: 6f0a5e8bd252a0f6bd2d64b8515ca69298b3c0f882befa068c1d5a0ef056777d
Instruction Fuzzy Hash: FBF1ED30B21606DFEB25EF68C884B6AB7F5FF44704F148168E6069B391D7B0E985CB94

Function 01296962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01296C24
, xrefs: 012DCA51

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: 692ddadb9b6382c1dac1d02b677d5cf25557e20d13b74d1ec1d709ede5dadf9b
Instruction ID: 367bf930155f06c1b651f47053731de438e49fd23861da59f9c247ebe3e32279
Opcode Fuzzy Hash: 692ddadb9b6382c1dac1d02b677d5cf25557e20d13b74d1ec1d709ede5dadf9b
Instruction Fuzzy Hash: CDC271716283429FEB25CF28C841BABBBE5BF88754F04892DFA89C7241D774D845CB52

Function 0126A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 0126A1C1
FilterFullPath, xrefs: 012CC2E6
\??\, xrefs: 012CC1E4

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 8cf9b324b74ace7704ee68c6fc9f810e15ddb24e139e462063e8a622290c8094
Instruction ID: e7ce230f5778362d802e6abf8e4ea451b86231d17259cae6b7396e13be987f94
Opcode Fuzzy Hash: 8cf9b324b74ace7704ee68c6fc9f810e15ddb24e139e462063e8a622290c8094
Instruction Fuzzy Hash: C2A14D7196162A9BDB31DF68CC88BE9B7B8EF44B10F1041E9DA0DA7250D7359E84CF50

Function 01290BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 012DA121
Failed to allocated memory for shimmed module list, xrefs: 012DA10F
LdrpCheckModule, xrefs: 012DA117

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 42f729fe44dfde1dd5af5ee3a2713d18315193a249f6f99b0ec0060b1cfc6f04
Instruction ID: 9beb976517337ec07bb894952fab87f930ae17c07b59c6dd8ff15460207e2614
Opcode Fuzzy Hash: 42f729fe44dfde1dd5af5ee3a2713d18315193a249f6f99b0ec0060b1cfc6f04
Instruction Fuzzy Hash: 5171ADB0A2020ADFDF25DF6CC981BBEB7F8EB44744F14802DEA16A7251E774A941CB54

Function 01280A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 012D534D
HEAP: , xrefs: 012D5342
HEAP[%wZ]: , xrefs: 012D5335

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 0f70fc272b7865bb2e8b7ef9582ef4a6217bd5e2754aa1c7f1a67e4732fc9105
Instruction ID: 997fb635130841302063f4060929040876d98664b9c091a2759edc1cc36ba23e
Opcode Fuzzy Hash: 0f70fc272b7865bb2e8b7ef9582ef4a6217bd5e2754aa1c7f1a67e4732fc9105
Instruction Fuzzy Hash: 2961DF70621302DFDB29DF28C481B6ABBF5FF44304F14856AE9598F292D7B0E885CB95

Function 012AC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 012E82E8
Failed to reallocate the system dirs string !, xrefs: 012E82D7
LdrpInitializePerUserWindowsDirectory, xrefs: 012E82DE

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 909dbe68fbeaf4428d61fd4c752fabc7cde68e06ddde7adeac0d872962de4c8a
Instruction ID: 70fe5d0a734fb4112c22d2cb7ebbff0e760f45bc1eef375c62c10186c415ce16
Opcode Fuzzy Hash: 909dbe68fbeaf4428d61fd4c752fabc7cde68e06ddde7adeac0d872962de4c8a
Instruction Fuzzy Hash: 4841F3B1564306AFC725EB68ED45B6B7BECAF44750F40842AFA45D32A1EB70D810CB91

Function 0132C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0132C1C5
PreferredUILanguages, xrefs: 0132C212
@, xrefs: 0132C1F1

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 9f264f34d813b157bc2b38db8b3e16e4b23779aa5cb2e4696723779d9c77f86d
Instruction ID: 081bcf8bfec8da5034c41e161be7a22918fe57dbc2a78824be1a59181c8384e3
Opcode Fuzzy Hash: 9f264f34d813b157bc2b38db8b3e16e4b23779aa5cb2e4696723779d9c77f86d
Instruction Fuzzy Hash: E9416271E1031DEBDF11EAD8C881FEEBBBCAB15704F14406AE609B7280DB749A448B50

Function 01304144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01304225
LdrpResValidateFilePath Exit, xrefs: 01304172
LdrpResValidateFilePath Enter, xrefs: 01304160

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 58ff5b2c7b37472d90ce885da96eb64f2c063afc5c9d98ae9ede8813a68d9085
Instruction ID: fe3e3ee04d18c6cced57e313f3478d67163872a2337d7e09b1c68475d77ed87a
Opcode Fuzzy Hash: 58ff5b2c7b37472d90ce885da96eb64f2c063afc5c9d98ae9ede8813a68d9085
Instruction Fuzzy Hash: 81411132A112498BEB26DBA9C860BADBBF8FF55748F14045ADA01EB7C1D7349A01CB11

Function 012F4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 012F488F
minkernel\ntdll\ldrredirect.c, xrefs: 012F4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 012F4888

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: afd41acd4c67c7b7dd22a41f299eb21e7b7c3cf4f2e6f191b615436ed8c61f89
Instruction ID: 52a6e7b93db98898075a303695a2bab196c233bcb02f5c572ebc05f8649f9679
Opcode Fuzzy Hash: afd41acd4c67c7b7dd22a41f299eb21e7b7c3cf4f2e6f191b615436ed8c61f89
Instruction Fuzzy Hash: A341D032A202929FCB25EF18D941A27FBE8AF49A50F05057DEF4997365D7B0E800CB91

Function 01280BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 012D5449
HEAP: , xrefs: 012D543E
HEAP[%wZ]: , xrefs: 012D5431

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: f6a08debee2cf41474053b38f34d245e1d7288774ee16214a095d06a4540901e
Instruction ID: aa20d3d68b138d0d3989cf3e812c8183421f65afaa95ac5baae8af992dda1623
Opcode Fuzzy Hash: f6a08debee2cf41474053b38f34d245e1d7288774ee16214a095d06a4540901e
Instruction Fuzzy Hash: BD11D6313761429FD719EE18C441B7AB7B8EF40725F188129F406CB6D1E7B4E885C755

Function 012F20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 012F2104
LdrpInitializationFailure, xrefs: 012F20FA
Process initialization failed with status 0x%08lx, xrefs: 012F20F3

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: ba767517c7fa5329f81fdda4e229b983207a2d2598fb358efb4c79640f838451
Instruction ID: 5d5181b17dc936942c89529e454f68de0ad152c185697be097355111db46c091
Opcode Fuzzy Hash: ba767517c7fa5329f81fdda4e229b983207a2d2598fb358efb4c79640f838451
Instruction Fuzzy Hash: F6F0AF75660209EFE724E64CCC96FAA776DEB42B54F10006DFB0467286D2B0A9008695

Function 012803E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 012D4D8A

Strings

#%u, xrefs: 012D4D82

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: cd57012d72c00254d54a217b4b929aed45c31cfdd274a40439bca172cdec7863
Instruction ID: 31c5b3d640a165d4e9f538befce3437d6a454b962f044ee9accbcef0c88bd77e
Opcode Fuzzy Hash: cd57012d72c00254d54a217b4b929aed45c31cfdd274a40439bca172cdec7863
Instruction Fuzzy Hash: FD716D71A1114A9FDB01EF98C990BAEB7F8FF18704F144069EA05E7291E734ED01CB64

Function 0127A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0127AA25
LdrResSearchResource Enter, xrefs: 0127AA13

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: c6eb9a7136f2b0c7f26d555430f7cdf9274a1659e5cd33308ff4a5816d479519
Instruction ID: 08a64530c6ed91d5e9c7d7f78e71bcb912bb00097f373b5d08b431bb1033f6db
Opcode Fuzzy Hash: c6eb9a7136f2b0c7f26d555430f7cdf9274a1659e5cd33308ff4a5816d479519
Instruction Fuzzy Hash: 15E18371E2421ADFEB22DF98C981BAFBBB9BF14320F184425EA01E7241E774D941CB51

Function 0133A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0133A44B
`, xrefs: 0133A551

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 44c3623a934d9018224df7458266750a2dafde1abb37c969fc7a9beab0eac61d
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 85C1CF312043469BEB25CF28C841B6BBBE5AFD4328F084A2DF6D6DB290D775D505CB89

Function 012EE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 012EE75A
UEFI, xrefs: 012EE751

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: ced665c7678ea931493eb90cc867ea90c1457c5f83d5fe095c898e5f8aa503b4
Instruction ID: 454c9c8d506a46d8d0ebab998a716541ccc5066b7ee0d831a6ee19463036b028
Opcode Fuzzy Hash: ced665c7678ea931493eb90cc867ea90c1457c5f83d5fe095c898e5f8aa503b4
Instruction Fuzzy Hash: 83616B71E602099FDB19DFA8C884BBEBBF9FB58740F55402DE649EB291D731A900CB50

Function 013143D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01314525
@, xrefs: 01314437

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 4f8fadda07b628d374767356231a28d66687a61afcc1d7a8d3e209508a8e791f
Instruction ID: 0fea18e256a25f335d48261b9c6be7b5f1ba5118f1a9efe73c1918bd627a057c
Opcode Fuzzy Hash: 4f8fadda07b628d374767356231a28d66687a61afcc1d7a8d3e209508a8e791f
Instruction Fuzzy Hash: 94510971E1021EAFDF15DFA9CC80AEEBBBCEB48758F100529E611B7294DB309905CB60

Function 012704E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01270540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0127063D

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 8e08bc99245ff85e26709a578395bf31e2644c21f38552c2a348fe79f71e7220
Instruction ID: aa9f6d17a74dde1e753aa432d2dd4f7a0b8ebc26236a7cea135c7bbaa6d7b07a
Opcode Fuzzy Hash: 8e08bc99245ff85e26709a578395bf31e2644c21f38552c2a348fe79f71e7220
Instruction Fuzzy Hash: 8651BE715247438FD724DF69C4406A7BBE4AF86304F10883EF69A87241E770E549CB9A

Function 0127A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0127A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0127A309

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: c90bc5ac6897c01b936583c6fc200a337fdc065d1622154ba0abd55a6d597377
Instruction ID: 9def1e6ca3d86f7ebf986fa55a90f9b1cea9fcdff4df6b3e974ffc0f2375ce99
Opcode Fuzzy Hash: c90bc5ac6897c01b936583c6fc200a337fdc065d1622154ba0abd55a6d597377
Instruction Fuzzy Hash: 3B41D031A2464ADFDB25DF6DC840B6EBBB4FF84710F2840A9EA11DB291E3B5D900CB54

Function 012AA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 012AA5E4
Threadpool!, xrefs: 012AA5E9

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: bcae384d282ea500efe0cba78a8355e7b27090ba863868ef38c557c3bef15a92
Instruction ID: 0bed067025322aa4933b9af36f03359d2913f089b79964d196d7e89751b10fb2
Opcode Fuzzy Hash: bcae384d282ea500efe0cba78a8355e7b27090ba863868ef38c557c3bef15a92
Instruction Fuzzy Hash: 3501F4B2260700AFD311DF14CE46F2677E8EB94B25F008939F648C7190E374E804CB86

Function 0127C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0127C8C3, 0127CA40

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: da4838136cbe7d8113e4a942582a968e1fd87e61060d4bec4847889e123b8362
Instruction ID: c6a842babaaf66c1f2cecea69c1485923455efe0f53caf0eeb1fbd19e4813577
Opcode Fuzzy Hash: da4838136cbe7d8113e4a942582a968e1fd87e61060d4bec4847889e123b8362
Instruction Fuzzy Hash: A2826E75E2021A8FEB25CFA9C8807EEBBB1FF49310F148169EA19AB351D7709941CF50

Function 012F6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 012F65C1

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 896f105cea2b3715362e299c9db5a0e52550e29cf4b36d2c5610bb1c18da8d99
Instruction ID: b209b53d9dcf4c448fec80044e72f5299066a35bbc52b687daf129b373240862
Opcode Fuzzy Hash: 896f105cea2b3715362e299c9db5a0e52550e29cf4b36d2c5610bb1c18da8d99
Instruction Fuzzy Hash: 10917271A5021AAFEB21DB99CC85FAEBBB9EF14B50F100029F700BB190D675A900CB60

Function 012AA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 012E67C9

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 7be8dec54e1354f080506fbb370d8053a83a7525ad719ecc0af8d38080a26f56
Instruction ID: 3f66ca62b8df26f5cae24632a7ad8fd81bde739b280b5708060b979d03cf27c9
Opcode Fuzzy Hash: 7be8dec54e1354f080506fbb370d8053a83a7525ad719ecc0af8d38080a26f56
Instruction Fuzzy Hash: CA717EB5E2020A8FDF28CF9CC5956ADBBF1FF68700F54812EE605A7241E7709945CB60

Function 01314978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01314A7F

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 252678ee5f7c2366a069b9a058981f292ec91f3a7d37e4ab92bf759339219a09
Instruction ID: 4b0e91df486a85962ead33af58c5fe5e9f41fd240dc3da4a0e6e337888e3c28f
Opcode Fuzzy Hash: 252678ee5f7c2366a069b9a058981f292ec91f3a7d37e4ab92bf759339219a09
Instruction Fuzzy Hash: BB51A472D1022A9BDF18DF99D940ABEBBB8BF14B18F054129EA51BB344D7349D01CBE4

Function 0128E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0128E6A4

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: f0b670928cf644f728c55496a73d50a10251ab7ec45ae4c8005ba74060ecf4ff
Instruction ID: 5c5c08329b834c3f5ef7ba673e10fff21d7983ca014d3c2fb1af4dc9dc3531ca
Opcode Fuzzy Hash: f0b670928cf644f728c55496a73d50a10251ab7ec45ae4c8005ba74060ecf4ff
Instruction Fuzzy Hash: 2541C07252A3129BD714FB79C840B6BB7E8AF88B04F05092DFA94E71C0E674D904C797

Function 012EC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 012EC77F

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 9a717a231b6e4da74ed203edf7d308efb1623c4fe40ba2e9138d8cfd2d0d4d38
Instruction ID: fcedbf1e0c25c9424c9f2dfc29e08e15a14243a3f8abecf3b7f8e0c3a0f80fdf
Opcode Fuzzy Hash: 9a717a231b6e4da74ed203edf7d308efb1623c4fe40ba2e9138d8cfd2d0d4d38
Instruction Fuzzy Hash: 4C4165B1D1022DABDF21DA90CD84FEEB7BCAB45754F4045A5EB08A7140DB709E988FA4

Function 01306B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01306B91

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7f51e6cde41aa0e4701e3b478b8b895509f384a77ae215fb0b2239f0c5454f32
Instruction ID: c6bdea57b4ff5120f009fe6d3bbadc35099b1f1c76fa1a1d16d5b95208671ef5
Opcode Fuzzy Hash: 7f51e6cde41aa0e4701e3b478b8b895509f384a77ae215fb0b2239f0c5454f32
Instruction Fuzzy Hash: AC314871A007599BEF23DB69C8A1BEE7BF8DF44708F144028E941AB2C2C775D855CB50

Function 012ECA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 012ECAA2

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: c7a8960539a7e6e17b254e217a39518ab7c2fcdad22c937b21a9e9dd25920291
Instruction ID: 066238f4ad70d89374533ac5b1063d5ce2694c3b6bebeb0aa7cd569e67d1d5e7
Opcode Fuzzy Hash: c7a8960539a7e6e17b254e217a39518ab7c2fcdad22c937b21a9e9dd25920291
Instruction Fuzzy Hash: D0313536910506AFEF15DA88C849EBFBBB4EB80720F01402DEA05A7290E7309E10D7E0

Function 012F892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 012F895E

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: e6291dce1bcf2538889b85ab0e85033caf2b9c3227df73697dd0d1b2d288f600
Instruction ID: a55cecdb538e64d880e713e340d0f205f120869088e3d904e51ec6345b659169
Opcode Fuzzy Hash: e6291dce1bcf2538889b85ab0e85033caf2b9c3227df73697dd0d1b2d288f600
Instruction Fuzzy Hash: 9601F2322302069FEB206B59CC84F6AFB69EF95298F04103CF74106661CB30A880C7A6

Function 01312000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae00ea5b15503388db7079508ae67f6556b822040a5184b05b8b4030166de15c
Instruction ID: 966f3612b0b6e91e0b63d82c2b96697515cf43e8e6b62bde87dcdb57a20b5e6f
Opcode Fuzzy Hash: ae00ea5b15503388db7079508ae67f6556b822040a5184b05b8b4030166de15c
Instruction Fuzzy Hash: 1C42E5366083419FD729CF68C890A7FBBE5BF88348F28492DFA8297254D771D845CB52

Function 01308158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd7cd5dbcd7b9b5f8c1e869934f18d03bcb70e19626155dfea46c0ae8dfffa0
Instruction ID: 48aa57bee9fb83f302d10e66ee626f181145bf372002b93608f6e45360a4d1de
Opcode Fuzzy Hash: 8bd7cd5dbcd7b9b5f8c1e869934f18d03bcb70e19626155dfea46c0ae8dfffa0
Instruction Fuzzy Hash: F9428E75E102198FEB25CF69C891BADBBF5BF88314F1580D9E948EB282D7349981CF50

Function 01282840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96b3cb46c66f7a9cae69a53f9a7b413c35bd694d79a57f74e553c61e67c0deb
Instruction ID: 8129eba5890cc8f7e50a9bceb5c51c6ee9633bad676371604d3e3f0f18159fc2
Opcode Fuzzy Hash: f96b3cb46c66f7a9cae69a53f9a7b413c35bd694d79a57f74e553c61e67c0deb
Instruction Fuzzy Hash: B7320E70A207568FEB24CF69C8457BEBBF2FF84304F24811DD6869B284D775A845CB90

Function 0131A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6236b416e2274d8a5039a68786ccc6968e3fdd269dee6b9aa80116c723a05c3
Instruction ID: e1d16b8f3784ad6da9ef06fdc79d225ace195ff743314aef60237c5485c785ba
Opcode Fuzzy Hash: f6236b416e2274d8a5039a68786ccc6968e3fdd269dee6b9aa80116c723a05c3
Instruction Fuzzy Hash: 0D22C2702066E58BEB2DCF2DC054372BBF1AF4430AF08885AD9968F68ED735D552DB60

Function 01298DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff4804dd6633ddc0acc87a669b975f9a7a3088dee41cb83e591045ce3028a3f
Instruction ID: cf096202d6790673265b6ba1b8cb897cccf16a6d14d3207c0629b2eee6670a78
Opcode Fuzzy Hash: fff4804dd6633ddc0acc87a669b975f9a7a3088dee41cb83e591045ce3028a3f
Instruction Fuzzy Hash: 6C227F70E2051A9BCF15CF99C480ABEFBF6FF45314B58805AEA459B241E774DD81CB60

Function 01276A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37325713443ba07e9b5251d9a95a7410f06d00027ea24a507bbb05470c8299ba
Instruction ID: 04aa6c0cf6c3c9d11422005d4362c6f95a276ed9b5be90e426aa2593d00f133c
Opcode Fuzzy Hash: 37325713443ba07e9b5251d9a95a7410f06d00027ea24a507bbb05470c8299ba
Instruction Fuzzy Hash: B932D270A20606CFEB25CF68C480BAEBBF1FF48310F148569EA55AB791DB74E851CB50

Function 01294A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 231e159982e02a563af11329b5aa125eed61438222ba0c936d52d64572129472
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: CDF18071E2024A9FDF15DF9DC590BAEBBF5AF48714F058129EA05AB340E774E842CB60

Function 0130892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ec8e27bbccaffcc25a8c33966331b8e774168443417054638a6a60a7b3c507
Instruction ID: d67c9d65ab9a9e08235389b9b486a4e829c16040bdcc04b73a1855de5c513fdf
Opcode Fuzzy Hash: 58ec8e27bbccaffcc25a8c33966331b8e774168443417054638a6a60a7b3c507
Instruction Fuzzy Hash: 0AD1F571E0060A8BDF16CF58C861BFEBBF5AF84318F1881A9D955A7281D735E905CB60

Function 012765D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa01736cc4b87acfccfe44a017a30afbacc80e476842947bf62de0f685f1747f
Instruction ID: 68690ec07ea3ceebb14b8220acdf427e018285d370daa47d4e93ef4994fd5974
Opcode Fuzzy Hash: fa01736cc4b87acfccfe44a017a30afbacc80e476842947bf62de0f685f1747f
Instruction Fuzzy Hash: 04E1AF71618742CFD715DF28C090A6BBBE0FF89344F04896DEA9987351EB31E905CB92

Function 01268397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef18a2f6b4c2051fb97f250d746db7ea32de3b3f8c985057100eadb69cb207a2
Instruction ID: 1d4e7f9661197fa5e5d9ec01258bcb1e87d862455e6b174fbb2048336a3c521d
Opcode Fuzzy Hash: ef18a2f6b4c2051fb97f250d746db7ea32de3b3f8c985057100eadb69cb207a2
Instruction Fuzzy Hash: 9ED1E471A2030B9FDB19DF28C882ABA77A9FF54744F14462DEA15DB2C0E774D990CB50

Function 012F8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 5060dd85745fb9bf15640e92b665a4a861bff8b4ff35308010eb30ab2ee81d10
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: B1B16275A1064A9FDF24DB99C940AABFBB9FF84304F14447EAB0297790EB74E905CB10

Function 01280535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 2c26f48edac0d94ef38d5a316a5eac4661210e5c42c61363eef8736b43251151
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 87B14831621646AFDB25EB68C840BBEBBF6BF48304F180194E642D72C1DB70ED45CBA0

Function 012783C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a456878cde65e528a0472296797ae312516688d542b189beefd514195f4e44
Instruction ID: c0fe065ae5e81d911bc02823bdf8628a859889150252f8ec4e3655ff136008ca
Opcode Fuzzy Hash: 69a456878cde65e528a0472296797ae312516688d542b189beefd514195f4e44
Instruction Fuzzy Hash: EAC168746283418FD764CF19C494BABB7E4FF88304F44496DEA8987691E774E904CF92

Function 0126C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb64099ec67b51969397e07f5bc12d875a5d375d43fe2dc3a3e2d8e6e90c0aa
Instruction ID: ef14a96b33f4d8de9c9cd47e7ffd0c283a4ce2a67d7daa0307a7e5bf911359ce
Opcode Fuzzy Hash: 8eb64099ec67b51969397e07f5bc12d875a5d375d43fe2dc3a3e2d8e6e90c0aa
Instruction Fuzzy Hash: 64B17170A2026A8BDB34DF58D890BB9B3B5EF44740F0485E9D64AE7281EB70DDC5CB25

Function 0129E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9897368afedfc026e72a61db1db43a598793b5e6873bd1680a11472c456761bf
Instruction ID: 29ce130b53a6b963d1e911b914245151ff63f9a511c5bff8cdcaa09e7d7da3f1
Opcode Fuzzy Hash: 9897368afedfc026e72a61db1db43a598793b5e6873bd1680a11472c456761bf
Instruction Fuzzy Hash: 85A12431E20256AFEF21DB9CC944BAEBBA4BB04754F060125EB01AB2D1D7B4AD41CBD5

Function 012B0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5352b814771d6f88f6ff3f8e0517c1ad291e5f2cacf2d87a82a2d36a7577472a
Instruction ID: 786b86ca88c3dc8871d3c1f8fe007297d63cc94b3e5fbe6dbe073becbdac6f93
Opcode Fuzzy Hash: 5352b814771d6f88f6ff3f8e0517c1ad291e5f2cacf2d87a82a2d36a7577472a
Instruction Fuzzy Hash: 4DA1DF70B206169FDB26CF69C9D4BEAB7F4FF44358F04402AEA4597281EB78E841CB54

Function 01344500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8576ad6e4845d3a8033e6ef36047ed77f516a1720464b721a7d10b45c492f9cf
Instruction ID: 1354f48c5e692618420a0545ce416790d4b3d4de5194e1408457b7690dd56d14
Opcode Fuzzy Hash: 8576ad6e4845d3a8033e6ef36047ed77f516a1720464b721a7d10b45c492f9cf
Instruction Fuzzy Hash: 38A1DDB2A11212DFD712DF28C980B6ABBE9FF48758F054538E5899B661D734FC01CB91

Function 012F60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a499e4efa5756a43faebdddd3a9667d29c8b52071c44d2df655de34f518491ac
Instruction ID: 915c575ebd31d79d2467817ac205c891777c9b58e008ba732c56426e7a7c7d5d
Opcode Fuzzy Hash: a499e4efa5756a43faebdddd3a9667d29c8b52071c44d2df655de34f518491ac
Instruction Fuzzy Hash: 52917F75D1021AAFDB15CFA8D894BBEFBB9EB48710F15416DEB10AB341D734D9009BA0

Function 0128E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47b89f85ff02501a98f0cce813f476948d22ffad4a5617244840d6d607b7f58
Instruction ID: 7861afd4a7af0013000d9604e02e8ca0b081925f2799b29b1e9934556be326ae
Opcode Fuzzy Hash: d47b89f85ff02501a98f0cce813f476948d22ffad4a5617244840d6d607b7f58
Instruction Fuzzy Hash: 81913471A22212CBEB24EB5CD441BB9BBA1EF94718F068069EE05DB3C1E678DC41C761

Function 012C6ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0836cebbee89efafc86ad0c69d8dd41ddf93be68e8a885bbae10e33ffbcfe3ae
Instruction ID: 957ee72f90131f1611275324bb6217d36a80fcd159133fe619709ed2ac95aace
Opcode Fuzzy Hash: 0836cebbee89efafc86ad0c69d8dd41ddf93be68e8a885bbae10e33ffbcfe3ae
Instruction Fuzzy Hash: C3819471A106169FDB18CFA9D980ABEBBF9FB48B00F14852EE645E7740E334D941CB94

Function 0133AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 76cfeb16e07f060c3a0166697d0fb6310d685dd99942de6bea48d1a7d47a795d
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 3C817C31A0020A9BDF19CF98C890AAEBBB6BFC4314F188569D956DB345DB34EA01CB54

Function 01266D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f8fdd151d98de2feda7dff81eb2e0cb5783ecf8e3fbab684ca82db1c9e043d
Instruction ID: 1d8f1783ad7704d2130cd672e079a4286e4ad46f340970946596166c5bac0315
Opcode Fuzzy Hash: c8f8fdd151d98de2feda7dff81eb2e0cb5783ecf8e3fbab684ca82db1c9e043d
Instruction Fuzzy Hash: D37181716243439BDF21DE19C980B6AB7E8BB48B58F044A2EEB55D7240D730E9D4CB92

Function 012AE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f368c88ed153337481a5ae9197b1ad07bfa9c624ecef522791eecf70e865ac6
Instruction ID: 211a9a00615058815263a2edb18cc0112f118522a75f5c4c29a0118d7ec13fad
Opcode Fuzzy Hash: 7f368c88ed153337481a5ae9197b1ad07bfa9c624ecef522791eecf70e865ac6
Instruction Fuzzy Hash: 98818071A1060AEFDB21CFA9C880BEEBBF9FF88354F514429E655A7250D770AC45CB60

Function 0128C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3062166422f9c402536288c8c8c9779b617d033a3296561e55e2ecc4bbe6b450
Instruction ID: cabf03261f9cc3b75dab4bd11f04d84ce5e8dcbed4c2534dd5da925b0ff69dff
Opcode Fuzzy Hash: 3062166422f9c402536288c8c8c9779b617d033a3296561e55e2ecc4bbe6b450
Instruction Fuzzy Hash: A771C075D25266DFCB299F68C8917FDBBB8FF58710F14416AE942AB390D3709810CBA0

Function 01308D6B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c9a64a101ebf46c32d48161f9461b58deb92e8c8de12fa148d7e840aba52eb
Instruction ID: 056620bd182cffefd08533c14be428af153f94a5e11ff261f19ae9920ed75ff8
Opcode Fuzzy Hash: a8c9a64a101ebf46c32d48161f9461b58deb92e8c8de12fa148d7e840aba52eb
Instruction Fuzzy Hash: 9971C270D042569FDB16CF69C850AFABBF5EF45308F0480A9E998DB291E335EA45C7A0

Function 0128260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5534fdf2b43e72f57b3237607d6e2a3a42fa783d179c9091d6226e631eee50a
Instruction ID: cc7fcd514d0fdcce42c31c08ff14e1e47707cab3224a328544ad27fb2acd8c62
Opcode Fuzzy Hash: d5534fdf2b43e72f57b3237607d6e2a3a42fa783d179c9091d6226e631eee50a
Instruction Fuzzy Hash: B671E031625252CFD315EF2DC480B2AB7E5FF84314F0485AAE999CB392DB74D846CBA1

Function 012F035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 58016c2b60ba125f9462130e42c47173d300741d7b8fbc7e32941b823d27053d
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: EE717F71A1061AEFDB10DFA9C984EEEFBB9FF48700F104569E605A7291DB30EA01CB54

Function 013062A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64da7fb61e383c4cb3f3c54a929683efd19d6722a60024a80b6facfc15e022e5
Instruction ID: 9699e20b21e91dfca15d1854fbe3733a99733768a30918b8ecbca08255737cb7
Opcode Fuzzy Hash: 64da7fb61e383c4cb3f3c54a929683efd19d6722a60024a80b6facfc15e022e5
Instruction Fuzzy Hash: EC7101B2200701AFE7239F18C866F66BBE6EF40768F154428E255976E5D770E854CB50

Function 01278AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c84800964e76b370bcfca25bcf13211e0c94bac6586d41cacc8fcfa5b2b7c3
Instruction ID: f03a8dc857f991f0d716d89bcb806e4fca6aa644fefdb4ab63fbd1d3ff0d59da
Opcode Fuzzy Hash: 10c84800964e76b370bcfca25bcf13211e0c94bac6586d41cacc8fcfa5b2b7c3
Instruction Fuzzy Hash: E281C072A24316CFDB25CF9CD588BAEB7B5BF48310F15912DEA00AB295E7749D40CB90

Function 012ACDB1 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e218743b85675381692e1bfb855ca3afc3f19565cbf8272bdac1e73606869bd
Instruction ID: af1a069d2a0950e18792a43dd250c8c141de1db9dc7f6b6e1183eb977fd00100
Opcode Fuzzy Hash: 4e218743b85675381692e1bfb855ca3afc3f19565cbf8272bdac1e73606869bd
Instruction Fuzzy Hash: 9A61BF71A20206DFCB19EF68C985ABEB7F5FF08314F548169E611EB391DB309911CB90

Function 01338DAE Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341423539b5922230d537730cae369dba08c9e2e795cc882d30414c6bb488278
Instruction ID: 8bd17187d20fc92c1ed202c04ba069c87428d3eab400bd2ab58bb2cd82d204e4
Opcode Fuzzy Hash: 341423539b5922230d537730cae369dba08c9e2e795cc882d30414c6bb488278
Instruction Fuzzy Hash: DA51E5716043029FD711DF28C840BAAB7E5FFD4358F044A6CF98997291D774E909CB99

Function 012AE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f7648ac3974283fb43e890646130c49a09f1cda7ef5995a89e9ef5c0b41a42e
Instruction ID: b84f4260921f96a600a9ffba9bd750ebbdd6089698b5d17e09fa09c4cbc47083
Opcode Fuzzy Hash: 0f7648ac3974283fb43e890646130c49a09f1cda7ef5995a89e9ef5c0b41a42e
Instruction Fuzzy Hash: 4D518D71220A06DFCB22EF69D984EAAB7FDFF14784F81042AE64197260E730ED41CB50

Function 012945B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 73fa0458f4d2c9e7584c2e9788e4fd2c15e174bcc27d2e7bb09f7b9f027e96d5
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 5851AE71E1024EAFDF19EF98C550BFEBBB5AF45750F04406AEA04AB240D734D945CBA0

Function 012FE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: cdc5a021a46bc70d2a0f5eb95651ce7e635344004772cbb6d07f2ca5da93a86a
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 9751943192020EEFEF129E94C895BAEFB75BB00364F1746799711672A0E7709D4487A0

Function 01338B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b599b80f9a5204c820beb1a1c1556bfea656352eceaeec1ad7d5a67da82fb91c
Instruction ID: c8294d994296b8fa9e13869b4e156bdfc4327ede428637effb87592036bb5d47
Opcode Fuzzy Hash: b599b80f9a5204c820beb1a1c1556bfea656352eceaeec1ad7d5a67da82fb91c
Instruction Fuzzy Hash: F04116707056029BDB29DB2DC894B7BFB9AEFD0228F188798F95587290DB34D901C798

Function 012FCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd6ff683b8149210987a9210081db3d86ca45a2270d77f63a645ac526d08aa2
Instruction ID: 314574c412186b52af394b12e9d4101172e6af953bae736c200aacff8ce2bc32
Opcode Fuzzy Hash: dfd6ff683b8149210987a9210081db3d86ca45a2270d77f63a645ac526d08aa2
Instruction Fuzzy Hash: 51518FB191021ADFCB20DFA9D580EAEFBB9FF48754F118529D606A7744D730AD11CB90

Function 012AA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597eddd5c5a2890313499c83de6b3a8e69965e8e28f2a9be1582c1f0ef8299af
Instruction ID: 6ce5cd7aa7159e5082cd52e8c9169573fc4a46b12dc5d224a540ea5e87a90d92
Opcode Fuzzy Hash: 597eddd5c5a2890313499c83de6b3a8e69965e8e28f2a9be1582c1f0ef8299af
Instruction Fuzzy Hash: 9B411B71770216DFDF25EF68E881B7A37A9EB68B08F80402DFE059B251D7B19810CB60

Function 0133A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 678e2dd58ea8f1da112bc9f7fa31e81dba81263c7a872723351859fdc0c70c66
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 7941FA726117169FDB29DF58C980A6AB7E9FFC0218B05462EE992C7740EB30ED05C7D4

Function 012A01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bffc98465a36b8dfbaf363228d0105b1cbcc534af439eae811223d134899584a
Instruction ID: 8196a49e6aae6cc13f319f5539a0627afe5a6810e749254465ea8f05d4c126f5
Opcode Fuzzy Hash: bffc98465a36b8dfbaf363228d0105b1cbcc534af439eae811223d134899584a
Instruction Fuzzy Hash: 2541BC36A2121ADBDB14DF98C440AEEBBB4FF48B10F94816AF915F7240D7759C41CBA8

Function 0129EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109355b93626dc2432af899553560cb3bc9f386d70f2a8499a5ca5d5320e5dbc
Instruction ID: 6c2ae06a8e27128187748299c8f54b8132c2b0d0905c7034cd667232c3560de1
Opcode Fuzzy Hash: 109355b93626dc2432af899553560cb3bc9f386d70f2a8499a5ca5d5320e5dbc
Instruction Fuzzy Hash: AA41C6B12243429FDB24EF2CC880A6BB7E9FF48224F014829E697C7651DB75E845CB64

Function 012B2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 55f60179a1c56320631e675cb8fa909dae17d4309264725d121fd27ff82a8aa3
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 38514875A10216CFCB15CF98C484AAEF7F2FF84710F6481A9DA15A7351D770AE42CB90

Function 01276154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81dbcfaebcdf3ac2981024ed67d67982dd540633849ef6de39134b4546e19ee
Instruction ID: 7c4fa37633a48a4d6b324fe4b61af6e073c17727689e10d4eede7ef8d1a3c83e
Opcode Fuzzy Hash: c81dbcfaebcdf3ac2981024ed67d67982dd540633849ef6de39134b4546e19ee
Instruction Fuzzy Hash: B35126B0920607DFEB259B28CC01BFABBB4EF01314F0482A9D225A76D1D7749981CF40

Function 01270BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b65a2882ef0e0d83e8b2eb08af5a9b75d1e1f596457cc3cb9c70162e6c5e0b
Instruction ID: 3a44e8da91eeb5f9ff42da2ec77ab6a06131179e4b3c9bd039b97be172a9e404
Opcode Fuzzy Hash: b7b65a2882ef0e0d83e8b2eb08af5a9b75d1e1f596457cc3cb9c70162e6c5e0b
Instruction Fuzzy Hash: 26418571A602699BDB21DF68C940BEE7BB8EF45B40F0101A9EA08AB241D774DE84CF55

Function 01270D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175075f2ea92b91737cd685d56f1d4e971eb89691d4d32df92fe5b68b24b32e6
Instruction ID: 61cd063177457034f4adcf6bfa2a008c4869c6c67b65c644469afc282216b62d
Opcode Fuzzy Hash: 175075f2ea92b91737cd685d56f1d4e971eb89691d4d32df92fe5b68b24b32e6
Instruction Fuzzy Hash: 874126716203159FEB31DF28CC81FAB77AAAF56740F0008A9FA459B281D7B0ED44CB55

Function 0133866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 977eb1d10d09f3911ab5369ac6751346bc050a7005e8fba98acef1c3cd286144
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 7D41D775B00105ABDB15DF9DCC84ABFBBBAAFC8618F1441A9F60097341D674DD01C7A4

Function 01270887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af08eadc95c81c8f0be1494f85da8cd497363dd1ada490e5d4918c2f2a5cfef7
Instruction ID: 0ea909fbe13e2003d77221fec3e94da0e0ab5edd74ae4d81f817e5e961de0721
Opcode Fuzzy Hash: af08eadc95c81c8f0be1494f85da8cd497363dd1ada490e5d4918c2f2a5cfef7
Instruction Fuzzy Hash: 5A41D3B0620702DFE325DF29C480A23B7F8FF4A714B108A6DE64787A51E770E849CB58

Function 0129A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b476539feb28ee71bad47916adfb752d91f19be8f676ad13b87a332eba084b41
Instruction ID: 3b83d8bbdfba388ef82cf6dc547ce2aee06f3ced7aa81fa6e64fa248a858aa51
Opcode Fuzzy Hash: b476539feb28ee71bad47916adfb752d91f19be8f676ad13b87a332eba084b41
Instruction Fuzzy Hash: 0E41B832E65306CFDF21DF6CE8857AD7BB4FB18324F044169D511AB2A2DB749904CBA0

Function 01278BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7db19e26056c1b8eb087f8f01f77ab3674a818ad284afd693e80409dee6b06
Instruction ID: e9e64abf1b51a5bd8a5ed0636dc071e76aadc2554eaa5875bd04572c4f16b27d
Opcode Fuzzy Hash: 8c7db19e26056c1b8eb087f8f01f77ab3674a818ad284afd693e80409dee6b06
Instruction Fuzzy Hash: 8E411232E21202CBD729DF58C888A6BBBB9FB94704F15C12EDA019B265D775D842CFD0

Function 01268918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e3882aee6820e4fbf0daabded6c43304a4e7e31e47a5431f088342c485b840
Instruction ID: 8b0e285c58666c1fe8e9e103de90032d7fd3a5ee0e458ee02e49b2c317f37bbd
Opcode Fuzzy Hash: d1e3882aee6820e4fbf0daabded6c43304a4e7e31e47a5431f088342c485b840
Instruction Fuzzy Hash: 6D4193315293069ED312DF69C841A6BB7E8FF84B94F00092EFA80D7290E770DE448B93

Function 0126A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: d702d72adb47fe468e1de3ae4dd1b0cacc113cfe9b1f649bbef94ff1ba47b256
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: EA413B31A20213DBDB21DE2884427BABB65EB54B94F15816EFB45AB3C1D6739DC0CB90

Function 012709AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9f27f42a2616ebef436b31460b70ffdf1ae63f4e132cc23c5c022bd674e69d
Instruction ID: ca90ca7f745ac870d2cfb1a74bab5ed17c1bbe74af351e585786f66fdb461c1a
Opcode Fuzzy Hash: 5c9f27f42a2616ebef436b31460b70ffdf1ae63f4e132cc23c5c022bd674e69d
Instruction Fuzzy Hash: 4A419AB1621702EFD321EF18C840B27BBF4FF55714F20862AE6498B291E770E946CB94

Function 012A0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 5717795d77f1b652302bcb37a30e436a3f79c6cd0f9b5f1cb94f0aac4dcaaf43
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 91417E71A10705EFDB24CF98C980AAABBF8FF18700B50496DE656D7690D730EA44CF98

Function 0127262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f68df02df3ad8ecb7335f92d69c84f4f1463d4198fa7cc6f495b9d592337a9e
Instruction ID: 06108bc15fa8bf1aee8c781365ea81eb27016304468cbd2141fb9e2bcfd3196b
Opcode Fuzzy Hash: 6f68df02df3ad8ecb7335f92d69c84f4f1463d4198fa7cc6f495b9d592337a9e
Instruction Fuzzy Hash: E341F8B1521702CFC725EF29CA41766B7F6FF44714F10825EC6169B2A1EB70A941CF51

Function 012AC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197f5b1db0d74b7b642c43dd5e22defe36804354b8f10f22e950b9dc4e277903
Instruction ID: f364d96183991ff1ed4729b40d926885b6ec4615c27357be921c9be8e569e92e
Opcode Fuzzy Hash: 197f5b1db0d74b7b642c43dd5e22defe36804354b8f10f22e950b9dc4e277903
Instruction Fuzzy Hash: F8318AB2A11346DFDB11CF98C5407A9BBF0FB09724F2081AED219EB291D3769902CF90

Function 012F07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c654684297569d09d3a8d026c93ba477d58b2b1598533dfdbd11694648eed7ab
Instruction ID: 9f1b75c7458c2189f8620710e3ba69759d5e12551ea5563cc88e279696223b86
Opcode Fuzzy Hash: c654684297569d09d3a8d026c93ba477d58b2b1598533dfdbd11694648eed7ab
Instruction Fuzzy Hash: A9418C715243019BD760DF28C845BABFBE8FF88764F008A2EF698C7251D7709804CB92

Function 012F05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157dbc53f26c3c20c7ad5fcb13c1ac5cb841946090954365fcac072a42ecb1b2
Instruction ID: cbdadc9fcc09791edf63eff3050dddb7d668ee226a1392deaaac342fc2f1d716
Opcode Fuzzy Hash: 157dbc53f26c3c20c7ad5fcb13c1ac5cb841946090954365fcac072a42ecb1b2
Instruction Fuzzy Hash: C041C4726146429FD320DF68D880A7AF7E6FFC8700F14462DFA5597681E730E904C7AA

Function 01274859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f5cf5c60b31807708c5d6c35c35daa8baf7e2f6fd36a5ef49c10fb33c5f4fb
Instruction ID: 9b8bdd2f03be2eea96e4667ebb12acab52826ecffc5b1b4267858d8137013040
Opcode Fuzzy Hash: 02f5cf5c60b31807708c5d6c35c35daa8baf7e2f6fd36a5ef49c10fb33c5f4fb
Instruction Fuzzy Hash: 5F41C070220346CBD725EF2CD884B3BBBE9EF80364F14442DEA458B2A1DB70D911CB91

Function 012802E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: ee85547a5bdd13393181f5460007f54404ade6421abc3523d67759fb86a07a95
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 9B311631A25245AFDB12AB68CC40BABBFE9AF14350F0441B5F855D7392C6B4D888CBA4

Function 01274260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7d9a1b079be640eb5870e4ae8250f903624dc046298621ebe2605331bc0e66
Instruction ID: 097a43e377bbd9bd4143c69908c5d067f5b6c7a114b98061a1d1e548fa3de357
Opcode Fuzzy Hash: 1c7d9a1b079be640eb5870e4ae8250f903624dc046298621ebe2605331bc0e66
Instruction Fuzzy Hash: C341BF71221B46DFD726DF28C885FE77BE9BF55354F108429EA998B260C770E840CB94

Function 01310DF0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
Instruction ID: a8dfb475225199db84a539b3e4dce45c7a4c45753df4cda3f771ead44fb5c5dd
Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
Instruction Fuzzy Hash: E831E472105709AFD71EDB15CC41E6BBBACEB90664F04452DF95497250E670EC44CBB1

Function 012EEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b037f8cf23a583670cba0570d92ab3c548035a002f45afad9ff5b1e8b9064131
Instruction ID: 1d438a76d8a93133b7d6fd47e1b040135185723ad4d311304774f37240931a4b
Opcode Fuzzy Hash: b037f8cf23a583670cba0570d92ab3c548035a002f45afad9ff5b1e8b9064131
Instruction Fuzzy Hash: 7B31F7317216839BF7329B5DCD4CB25BBD9BF40B44F5E00B8AB458B6D2EB68D840C225

Function 013361C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37894d1955f62886e27c48a43bb955bb2d182af35e235f238dbad570701c41e7
Instruction ID: bbebbc1075de76ba8aa9d2b8e2c168a7da21b62604b2a21134076fc0f5f64707
Opcode Fuzzy Hash: 37894d1955f62886e27c48a43bb955bb2d182af35e235f238dbad570701c41e7
Instruction Fuzzy Hash: 8631D4B5A00156BFDB15DF98CC81FAEB7B5EB84B44F464168E500EB244D770ED00CB94

Function 0131483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12dcb574223ae423767da5135551578809f6a48e476bc8b6ba6fcd1b05223a5b
Instruction ID: 4970d2cfcaae11486d7249a59d0e5714bba8f3c2ea4c334f3cfce322306d27f7
Opcode Fuzzy Hash: 12dcb574223ae423767da5135551578809f6a48e476bc8b6ba6fcd1b05223a5b
Instruction Fuzzy Hash: 6C316576A4112DABCF21DF54DD88BDEBBBAAB98354F1400A5E508A7254CB30DE91CF90

Function 0129EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084437a3b5bd379883d643fe7d0c51e88497f9b3e782be2a2603326b4367c54b
Instruction ID: 77fe6b743d8e9ece15045b9856f28e95e8107d372183329f75197c70df373636
Opcode Fuzzy Hash: 084437a3b5bd379883d643fe7d0c51e88497f9b3e782be2a2603326b4367c54b
Instruction Fuzzy Hash: C731B572E21219AFDB21DFADCD40AAFBBF8FF04750F118425E616D7250E6709E008BA0

Function 013360B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cad182d02fdcdd3b671d2406eaaf36728fc8ab5f5c861ba4983aabc8eb17458
Instruction ID: 7484425c37cf8f8eaa4c5187dad17a8cacfafc76a867e32938be39246722d8e3
Opcode Fuzzy Hash: 9cad182d02fdcdd3b671d2406eaaf36728fc8ab5f5c861ba4983aabc8eb17458
Instruction Fuzzy Hash: E631D6B1A00616FFD723AF99CC51B6AB7F9EF84758F104069E505EB392DA30DE008794

Function 012707AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 805ac788da8c790a79eb7699e27458cd69c80fe953629df004cb6cf6bad03222
Instruction ID: 05e74be2d0e86fc182b0476ffd7f55fe2eec2f5f1b5b1ee08797a4b9bd2909e5
Opcode Fuzzy Hash: 805ac788da8c790a79eb7699e27458cd69c80fe953629df004cb6cf6bad03222
Instruction Fuzzy Hash: 60312772A24313DBC712DE68C880E7FBBA5AF95650F02452DFD5597310DA30DC1987E9

Function 01278550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277416fff09f04d809294dbed65e8cdc9f9a7dee1d648a516a7812852512c509
Instruction ID: 8c3a6c9471fa8052fc130498585f71f09014866047ecf2b5031967c1e63226b6
Opcode Fuzzy Hash: 277416fff09f04d809294dbed65e8cdc9f9a7dee1d648a516a7812852512c509
Instruction Fuzzy Hash: 66317CB1629302CFE720CF19C844B2BBBE5FF98710F05496EEA8497251D771E844CB96

Function 012AA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 9166d328795112abe4a3d4cbda6ce89ba800d32d83f0e5ca80fe393b5a36381a
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 87312CB2B10B02AFD765CF69CD41B5BBBF8AF18750F44452DA69AC3650E630E900CB60

Function 0131EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a9a13731caadcc04801617b4756c96486ca0f99a47b71945f3cd732b59f39b
Instruction ID: ea5c44e635526c0317bcb409f46ae7735ed4edd2efdb4a4301afb6dd80ad7c4d
Opcode Fuzzy Hash: 25a9a13731caadcc04801617b4756c96486ca0f99a47b71945f3cd732b59f39b
Instruction Fuzzy Hash: 3031AEB1505302CFCB1ADF19C94095ABBF5FF99718F0489AEE8889B359D332D944CB92

Function 0129438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687bb7e646abdec5cc0398e234d01d99f06d71e562c09b270f3242a758992802
Instruction ID: 09a48c8cb80ce5ca758b798a22addd77fdb4514586f7716bedb7354d4e520701
Opcode Fuzzy Hash: 687bb7e646abdec5cc0398e234d01d99f06d71e562c09b270f3242a758992802
Instruction Fuzzy Hash: EF31D471B202869FDB20EFBCCA81A6EBBF9EB94744F008529D605D7294D730D942CB90

Function 0126CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: e20b50b9060e47696f3c1dc7c9935cd6a2ca61e3a94a766f148995bac5479b80
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 06210932E6165BAADB11EBB98811BBFBBB9AF54740F0581399F55E7380F270C9408790

Function 0126C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a9ea629a6898c8dae50d8e33d8452100b3f35e0d8778ea475a2d7c17cfc5ce
Instruction ID: 5c5992421b0eae536b8ec67dc0f07b53c26b7ba15d5d5460c14c1f77d887b8ab
Opcode Fuzzy Hash: 36a9ea629a6898c8dae50d8e33d8452100b3f35e0d8778ea475a2d7c17cfc5ce
Instruction Fuzzy Hash: 013169B15102068BD724AF68CC41BB977B4EF40714F54C2BDDB8A9B382DA34D886CBE0

Function 0132C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 2210f5aa5cbfd23b50a16ffacebde69a12fae690a09001a39eb23172993a5427
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 3F217536A0066277CF16BB998C00EBFBB74EF50714F80941AF65597691E634D940C3A0

Function 0126E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfdf5cfcb4c7bc04c5f67104a4e92e41bf719fb203a234ee24ec08c1f067cfc
Instruction ID: d390e79548212ccbd1b4e35dac0f6cdf784dc5dcfbeb3c6d215653459d955052
Opcode Fuzzy Hash: 6bfdf5cfcb4c7bc04c5f67104a4e92e41bf719fb203a234ee24ec08c1f067cfc
Instruction Fuzzy Hash: CC31D635A2112D9BDB31DB28DC81FEE77BDEB15740F0200A1E645A72D0D6B49EC08FA0

Function 012A4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 51d68a960a6b4326ad74042ed5d8d641621e104799f18be9eef31151cefbac4d
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: C021A371A10649EFCB11DF58C980A9EBBB5FF48714F548065EF159F241D6B0EE05CB90

Function 012A44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565129b451e759095d642a89733a53be3a8ee76ce8971de577f494113e5dedb9
Instruction ID: b3becc41a5082defe1e603d69dc8760be94fd8a70d016c60eef5699eb41a29b4
Opcode Fuzzy Hash: 565129b451e759095d642a89733a53be3a8ee76ce8971de577f494113e5dedb9
Instruction Fuzzy Hash: 5921D472624786DBCB21EF18D480F6BB7E4FB98750F444919F9849B241C770D9008B92

Function 0126E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 35990eac13c6579e107b47435f51f4ca9dfc8e69ecdb920a86e1aa5ee7a428f5
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 2831AB35620645EFDB21DF68C884F6AB7F9FF85354F1145A9E6128B280E770EE42CB50

Function 012EE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f86c5c33851c22751adcbe4b4adc752d275cbf35ebf2a5e721e659cf21f54e
Instruction ID: 224db280a33b62abf75c3d2359feb4f68567800bd44c7213c493fb508591291a
Opcode Fuzzy Hash: 62f86c5c33851c22751adcbe4b4adc752d275cbf35ebf2a5e721e659cf21f54e
Instruction Fuzzy Hash: 2831BF75620206DFCB14DF1CC8899AEB7F9FF84304B568459E90A9B3A1E770EA40CF94

Function 01278D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 8cae6b19adde958230cf2431e8ca94c4942fb5b0a91f8b52255cb159ef8669a9
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: 87210331631682DBE726DB2CD919B767BB8EF50750F0900A4DF42976D2E7B4E841C220

Function 012F06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3226e00be4fec041fc409708f95c8213e69626901ac5e0d3a2a192f4f8c3c1
Instruction ID: f838739f90c8e0ae9e5a4cf7bd32f6127f679388fd317732d900426c13faba27
Opcode Fuzzy Hash: 5a3226e00be4fec041fc409708f95c8213e69626901ac5e0d3a2a192f4f8c3c1
Instruction Fuzzy Hash: 68219E71A1012A9BCF14DF59C881ABEF7F8FF48740F504069FA41AB250D738AD41CBA4

Function 012F019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8149090e30fb933218548de1805aca518a2795fca92028001d1777041e03ed2
Instruction ID: 1b97cb35025187b3b9cb9ec2f535fd0139e7a104b81aa989cb5cbd842954c0f8
Opcode Fuzzy Hash: b8149090e30fb933218548de1805aca518a2795fca92028001d1777041e03ed2
Instruction Fuzzy Hash: 7D218971620646ABD715EB6CC880A6AB7A8FF58780F144069FA04DB6A1D634ED40CBA8

Function 012F0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e63c18b63474c1e36fb0f0723b8b3a058e872c8b7a8366af7a0189339ea2d05
Instruction ID: f68efd836ce26d0cebb4ce538837c39a4363012358a759874da81093c845b55a
Opcode Fuzzy Hash: 5e63c18b63474c1e36fb0f0723b8b3a058e872c8b7a8366af7a0189339ea2d05
Instruction Fuzzy Hash: 8421F1729252469BD711EF5DC944B6BFBDDEF90640F08046ABF8087262D730D904C7A5

Function 01292835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ac86dde8c345879f0715fadc623552f19e74712246d501be12d65e069d68ac
Instruction ID: ff5aa2d639aadcdb011e328c6257528bdd81ebf709b96d5a8e177ddf40fe0549
Opcode Fuzzy Hash: 90ac86dde8c345879f0715fadc623552f19e74712246d501be12d65e069d68ac
Instruction Fuzzy Hash: 8221FC31635682EBE722976CDC08F247B95BF41B74F2803A4FB209F6D2D7A8D8018151

Function 012AA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6214ae637a383fa4910fab19efc5d58a330431a05259a82266f71ca2ceb58306
Instruction ID: 7286294777d25f67dffb661b884296e8733ac41981a767f642efdeb20ba9a0b7
Opcode Fuzzy Hash: 6214ae637a383fa4910fab19efc5d58a330431a05259a82266f71ca2ceb58306
Instruction Fuzzy Hash: 8421AC752216029FC725EF29CC01B56B7F5FF18B44F148468E609CB762E371E842CB94

Function 012F0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af09a1ee75cd0d454e418fab4d45cccecf8524cc46365e96a5acc6d86c9b578c
Instruction ID: 445ed8612afab21abbe653ece8da5882046413c0686661ecf56dd8630138178d
Opcode Fuzzy Hash: af09a1ee75cd0d454e418fab4d45cccecf8524cc46365e96a5acc6d86c9b578c
Instruction Fuzzy Hash: 3921F8B1E10209ABCB20DFAAD8819AEFBF9FF98B10F10412FE505A7255D7709941CF54

Function 013080A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 39958f6c16fade490fc79ade3be0d15115de3559ab24c98a42211b4eda6b090e
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 53216A72A00209EFDB129F98CC40BAEBBFAEF88314F204459F944A7291D734D9518B50

Function 012A0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: de8dcdad4728817b3ab507b01fc095dfff7ba1ab8aff92125e96cb4407fedc96
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: C111EF72611606AFE7229F48CC81FAABBB8EB80754F100029F7009B180D671ED44DB64

Function 01278770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0274d1b53b2162f634278e1d598260425d753a007f52dcd8e32ecdf9eee054
Instruction ID: 2dd43b5c0f9d2b6bd3920dad82229aa981240eb6387724727fe8911e86410034
Opcode Fuzzy Hash: 6f0274d1b53b2162f634278e1d598260425d753a007f52dcd8e32ecdf9eee054
Instruction Fuzzy Hash: 9B11EF3A7206129BDB19CF5DC484A27FBE9AF4A750B18806DEE099F205D6B2D9018790

Function 012AAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 2f31a14f182c4167af84c705424f2dce82038d7e5ce6d2763008000d9c49b8ee
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: E7218B72620642DFDB31DF49C540A66FBE6EFA4B10F55887DE64A97A20E770EC01CB80

Function 012780E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4b788afe884a95072ab3b93de72a30540561c88450b6c479f1305f3c0540ab
Instruction ID: a4e7f3b81902715671413dbbd196751d1f4cf3b1e684001b1e75e2d464c7d815
Opcode Fuzzy Hash: 4f4b788afe884a95072ab3b93de72a30540561c88450b6c479f1305f3c0540ab
Instruction Fuzzy Hash: 90216D75A10206DFCB14CF99D581AAEBBF5FB88318F24816DD205AB351CB71AD06CBD0

Function 012A674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02355c0987c7d3a77509c91eddb41d08895d5187dcfd6c43a342719006c7e46b
Instruction ID: 2c0279727dde6927dc35062e7de46cd0baf8a1c30ea5023db318a584d60e52b8
Opcode Fuzzy Hash: 02355c0987c7d3a77509c91eddb41d08895d5187dcfd6c43a342719006c7e46b
Instruction Fuzzy Hash: 37218E75520A01EFD7249F68CC81B66B7E8FF44350F84882DE5AAC7250DB71A850CB60

Function 01306870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8615b83c697b1d827efa6d92a4c15bff3cffec550e3e339b19b47a21a22dbf1
Instruction ID: 72668d6824092b440248513442e77249232dc4e282356e42a78c23c1f410752c
Opcode Fuzzy Hash: b8615b83c697b1d827efa6d92a4c15bff3cffec550e3e339b19b47a21a22dbf1
Instruction Fuzzy Hash: 2A11E3B2240904EFD723DB5DCD51F9A7BE8EF55B58F014024F201DB6A5DA70E911C790

Function 0129E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3d31bd69697f142cd919c4dcb2ab13718f3203bbfb9498004716183b6bf5c7
Instruction ID: f43e8161deada63438a816cf3278527def17a725bfd226462c543e21493512b1
Opcode Fuzzy Hash: dd3d31bd69697f142cd919c4dcb2ab13718f3203bbfb9498004716183b6bf5c7
Instruction Fuzzy Hash: 9A1148763201119BCF19DB2CCD82A3B725AEFD53B4B258529DA238B281E930D802C390

Function 012A66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d4fbcea0342a0efaadf4e01bc40581b83253af70de93e34f3af546c428bc03
Instruction ID: 749212ec36438e717a98be2cef26bf38e5e219439ca9c9ad814ef48db56bc09f
Opcode Fuzzy Hash: 18d4fbcea0342a0efaadf4e01bc40581b83253af70de93e34f3af546c428bc03
Instruction Fuzzy Hash: DE11E2B2A31202DFCB29DF59C88091ABFE8EB84740F498079DA05AB310E734DC00CB90

Function 0133A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 8031832ccaf3003bdd0f747a918a3a70c2ae420e77d965f230bffe63867b48b4
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: C911E236A00919AFDB19CB58C801B9DBBB5FFC4214F058269E885A7340E671ED01CB84

Function 01270AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: d857a74701629fec58c80fb19ccdfdd5d28b653c73e1e597d93d2b54a74fea49
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: F721F4B5A00B059FD3A0CF29C481B52BBF4FB48B10F10492AE98AC7B40E371E954CB94

Function 012FE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 8b12e7d15b4d9db2eda93e4b203402a8e4a1cc4af8d0a7f5c55d6663cc455217
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 8E119171620602EFEB22AF48C840B66FBA6EB55764F17843CEB099B270D771DC40DB90

Function 012927ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f357e7165c658385ff6571ca9da27e25144869bbbc56dc361631d187b26bb8a3
Instruction ID: 0ae01f5a077d91f858dc7a1a8f754d831e2f43a8f6a3e9c31dfd8bf72c4c165e
Opcode Fuzzy Hash: f357e7165c658385ff6571ca9da27e25144869bbbc56dc361631d187b26bb8a3
Instruction Fuzzy Hash: 5901D631635646ABE726A66ED845F377B9CFF417A4F054075FA008B291DA64DC00C271

Function 01274690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9c5419a4f9d4c1fdc21b21c7ce4acc44925710e4e81cfd2e78569050994d46
Instruction ID: 5cefe7939bcd603cfd0e910c0fe158b257f3950b78f603fbec8355e7192665fc
Opcode Fuzzy Hash: 1a9c5419a4f9d4c1fdc21b21c7ce4acc44925710e4e81cfd2e78569050994d46
Instruction Fuzzy Hash: AC11C236260686AFDB29EF59D881F57BBA8EB86764F004119FA148B250C370F840CF60

Function 012A6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694b2e573aa70c4c68d2804991659663261b38d35bfb4557de61478eee3efc67
Instruction ID: 9179ff4f2d1b62718cb3018c77fae92e4d549d2d9a95ac5b5aa018ab1c2078d0
Opcode Fuzzy Hash: 694b2e573aa70c4c68d2804991659663261b38d35bfb4557de61478eee3efc67
Instruction Fuzzy Hash: EE11E572A11716AFDB21EF59C980B5EFBB8FF44B40F940454EB01A7200D734ED018B50

Function 0129EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7288afa0383310e9f2aa652a72b8cf822b0665dd1b6b0ef077f234df3c7ca20b
Instruction ID: 1bb08ed61d75dbc385b0c66f2b3f4229b99701b6fb0afd7a9729926f27112d42
Opcode Fuzzy Hash: 7288afa0383310e9f2aa652a72b8cf822b0665dd1b6b0ef077f234df3c7ca20b
Instruction Fuzzy Hash: 5101DE7151010A9FCB25DF18D404F26BBFDFBA1358F22817AE1048B2B5CBB4AC42CB90

Function 0129E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 9fd41ebe149f7c6c7e1f4a001cc290d538f05c6127b5eb4cea2bf58784f155bc
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 0611E9716326C39BEB23DB2CDA44B6537D4BF00B44F1A00A0DF4287692F728D843C255

Function 012FE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 7680e60b2dbf90092dba1f7753db2c3f072bf5d4682457c357e43e866762f4c3
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: AA018432620206AFE72A5B58CC01B6AFAA9EB85750F178438EB059B1B0D775DD40CB90

Function 0126A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 92f2cad92c16d8c7640d58cbd2fe0dc8c632e505fb13b31648d402879bd2da0b
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: E9010431465B22DBCB218F19DC40A327BA8EB55760700852DFA96AB2C1C331D440CB60

Function 012EE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ea34b91043147673c81d9e8a724eaeecfed921fb886183811fe8e0ab1f8ca2
Instruction ID: 2091c2b2946d55c9383f76a654519921da6aa74173a83854758bd951f1a9e23c
Opcode Fuzzy Hash: 64ea34b91043147673c81d9e8a724eaeecfed921fb886183811fe8e0ab1f8ca2
Instruction Fuzzy Hash: BD11C072261241EFDB15EF19CD81F66BBB8FF54B84F2000A5FA059B6A1C675ED01CBA0

Function 01276259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f328353905b964029d7d0f39820398e886e4cc3cc26c384f5fcadcd7e37511c5
Instruction ID: 7bcbe9419e6dcdb59ca09620ac93d82fe34e44f6cd323f98ee527b528d7ff04f
Opcode Fuzzy Hash: f328353905b964029d7d0f39820398e886e4cc3cc26c384f5fcadcd7e37511c5
Instruction Fuzzy Hash: 7E117C71551229ABEF65EF64CC82FE9B378BF14710F5041D5A328A61E0DB70AE91CF84

Function 012A6DA0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
Instruction ID: d31c739394f0edb74584e2f079d3b15732eeeae1a0ef81faa119f8ad02682461
Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
Instruction Fuzzy Hash: 74014C7162411667EF2A9B59C905FAF7F68DB40B50F4A4055AF065B2C0D774D880C3E0

Function 012F6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d90e28cab939177576c7d06c710e07d9c0c5e5a0911fcd8d52bfb9bd9fc8fef
Instruction ID: de6febc2dc2ab4c44d80bcbd9abc1a49db0b77d80477b66328f50771b51a2d97
Opcode Fuzzy Hash: 4d90e28cab939177576c7d06c710e07d9c0c5e5a0911fcd8d52bfb9bd9fc8fef
Instruction Fuzzy Hash: F1111772900019ABCB11DB94CC84DEFBB7DFF58354F044166EA06E7211EA34AA15CBA0

Function 0127208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 1919fd1d32087eaf0a5fd16df4cfdcf979e92c02435724f60038674ef93ac531
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 5D01F532220102CBDF169A1DD880BA37767BFE4A00F5541A9EE018F246DAB1D881C3A0

Function 01306500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f8d0603d43fcfa27bef7ab83c8c2b3fdbb7c6642f2d4950016468cd59c4c87
Instruction ID: 8378f37dd45a05efc157031ecaf4792c5778808414d8dcf35daf72a676ea7e8d
Opcode Fuzzy Hash: a8f8d0603d43fcfa27bef7ab83c8c2b3fdbb7c6642f2d4950016468cd59c4c87
Instruction Fuzzy Hash: D211E572600145DFC302CF18D810BA2B7F9FB5A308F088159E8448B399D732EC40CBA0

Function 012FC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd91e8411a451cf90aace3c14c2ba92839eba870efb96f85c43c135c76e0bc8
Instruction ID: e4afbf0431d85b942dcbc27843b12e1b9f3ef4c7bf4f5aa3daba59f16433611a
Opcode Fuzzy Hash: 7cd91e8411a451cf90aace3c14c2ba92839eba870efb96f85c43c135c76e0bc8
Instruction Fuzzy Hash: ED1118B1A1020D9BCB00DFA9D581AAEBBF8FF58350F10806AE905E7351D674EA018BA4

Function 0126C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 0d57d7e3f4dbf880ba0c741dcc8b18f983d5661ba7e4a6ba91e80e6e5479c7c9
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: DB01F93212074A9FDB22A669D500B6777EDFFD5650F44452DA78587580DA70E442C750

Function 012B20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86825aade309b5372be63a0798127dcc41b03066f67472439ecee62f12a4bf0d
Instruction ID: ae8fb8fcfbdd1f66df7f38386c17b885b378141d10eaafe5085b0f7fe220304d
Opcode Fuzzy Hash: 86825aade309b5372be63a0798127dcc41b03066f67472439ecee62f12a4bf0d
Instruction Fuzzy Hash: BF116D35A2124DEBDB05EF64C895FAE7BB5FB44780F008059FA129B291D635EE11CB90

Function 012AE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65999bafc7b627356c5453ab9cb7a6ec761eb47bdb2a195380847728ae20b2b
Instruction ID: 3bb8f11ff0fc1e3c7ae66b284ff1fd6c8b76fd5fbdbddbf837a1c8aedd06d104
Opcode Fuzzy Hash: d65999bafc7b627356c5453ab9cb7a6ec761eb47bdb2a195380847728ae20b2b
Instruction Fuzzy Hash: BD01D4B1222502BBC711BB3DCD80E67BBECFB946A47000629B20593591DB24EC11C6B0

Function 013069C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1fba1cfa48c3f01761f1d0861e9403333c00cc5661997312e3fb91270cd7ef4
Instruction ID: ffae7825a08e0941d0a4634bdaf26f7326733b5e0e24b5f3c83a26fa7d9272b0
Opcode Fuzzy Hash: d1fba1cfa48c3f01761f1d0861e9403333c00cc5661997312e3fb91270cd7ef4
Instruction Fuzzy Hash: B90128B22242069BD320EF6D88899A7BBE8FF48764F104129E959871C4E7309961C7D1

Function 012FC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e6af5381aa6b545315b33aaf1134ba89579b04d5d1a396af73e2ed718f6894
Instruction ID: ace87ed40398483f853f2bca00391bc24446e044c345b7ae6bf090d4b1453513
Opcode Fuzzy Hash: 73e6af5381aa6b545315b33aaf1134ba89579b04d5d1a396af73e2ed718f6894
Instruction Fuzzy Hash: D7116D75A1124DEBDB15EF68C884EBEBBB5FB48740F004069FE0297390DA35E921CB90

Function 012FC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f221819a2e58c573db63b70c0df348a71ca51fc01a87b9767cf8b70d5f6a57da
Instruction ID: 6f90e6bf4a322189defc9ff03f9e3baaca30c8fea753f5e4be1fd231455a0ffe
Opcode Fuzzy Hash: f221819a2e58c573db63b70c0df348a71ca51fc01a87b9767cf8b70d5f6a57da
Instruction Fuzzy Hash: DB117CB16143099FC700DF69C44199BBBE4FF98750F00852EFA98D7391D630E900CBA6

Function 012FCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55417c2657e47d3183aed2613ec45a33a86c4b395e43896f8be5266bfa9d080a
Instruction ID: b88f13f1cb9bcb5cf7adc863ce88d410056a66a2b5da53ddf1ec95536b976c78
Opcode Fuzzy Hash: 55417c2657e47d3183aed2613ec45a33a86c4b395e43896f8be5266bfa9d080a
Instruction Fuzzy Hash: CE117C716143099FC300DF69C44195BBBE4FF99750F00852EFA58D73A0E630E900CB96

Function 01344A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 2d7ce231df4d7c9d0796450cedd32668ae5e3abcbd73da6d3bc86b6c87e533ae
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 3201F732200B059FEB21DA6DD844FA7BBEAFFC5614F044829E6428B650DEB0F841C794

Function 0128E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: fb4c37d113c18c3477eb3d5c4123b1e5ad8290beeff9ad759ed2fd390b2dec92
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 0201BC322215819FE722AB1DC908F267BD8EF45B48F0E08A5FB05DB6D2C768DC81C221

Function 0126826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe87089a7e11caf4c06c7ae8ca8d6e3327928d84d289216559d77ed5e536153
Instruction ID: 20b6105dba92df1fe88c247d7e1d7a02d775fa9c0d9faaa77707603f3e0a28dd
Opcode Fuzzy Hash: 1fe87089a7e11caf4c06c7ae8ca8d6e3327928d84d289216559d77ed5e536153
Instruction Fuzzy Hash: 8A01DF31730649DBD714EB6AD8419BABBADEF90610F558029DA02A7284DE70D841C790

Function 01272582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef14052353ec06a56d3ef7a22ee108f8a83592a17449a3a658febec2330f7b5
Instruction ID: c69c52cae1bd9f519621c0cd9eb6b295318942da5f03fe621e6b6ff381900d83
Opcode Fuzzy Hash: bef14052353ec06a56d3ef7a22ee108f8a83592a17449a3a658febec2330f7b5
Instruction Fuzzy Hash: 36F0F432662A21B7C735DB5B9D40F17BAAAEB84E90F004029E60597640DA30ED01CBA0

Function 0129C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 46860b6b73dcb7e5fb07b91f0b22da0201b80f747e50232767c28fca6ee753a4
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 3FF0C2B2A00611ABD324CF4DDC40E67FBEADBD1A80F048128E645C7260EA31DD04CB90

Function 0126C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 06c7a64f47087ac9a7a51d62050e938f9034632017ed8432d5161e251066a266
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 54F0FC732656239BD73277594840B3BB59D8FD1B64F194035E3459B2C4C9B08D7157D0

Function 012ACA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 03de40f0d2277eeee5c5002fff5e8a32c8070f839cb46bb2d4dc29e69dc39a6d
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: FC01F432220A869BD736DB1DC809F69BBD8FF41750F4840A5FB448B6A2D7B8D810C250

Function 013461E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8680a1be17847792dd145253c5ed7c74ca0ba9de7431b7fbb694d02441472bfd
Instruction ID: 3d55bb1718af5e4fc39fac95cb4e81c4dd06319e3e4667ed5ce1e64057695f88
Opcode Fuzzy Hash: 8680a1be17847792dd145253c5ed7c74ca0ba9de7431b7fbb694d02441472bfd
Instruction Fuzzy Hash: 70018F71A10249EBCB00DFA9D445AEEBBF8BF58714F14405AE501E7280D734EA01CB98

Function 012F63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 8c1552b1ec845ac8e3c2de3d8744ac8506cfa1077290f790fc18b152409220f6
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 24F0127211001DBFEF019F94DD80DBF7B7DFB55698B104129FA1192160D631DD21A7A0

Function 012FA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecea3de5635cfb21fcf803a221ece5e070664aa276d6902db34832588eb8b8f
Instruction ID: 7a5b1763d87768db2a31ee6c765e122e545d15145a25cbbd93a679289e6d1054
Opcode Fuzzy Hash: eecea3de5635cfb21fcf803a221ece5e070664aa276d6902db34832588eb8b8f
Instruction Fuzzy Hash: 71019A36510109ABCF129F84DC44EDE7FA6FB4C754F058115FE1866220C732D970EB81

Function 0126C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d588628119228329b459b08ecf3eb5441f990bd008f10d302771b08d03b2f46d
Instruction ID: c773e519a1d2280b255bee8d5d6fa6ee9dee00fcf2ed36077c51cb2a58499876
Opcode Fuzzy Hash: d588628119228329b459b08ecf3eb5441f990bd008f10d302771b08d03b2f46d
Instruction Fuzzy Hash: 49F02471234242DBF714B6199C02F32329EEBC0650F2580AAEB498F7C1EA70DC918394

Function 012A656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75ba5713eed72f05c26965284399c0c771d8f6f5420a0880923aebb168d1d87
Instruction ID: bf0ef810c43c4db944d552c5ef4822feb9ed158602c7671ebb502ceed9a0a07a
Opcode Fuzzy Hash: c75ba5713eed72f05c26965284399c0c771d8f6f5420a0880923aebb168d1d87
Instruction Fuzzy Hash: 9001A4702216C2DBE732AF2CDD4CB2537E8BB50B44F9841A0FB41CBAE6D768E4018610

Function 0131437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: f103219b3c78c129efee8553d017f331a0922a658895c43b090d3c13de7fe1f5
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 3FF02E31341D1347EB3EBB2D8820B3EB6559F90F14B054D2E9605CB684DF20DC10C780

Function 012FE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 79171782a36de21361f20814977f9ff7576f9b2c64b5855a4de9d308150e0940
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 37F05E72731612ABE322AA4ECC80F16F7A9AFD5A60F1B0079A7049B270C760EC0187D0

Function 012FC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314241c785fd6521f538f73d3b027e3562609fe33cbed0056a2b40f7c8f87260
Instruction ID: 4f6666fef4668998c3babe3e5443c7e877f95708a3cfe337e75cb631d3c6c29c
Opcode Fuzzy Hash: 314241c785fd6521f538f73d3b027e3562609fe33cbed0056a2b40f7c8f87260
Instruction Fuzzy Hash: 61F0AF706253489FC314EF68C446E2AB7E4FF98710F40866EB998DB394E634E900CB96

Function 012A0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 19b73b39c1e7cd4dec6c6886af54085f6dd949e1590594e9527d9ab05a3c2385
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 57F0E972620205AFE714DF26CC01F56B7EDEF98340F158078A645D71A0FAB0DD41C658

Function 012F8D20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4942dcc10fc87ab94e0df9b236e04121e80ad5c2d89726efbfa038fe6997eaed
Instruction ID: dac101a0361dcfd6d1a7876bdc8bfc926076f747e6dc28534a69d3227aa31fd1
Opcode Fuzzy Hash: 4942dcc10fc87ab94e0df9b236e04121e80ad5c2d89726efbfa038fe6997eaed
Instruction Fuzzy Hash: 52F0B4365202486FD7216A2CE848F5BFB5DFFA4758F098439FB55272A587306C80C790

Function 012FC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd684dc9549b64e3dabd484c0c9f54ef6252e4702c9d0910905d82a664ce0d67
Instruction ID: a1588890a66e178caf6714c9d9e008435aa7c4c5c6a46880ddeb42891b2efef3
Opcode Fuzzy Hash: cd684dc9549b64e3dabd484c0c9f54ef6252e4702c9d0910905d82a664ce0d67
Instruction Fuzzy Hash: 2BF0AF70A1124DDFCB04EF69C555EAEB7F4FF18300F008069A905EB385DA34EA01CB54

Function 012747FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e542769d114e974303f647a742b1bdbba8237eb8ed626c6685f3e79884b0e1
Instruction ID: b736aa93b9cb11f8b57e881e597f3a1e088a31266c26c637af16f46f1be64426
Opcode Fuzzy Hash: f1e542769d114e974303f647a742b1bdbba8237eb8ed626c6685f3e79884b0e1
Instruction Fuzzy Hash: F4F0B4319366EA9FE732FB5CCC44B27BBD49B02628F08496AD65987542C774D880C651

Function 01330115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec2b7ca3a4d101eb1b361965325464029a974b764a5d6955e29cb23db531268
Instruction ID: 4c6876eff1b252b09dca945f94fea9f918a62cac56b7acea39cee014fd007eeb
Opcode Fuzzy Hash: 9ec2b7ca3a4d101eb1b361965325464029a974b764a5d6955e29cb23db531268
Instruction Fuzzy Hash: D4F05CBE8156D016DF3A6B3C74523D12FACA7C261CF095045ECA157219C5748883C328

Function 012AC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46864991c8ffafe32c6e060dc66491bceb1a83a57b0a109fe01a74169d68646f
Instruction ID: 0d7b600e3dc07323113783e698d0d077ef895b9173b8ff042de5af313f61a7f4
Opcode Fuzzy Hash: 46864991c8ffafe32c6e060dc66491bceb1a83a57b0a109fe01a74169d68646f
Instruction Fuzzy Hash: 2BF027719316929FE732D71CC148B21BBD49BC4FA4F8894A5D616C7752C3A0F8B0CA51

Function 012B2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 3d2c47c9da14e6f74656065f438a19d07139a4d1cd6d21fa4da0f2bf0d5310a8
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 0FE0D8723116016BE712AE59CCC0FA7776EDFD2B50F040479B7045F292CAE2DC0982A4

Function 01306030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: ac9a9a9614367e17a515b401070afa082d2db86ce36c728a3049092ee6482969
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: A7F0A0B21482049FE322CF09D841F52B7F8EB05368F01C025E6088B5A0D33AEC50CBA0

Function 01270710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 91051b0c5849e1d457ebe30e8b2530871646afaae6cceaa8fe65bd944c7dec4b
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 1CF0E5392643819BDB1ADF19D040AA6BFA4FB56750B010058F9428B341E771E981CB54

Function 012A49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 134f92b66d38d8b7317e0cba3882fbf2f9b97b8796df7f4d812d26500c3b0223
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: A7E092322741C6ABD3213A598831B6676A59BD87A0F990429E2019B192DBF0EC40C798

Function 0131678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 20744f9b6d59e485ae92c3a55343c01997f42678103c57a76508e300491f6c4b
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 5BE0DF72A02210BBDB21A7998D02FAABEACDB90FA4F050054B600E70D4E5B0DE00C6D0

Function 012725E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 23afe6f8bb2fb0508b103bf885fbef200c2d32e6cbb2edd054c7ee65b44b5669
Instruction ID: 4bb2e1427fd7d233fbe20a8387ba2585bc27a631b7968c7f2c36adcb6126e4c3
Opcode Fuzzy Hash: 23afe6f8bb2fb0508b103bf885fbef200c2d32e6cbb2edd054c7ee65b44b5669
Instruction Fuzzy Hash: 88E092721106949BC722FF29DD01FAB779AEB607A0F014515F115571A0CA30AC10C794

Function 012F4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 077304767008c79fe8af3e38bf00e2ce1e65f17369547b128d48b03fdc07f65f
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 8BE0AE343102468BE719DF19C040B62BBA6BFD5A10F28C07CAA488F205EB72A8428A40

Function 012ACA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0ddb2071dad880fbb4b5bafe4d5140e295f32a6a09be4b7c0f348e805cf410
Instruction ID: 47f88518928f3bf6988dc2db8a156c732e5cd2c0debf4f3500df7c89570f39dd
Opcode Fuzzy Hash: ca0ddb2071dad880fbb4b5bafe4d5140e295f32a6a09be4b7c0f348e805cf410
Instruction Fuzzy Hash: B3D02B324B50256FCF75F918BC14FB33A9D9B50720F018870F20892062D574CC9183C4

Function 0126823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 02779b9501e83017ce2f33377d4d101f9c8b9618eb37304ee8b6e115dcdd24d1
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 91E0C231071B51EFDB322F15DC01FA276A9FF68F90F204929E181164E48BB0ACC1CB44

Function 01272050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4f81b9d3916f65f58446b791f05783ab815c34c771eb40880843c7f76d9f9c
Instruction ID: de49409408317c67749e18cce624a19c9276830b73f99fb3132a7f0f32b3ede7
Opcode Fuzzy Hash: ed4f81b9d3916f65f58446b791f05783ab815c34c771eb40880843c7f76d9f9c
Instruction Fuzzy Hash: 7AE08C72110490ABC311FA5DED01E6B739EEBA56A0F004221F150872A0CA70AC00C794

Function 012A8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 72c666ae3c6f67b155b3af6478e4fc152da7d5243352b8ad479212547d0c7830
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: D1E08C33121A188BC728EE58D526B72B7A8EF45721F09463EA72787781C634E944CB98

Function 012C6AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: baddae3bad73402fdbcf9e87cdd46a00c9c5ea398968fc1b7ad37ed2798bd790
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 9FD05E36521A50AFC3329F1BEA00C13BBF9FBC4E10705062EE64683A20C671E806CBA0

Function 004172E6 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f2057f9e492c92e7ae47557fad13d98136afa5d6244b4f0444a323c9eb176d
Instruction ID: 82935d7001f1d21749d5be0c6e94b51b0788fe24d3ef25176d2e7924cb82d0d0
Opcode Fuzzy Hash: 63f2057f9e492c92e7ae47557fad13d98136afa5d6244b4f0444a323c9eb176d
Instruction Fuzzy Hash: 8EC0122FE101900780244C6AF480174F3F1D25B166B5432DACE8863601C50398108389

Function 012AE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 3702571a5166f7314ee7927c986b394b9d6e5ca2008c0bb734921d024b7ed346
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 3BD0A932624620ABDB32AA1CFC04FD333E9BB88B20F06045AF008C7190C360EC81CA84

Function 012EE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 29229a5f9c1a53e05840e103fe4bb7678e6911f4800d88dab00963e9fc5402a5
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 61E012759607859FDF12EF59D644F5EBBF9FB94B40F560054E1085B660C634ED00CB40

Function 00407B23 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1472437565.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_tnbws7pyQvMUSjF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91381c223d3e79ce1f750690824aa24ea4d23756e47ddee61a7ec50e393e534c
Instruction ID: 7f4a7498ca8d3d005c9e4eb6f127015ab2318149d8587cd1bac4bbf0afd31f93
Opcode Fuzzy Hash: 91381c223d3e79ce1f750690824aa24ea4d23756e47ddee61a7ec50e393e534c
Instruction Fuzzy Hash: 33C09232E2D31E87D520E84CB9812B5E7A9E3B7374E2173B3EC48E77109597DC528698

Function 0126A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: ee799cccae175a158ccca5c4be23151e75344a7c8a8013ec2f9a5ae01279d120
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 6AD0123223707197DB29A6556914F677959AB81A94F1A006DB90AB3980C5158C82D6E0

Function 012AA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 2c2346389d8e8969bca1689da0ecbf5664d9b71c8b1266b4dcff3e95731f06ee
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 2CD012771E054DBBCB11EF66DC01FA57BA9E764BA0F444020F504875A0C63AE960D684

Function 012ACA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83039b6453be8566e37c61577c45afea5ac9dde4a1f1418481e86f2ef38f4658
Instruction ID: 0a4f8df2261519482c5c6f2763292247e72862494737a1acb61f3096c71477b4
Opcode Fuzzy Hash: 83039b6453be8566e37c61577c45afea5ac9dde4a1f1418481e86f2ef38f4658
Instruction Fuzzy Hash: E4D0A735571402CBDF16DF08C529D3E36B4FB10740FC000ACE74061121D324DC11C720

Function 012802A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 6cb6dab1987383b59fc3a4b93fc89d8c3fd32413ff6abf0095f49756fee1c165
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: F5D09235222A81CFD71A9B1DC5A5B1533A4BB44A44F810490E501CBBA6D6A8D954CA04

Function 012AC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 2ab32983e8d9f71b65365c1b94ca03b48b5babdef4ea1ec3a927cfc44eeca7a7
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: B2C012322A0648AFC712EA99CD01F127BA9EBA8B40F000021F2048B6B0C631E820EA84

Function 01290310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 9c6d69e97f64a490e92c40472e619536f46540e9de40336a17c286414dcfac6c
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 6ED0123611024CEFCB01DF45C890DAA772EFBD8710F508019FD19076108A31ED62DA54

Function 01270750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 3410c6bce8174ceafeec3954b51c7d163d77bb4b8f0a8b664beb156c7f5c144c
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 0AC04C757115428FCF15DF19D294F5577E4F744B40F160890E905CB721E724F901CA10

Function 01344DAD Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction ID: dcb954b205523cd4ebaa46cce692416e0462e0730da8ffab2917a64fc4e466df
Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction Fuzzy Hash: E6B01232223545DFCB026724CB00B2832A9BF017C0F0900F0650089830D6188D10E501

Function 012B4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c481dbd6b75e722dbec23e72c6a537feb1817729d5ae394e7b75ccf4ee544a
Instruction ID: c32de297ccaaaaca830f30a79aa416c5c050910916187ecb1c60b1cb438990ff
Opcode Fuzzy Hash: 02c481dbd6b75e722dbec23e72c6a537feb1817729d5ae394e7b75ccf4ee544a
Instruction Fuzzy Hash: BE900231615C00129140715D48845464005A7E0701B55C115E2424554CCA158A565361

Function 012B4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d836d6b998dbb68bfab9eb4f3cdb6270b948ea3d5addd5ed6272d0d09c258b
Instruction ID: 1250f3e8e574e1ff09b7a26b37358b9024d49b65984537088294d6eb88edca8c
Opcode Fuzzy Hash: c1d836d6b998dbb68bfab9eb4f3cdb6270b948ea3d5addd5ed6272d0d09c258b
Instruction Fuzzy Hash: 7F900261611900424140715D48044066005A7E1701395C219A2554560CC61989559369

Function 012B2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63be2124c636fa922ca333b05100c999c6e713025916daf7cde8926ac654d438
Instruction ID: f5679076ce898d1b63b5294b6a222cfef2b3714460c2a84085f6d1cc36c9f1d0
Opcode Fuzzy Hash: 63be2124c636fa922ca333b05100c999c6e713025916daf7cde8926ac654d438
Instruction Fuzzy Hash: 1690023161580802D150715D4414746000597D0701F55C115A2024654DC7568B5577A1

Function 012B2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3647c738fd479e36363c9b505033005edf0a407fcdf216e5c27c144fb2c132e1
Instruction ID: 580e0618bca7088244bd4e7c8ca052b59cacd2ad42e5b5467b93e2d79c48d567
Opcode Fuzzy Hash: 3647c738fd479e36363c9b505033005edf0a407fcdf216e5c27c144fb2c132e1
Instruction Fuzzy Hash: C690023121180802D104715D4804686000597D0701F55C115A7024655ED66689917231

Function 012B2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e7c12d167ccc4fb3d9ab0c005aa3ebc250181b8279becdf84e2857b44c7b38
Instruction ID: bfd777ddca8dedbe80534b5909c786d113c9b38e44245a1eea001c26df60d9f7
Opcode Fuzzy Hash: 59e7c12d167ccc4fb3d9ab0c005aa3ebc250181b8279becdf84e2857b44c7b38
Instruction Fuzzy Hash: 2890023121584842D140715D4404A46001597D0705F55C115A2064694DD6268E55B761

Function 012B2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e3e89746250fe582929c86e81e5d999871c8ec2754af28576d68ca7c4c917c
Instruction ID: 08bd4c78b253d30229cae315fdafc6fede4b68e45f72013b1000ea63fc10f902
Opcode Fuzzy Hash: 46e3e89746250fe582929c86e81e5d999871c8ec2754af28576d68ca7c4c917c
Instruction Fuzzy Hash: 5D9002A1211940924500B25D8404B0A450597E0601B55C11AE3054560CC52689519235

Function 012B2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179b11581d69e7aa703988f27e4ef65a6a64538f230467a27e74bd1e5537fe63
Instruction ID: c01b4c79bef27112783d8f5c7529d4d138cfc0b58402a47654c25adb91a2aa8e
Opcode Fuzzy Hash: 179b11581d69e7aa703988f27e4ef65a6a64538f230467a27e74bd1e5537fe63
Instruction Fuzzy Hash: CC900225231800020145B55D060450B0445A7D6751395C119F3416590CC62289655321

Function 012B2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086cee2060af62b4b243d235b6e9ec90505e90f317f04c737a60f8b7998a8c8f
Instruction ID: 9085ccf1f4371cdfc5df0e8f66720194b4a80f4ea468e5270ccaf6bbac92f5c8
Opcode Fuzzy Hash: 086cee2060af62b4b243d235b6e9ec90505e90f317f04c737a60f8b7998a8c8f
Instruction Fuzzy Hash: 2F90022121584442D100755D5408A06000597D0605F55D115A3064595DC6368951A231

Function 012B2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f39814eeec290c4f4a2b9ae8ba755aefcd23181f5c126a285ca6fe26be5d530
Instruction ID: 291e940f90ec21e5689a525c76f8703e1891d9bbea6101d290145310b255a7cb
Opcode Fuzzy Hash: 1f39814eeec290c4f4a2b9ae8ba755aefcd23181f5c126a285ca6fe26be5d530
Instruction Fuzzy Hash: 8090023125180402D141715D44046060009A7D0641F95C116A2424554EC6568B56AB61

Function 012B2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31997d81ee53e52e1f04d6880a7eecbbeddb94334e6c7f4425b5bfe220339f32
Instruction ID: 6459555698c7b0cc7a2e473475eedd5371698aa8bf6a45d8ebd664529d710905
Opcode Fuzzy Hash: 31997d81ee53e52e1f04d6880a7eecbbeddb94334e6c7f4425b5bfe220339f32
Instruction Fuzzy Hash: A890023121180842D100715D4404B46000597E0701F55C11AA2124654DC616C9517621

Function 012B2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d61505a129bb0c7d5a82513c5734bc9fe169d4de206688452626790e1c19ada
Instruction ID: 111964d1f5c424c22a04c0c2df9476377498cf6fa7894392399096850cd8ac3e
Opcode Fuzzy Hash: 4d61505a129bb0c7d5a82513c5734bc9fe169d4de206688452626790e1c19ada
Instruction Fuzzy Hash: F6900431311C0403D100715D550C7070005D7D0701F55D515F343455CDD757CD517331

Function 012B2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5a883a244527707623e06cc3b8c32394da39668308c4e9788053cdd757fe54
Instruction ID: 41076f7cf1fa605599257afbe0793f51e13c0f70dfb7d8747a34eebcd3c6b4bf
Opcode Fuzzy Hash: 7a5a883a244527707623e06cc3b8c32394da39668308c4e9788053cdd757fe54
Instruction Fuzzy Hash: 6190022161580402D140715D5418706001597D0601F55D115A2024554DC65A8B5567A1

Function 012B2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14b873ec0819dc712e0d8807be2432685b425ec4b762acbdfb6203fcf0ead86
Instruction ID: 617736c142606ab7ac218266da02a1c7635b97ec362731a9728d459f54fd0284
Opcode Fuzzy Hash: b14b873ec0819dc712e0d8807be2432685b425ec4b762acbdfb6203fcf0ead86
Instruction Fuzzy Hash: 86900471331C0043D104715D44047070045D7F1701F55C117F3154554CC53FCD715335

Function 012B2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c2e85d37365abf835c714c8c2828018f4d0a4794cbe3f3f44f74cfaf46cd06
Instruction ID: cb37c99fc6fea2a51ae92a8af9349659905f58714bf0ab7fe2ca1835a2028644
Opcode Fuzzy Hash: 48c2e85d37365abf835c714c8c2828018f4d0a4794cbe3f3f44f74cfaf46cd06
Instruction Fuzzy Hash: 53900231211C0402D100715D4808747000597D0702F55C115A7164555EC666C9916631

Function 012B2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063c6a88c5a0152dbb5eb5ee498e8562491bc1fad306c89f52e4a9a0287163bc
Instruction ID: c339d6be683f03b3897933d41358e8655170331be015b04254d24adb44bb0fd0
Opcode Fuzzy Hash: 063c6a88c5a0152dbb5eb5ee498e8562491bc1fad306c89f52e4a9a0287163bc
Instruction Fuzzy Hash: DD90022131180402D102715D44146060009D7D1745F95C116E3424555DC6268A53A232

Function 012B2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2bc7e211ae018450728afe2ac55b67c623b35931f67b8fa582afe41dcc2d709
Instruction ID: e9f1c51d7925ae0bee1ff64f0f55fbe5894aca7898d59aeafa49bd03acda509e
Opcode Fuzzy Hash: a2bc7e211ae018450728afe2ac55b67c623b35931f67b8fa582afe41dcc2d709
Instruction Fuzzy Hash: 50900261211C0403D140755D4804607000597D0702F55C115A3064555ECA2A8D516235

Function 012B3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e60be0e79a10dd29a50441e5bfe70d188980b64d2254e220c8c615ee691327a
Instruction ID: c151667865bc0e13bd544f8746de1a64819cdad7c5748d79809645f7f4a2cc99
Opcode Fuzzy Hash: 7e60be0e79a10dd29a50441e5bfe70d188980b64d2254e220c8c615ee691327a
Instruction Fuzzy Hash: EE900221211C4442D140725D4804B0F410597E1602F95C11DA6156554CC91689555721

Function 012B3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaa8e2e9b44032da5db7ac7538ee5e488eb08fcec399f8b2ea9d3c90bd3ee631
Instruction ID: 975f002064779ee0f2c148201ac26d1ec36df810db4da34d18d2b1063120fbd4
Opcode Fuzzy Hash: aaa8e2e9b44032da5db7ac7538ee5e488eb08fcec399f8b2ea9d3c90bd3ee631
Instruction Fuzzy Hash: 1490022125180802D140715D84147070006D7D0A01F55C115A2024554DC6178A6567B1

Function 012B35C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1d672112d3e7f705846e22a2da2a83e4d56d9bd76ed2730f875518846a08dd
Instruction ID: 96ce5f832c28a8694df71163c148e41d3e3ac091210b1e2323e142ef58df1554
Opcode Fuzzy Hash: 9c1d672112d3e7f705846e22a2da2a83e4d56d9bd76ed2730f875518846a08dd
Instruction Fuzzy Hash: B390023161590402D100715D4514706100597D0601F65C515A2424568DC7968A5166A2

Function 012B39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7519da8ab53b5f85b1aa3744b078dfc572579ed33ce05825afbc5d0cd4c5d855
Instruction ID: 3581e18b6ceca5d05dfbd3108740b0ced57e6bfcf1b3939db53c61717fee8c4a
Opcode Fuzzy Hash: 7519da8ab53b5f85b1aa3744b078dfc572579ed33ce05825afbc5d0cd4c5d855
Instruction Fuzzy Hash: 44900431355C5103D150715D44047174005F7F0701F55C135F3C145D4DC557CD557331

Function 012B3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90df1b759898e1a401e89f000c5978ba4bbc40888b166dcbcf67e6fe52adc0c7
Instruction ID: 052db330a89f6508fe1295b35db2340a9e74e4bc92142286f496de64e4fe5134
Opcode Fuzzy Hash: 90df1b759898e1a401e89f000c5978ba4bbc40888b166dcbcf67e6fe52adc0c7
Instruction Fuzzy Hash: 64900231212801429540725D5804A4E410597E1702B95D519A2015554CC91589615321

Function 012B3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c2abbe87e1696b494a4ed19616545f52b8c8746ef84658f00e2bc61ce46b3b
Instruction ID: 4ac21ff584b7501b51d94ac6fc1a75a856b6f6bb68ab770a5e23689e2a55831d
Opcode Fuzzy Hash: 46c2abbe87e1696b494a4ed19616545f52b8c8746ef84658f00e2bc61ce46b3b
Instruction Fuzzy Hash: F390023521180402D510715D5804646004697D0701F55D515A2424558DC65589A1A221

Function 012B2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 5783251a11f78588bdc109c3e79211f1bb584ffe8788b171bafd787bdb9280b1
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 012B2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 012B293C
___swprintf_l.LIBCMT ref: 012B295E
___swprintf_l.LIBCMT ref: 012B29A3
___swprintf_l.LIBCMT ref: 012EA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 012EA54E
ffff:, xrefs: 012EA504
:%u.%u.%u.%u, xrefs: 012EA5B8
::%hs%u.%u.%u.%u, xrefs: 012EA527

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: ea7056d26df56c729bd0843fac16ea641635e86de778331e38243356947d5b75
Instruction ID: 2ca7f8db6a9fd20e9a901b06d8de2a7641e217ae1658160c3d9f333d0f4d1c09
Opcode Fuzzy Hash: ea7056d26df56c729bd0843fac16ea641635e86de778331e38243356947d5b75
Instruction Fuzzy Hash: 4D51E9B5A20617EFCB11DB5C88D05BEFBB8BB083807548229E5A9D7641D374EE4087E0

Function 01322410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 013224A6
___swprintf_l.LIBCMT ref: 013224E2
___swprintf_l.LIBCMT ref: 0132257D
___swprintf_l.LIBCMT ref: 013225A3
___swprintf_l.LIBCMT ref: 013225C8
___swprintf_l.LIBCMT ref: 01322608

Strings

ffff:, xrefs: 0132247D, 0132249D
::%hs%u.%u.%u.%u, xrefs: 0132249E
:%u.%u.%u.%u, xrefs: 013225FF
::ffff:0:%u.%u.%u.%u, xrefs: 013224DA

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: d6331ab2ba6e5383e20748f26d0d50bca1c55238387d24f49a504c2468b034f9
Instruction ID: 6d2bd360a63e6300d77a99d791839bc329fc24621bbb80ebc84e37144e329e31
Opcode Fuzzy Hash: d6331ab2ba6e5383e20748f26d0d50bca1c55238387d24f49a504c2468b034f9
Instruction Fuzzy Hash: 24510375A00666AFDB31EE9CCC9087FFBF8AB44208B148459E596D7681E6B4DA408760

Function 012A7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 012E4725
Execute=1, xrefs: 012E4713
ExecuteOptions, xrefs: 012E46A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 012E46FC
CLIENT(ntdll): Processing section info %ws..., xrefs: 012E4787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 012E4742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 012E4655

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: fe713dc272f181a9ca2bd2151aff5b5d955cc2cef33939dae86fadb39652c80d
Instruction ID: d79ee2012ddf8938d3dcc12b27b85392490c787bf1450317ad9385b02edf88f0
Opcode Fuzzy Hash: fe713dc272f181a9ca2bd2151aff5b5d955cc2cef33939dae86fadb39652c80d
Instruction Fuzzy Hash: 32514A3162020A7FEF24EBA8DC99FFD77B8AF14704F8400A9DA05A7191E7729E418F54

Function 012BB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 012BB6BF

Strings

0, xrefs: 012BB695
-, xrefs: 012BB650
+, xrefs: 012BB65A
0, xrefs: 012BB66F

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 7f1bbaa5a28b580907f55146a4c6ededb47dd61b98d1a8f91b949cdd08f233c8
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: B281E571E3524A9EEF29CE6CC8D17FEBBB1AF45390F184119DA61A72D1C7709880CB51

Function 0129F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012E02BD
RTL: Re-Waiting, xrefs: 012E031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012E02E7

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: d043fd97c17fbac1113aa712bbb4c49a334abc491c3d99c56da142e9eb40710c
Instruction ID: 2f7284d79b328c7dd03ff04623ec47ff62b873750dad57491d1cdef705319cdb
Opcode Fuzzy Hash: d043fd97c17fbac1113aa712bbb4c49a334abc491c3d99c56da142e9eb40710c
Instruction Fuzzy Hash: 18E1BE306247429FDB65CF2CC985B6ABBE0BB84314F144A2DF6A5CB2E1D7B4D845CB42

Function 012ABED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 012E7BAC
RTL: Resource at %p, xrefs: 012E7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 012E7B7F

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 9addf71a1ca513316e9dbec32bd836a143ba5f5368c170238102f8358bd4df2d
Instruction ID: 4ee7cdb04a8fc7e51fa37cba4caa532f193bd97614cef7fbeeaa64e73a91afa9
Opcode Fuzzy Hash: 9addf71a1ca513316e9dbec32bd836a143ba5f5368c170238102f8358bd4df2d
Instruction Fuzzy Hash: 2341E3353207039FDB21CE29C951B6AB7E9EF98710F440A2DFA5AD7680DB71E805CB91

Function 012AB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012E728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 012E7294
RTL: Re-Waiting, xrefs: 012E72C1
RTL: Resource at %p, xrefs: 012E72A3

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 0fe4d8698407e1664515adb225c1c875d5729d6e6bd842d9401ecc52252219d1
Instruction ID: 19a4276fde381f1b3ada7c0d937b30ff0b5bfcdcf994bec533992cdef00b9db0
Opcode Fuzzy Hash: 0fe4d8698407e1664515adb225c1c875d5729d6e6bd842d9401ecc52252219d1
Instruction Fuzzy Hash: AD41F035620203ABD721DE29CC41B6ABBE5FB54710F500629FE55EB240DB71E806CBD1

Function 01322300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0132238D
___swprintf_l.LIBCMT ref: 013223B3

Strings

]:%u, xrefs: 013223AA
%%%u, xrefs: 01322384

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: f4fe1cf96a510a64e3eb8331cde2f7066a0fb7c91c60a8ffe9e1cb597f77b8f7
Instruction ID: e2c765ad0606625e8062c63600e5e0536eb4a02ec5e6546350852eb0a808ba6a
Opcode Fuzzy Hash: f4fe1cf96a510a64e3eb8331cde2f7066a0fb7c91c60a8ffe9e1cb597f77b8f7
Instruction Fuzzy Hash: D8318472A102299FDB20DE2DDC40BFFB7F8EF54654F444559E949E3240EB30AA448BA0

Function 012B7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 012B7E8B

Strings

-, xrefs: 012B7DDD
+, xrefs: 012B7DE8

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: becea9142fca09c9983b638d6778c45549aa503ed0a2f0f942ad60e36151e117
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: AF919F71E2020B9BEB24DF6DC8C1AFEBBA5AF847E0F14451AEA55E72C0D77099408B15

Function 01279126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01279191
@, xrefs: 01279175

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: bdac43ed9d8e65a8cccc207f151dd59531cad829f028253a2f2e0a6f90816d77
Instruction ID: 286ffe4128f5b2acae08467d027010bb873f59bffdb5433430a0c7774db7c574
Opcode Fuzzy Hash: bdac43ed9d8e65a8cccc207f151dd59531cad829f028253a2f2e0a6f90816d77
Instruction Fuzzy Hash: 08812C71D1026ADBDB35DB54CC45BEEB7B8AB08754F0041DAEA19B7280D7705E84CFA0

Function 012FCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 012FCFBD

Strings

@, xrefs: 012FCF0A
@4Qw@4Qw, xrefs: 012FCFD5, 012FCFDA, 012FCFF1

Memory Dump Source

Source File: 00000006.00000002.1473207542.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1240000_tnbws7pyQvMUSjF.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: f9c41923ce6efb578dbffd59c78675ba82e0484829946e8cb6fbf8ade6890dad
Instruction ID: 5b82750fd0234d93b7a1f7fe73ee4b1d56470412de8cd93fe6232396d4725558
Opcode Fuzzy Hash: f9c41923ce6efb578dbffd59c78675ba82e0484829946e8cb6fbf8ade6890dad
Instruction Fuzzy Hash: 70418DB1920219DFDB219FA9C840AADFBB8FF54B44F00813EEA05EB365D7749801CB61

Analysis Process: explorer.exePID: 4084, Parent PID: 7856COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	421
Total number of Limit Nodes:	16

Executed Functions

Function 0E051232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0E051449

Strings

`, xrefs: 0E05141D

Memory Dump Source

Source File: 00000007.00000002.3859950022.000000000DFF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dff0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 36244c5072541b96bba4ccd2f26b300f6f769b810053e69ca56488109074d3fa
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 64224B71A19E099FCB99DF28C4947AEF7E1FB98301F40062EE85ED3650DB30A951CB81

Function 0E052E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E052E67

Memory Dump Source

Source File: 00000007.00000002.3859950022.000000000DFF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dff0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 4fb60e045abafec744256a780d6697dcaccdffcc21bef4bb5b2e0909987dbb46
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 7101B531628B484F8B84EF6CD480226B7E4FBCD314F000B3EE99AC3254D770C5414742

Function 0E052E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E052E67

Memory Dump Source

Source File: 00000007.00000002.3859950022.000000000DFF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dff0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: afc7c9976a67346262160d44bce6f38f9aa01557749a506fa1e4a74fd1b70dc7
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 3701A235628B884B8B48EB2C94412A6B3E5FBCE314F000B3EE99AC3250DB61D9024782

Function 0E051F82 Relevance: 20.1, APIs: 1, Strings: 10, Instructions: 815
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0E05212E

Strings

&sql, xrefs: 0E052471
GET , xrefs: 0E052318
: cl, xrefs: 0E052338
tion, xrefs: 0E052331
&un=, xrefs: 0E0524F1
nnec, xrefs: 0E05232A
dat=, xrefs: 0E052290
Co, xrefs: 0E052323
&br=, xrefs: 0E052509
ose, xrefs: 0E05233F

Memory Dump Source

Source File: 00000007.00000002.3859950022.000000000DFF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dff0000_explorer.jbxd

Similarity

API ID: getaddrinfo
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 300660673-1117930895
Opcode ID: 6582faed5af590fd112090fbafe60f4c0dd4e3fbaa3efbf46289fdd7b9f566b5
Instruction ID: 0b30c2aad385dab732fa034408998b21c8000a8f51ea454d84902f109229fcbb
Opcode Fuzzy Hash: 6582faed5af590fd112090fbafe60f4c0dd4e3fbaa3efbf46289fdd7b9f566b5
Instruction Fuzzy Hash: 9C526F32618B088BCB69EF68C4947EAB7E1FF54300F50492EC89FD7256DE34A945CB81

Function 0E04C8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E04C9A0

Strings

urlmon.dll, xrefs: 0E04C959
nt: , xrefs: 0E04C91E
on.d, xrefs: 0E04C902
User-Agent: , xrefs: 0E04C935, 0E04C948

Memory Dump Source

Source File: 00000007.00000002.3859950022.000000000DFF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dff0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 74a762c1fb94694cd59a2b5f284504d6ace6b774120df2c83ef153a1f3881924
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 9531C071614A0C8BCB44EFA8D8987EEBBE0FF58204F40062AD84ED7250DF789A458799

Function 0E04C8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E04C9A0

Strings

urlmon.dll, xrefs: 0E04C959
nt: , xrefs: 0E04C91E
on.d, xrefs: 0E04C902
User-Agent: , xrefs: 0E04C935, 0E04C948

Memory Dump Source

Source File: 00000007.00000002.3859950022.000000000DFF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dff0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: b37168fca260fff97346a219d553d551c6594698479d2c2c785609060627b771
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 0121F5B1610B0C8BCB44EFA8C8987EEBBE0FF58244F40062AD85AD7350DF789A05C785

Function 0E048B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 0E048CCA

Strings

kern, xrefs: 0E048B99
.dll, xrefs: 0E048BCD
el32, xrefs: 0E048BA0

Memory Dump Source

Source File: 00000007.00000002.3859950022.000000000DFF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dff0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 6c470bb7e30284d41c45698dcbfffb43aa53bb40bf974e940343413802389d93
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: AB416DB0918A088FDB98EFA8C894BED77F0FB58300F00467AD84ADB255DE349945CB95

Function 0E048B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 0E048CCA

Strings

kern, xrefs: 0E048B99
.dll, xrefs: 0E048BCD
el32, xrefs: 0E048BA0

Memory Dump Source

Source File: 00000007.00000002.3859950022.000000000DFF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dff0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 6fb61a999638398746071527831649e0077c9ab6bbceb3d7a532251ca434a826
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: AF414B71918A088FDB84EFA8C498BEEB7F0FB58300F04457AD84EDB259DE349945CB95

Function 0E04E5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0E04E611

Strings

sock, xrefs: 0E04E5D9

Memory Dump Source

Source File: 00000007.00000002.3859950022.000000000DFF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dff0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 2ebae4c6c747460b527cf81d650ad82e8290f142728d8af9192a0236b01aba8a
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: F1012170618A188FCB84EF1CE048B55BBE0FB59354F1545ADD85ECB266C7B0C9818B86

Function 0E0462DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0E04632D

Memory Dump Source

Source File: 00000007.00000002.3859950022.000000000DFF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dff0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: bad99bcb6adfb47c6f0619c5da0051057a4c412c33b6937960af5efe1dd6a364
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: DB31ACF0614B48CECBA4AF6990482E9B7E0FB45302F44467EC91DCB206DB31A850CFD1

Function 0E046412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0E046461

Memory Dump Source

Source File: 00000007.00000002.3859950022.000000000DFF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DFF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_dff0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 0b404cf8e0ee5f1a195e9de209d061e5c387c654fa59ca4a82f2dbfda61fac08
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: F3F0C230268A484FDB88EB2CD44566AF3E0FBE9215F450A3EA94DC3264DA79C9824716

Non-executed Functions

Function 0DF39D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

wini, xrefs: 0DF39F72
dll, xrefs: 0DF39F4C
M, xrefs: 0DF3A082
user, xrefs: 0DF39F03
S, xrefs: 0DF3A073
.dll, xrefs: 0DF39F2F
kern, xrefs: 0DF39F5A
el32, xrefs: 0DF39F27
32.d, xrefs: 0DF39F0B
net., xrefs: 0DF39F44
ll, xrefs: 0DF39F13

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 0837f971ee5e27019dd28480b53b3bf752eca70b946b47ca8a91dfbb78755e5b
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: F9E14B74618F488FC764EF68C8947AAB7E0FB58300F518A2E969BC7255DF30E541CB89

Function 0DF3C792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

guid, xrefs: 0DF3C7CE
user, xrefs: 0DF3C876
e, xrefs: 0DF3C8BD
encr, xrefs: 0DF3C8D2
name, xrefs: 0DF3C87D
form, xrefs: 0DF3C84D
ypte, xrefs: 0DF3C8DA
Fiel, xrefs: 0DF3C884
encr, xrefs: 0DF3C89D
Subm, xrefs: 0DF3C855
swor, xrefs: 0DF3C8EA
ypte, xrefs: 0DF3C8A5
rnam, xrefs: 0DF3C8B5
d, xrefs: 0DF3C8F2
dUse, xrefs: 0DF3C8AD
dPas, xrefs: 0DF3C8E2
itUR, xrefs: 0DF3C85D

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: aaa6bc06db3e5dc3ebd585fac0de8b380fcfc7a787ff127d7c9579494e47a521
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 68B19C30518B488EDB14EF68C885AEEBBF1FF98300F51851ED59AD7251EF70D9058B86

Function 0DF3A622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

n, xrefs: 0DF3A6C1
w, xrefs: 0DF3A6B3
c, xrefs: 0DF3A697
d, xrefs: 0DF3A6CF
l, xrefs: 0DF3A682
l, xrefs: 0DF3A6D6
d, xrefs: 0DF3A67B
l, xrefs: 0DF3A6AC
i, xrefs: 0DF3A69E
2, xrefs: 0DF3A674
e, xrefs: 0DF3A66D
p, xrefs: 0DF3A690
t, xrefs: 0DF3A6C8
n, xrefs: 0DF3A6BA
d, xrefs: 0DF3A6A5
s, xrefs: 0DF3A689
u, xrefs: 0DF3A661

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 1e1fbc78f5dacc7f95e4a8a4bb686f87f9d2cf666b4f43d2c7b2a44e834fc458
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 8841BE70A1CB088FDB18DF8DA8856BD7BE2EB48704F01425ED889D3241DBB5DD458BD6

Function 0DF41AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

], xrefs: 0DF41CA8
[, xrefs: 0DF41BF6
[, xrefs: 0DF41C90
b, xrefs: 0DF41C73
], xrefs: 0DF41C3D
[, xrefs: 0DF41C66
[, xrefs: 0DF41CCD
[, xrefs: 0DF41C2D
e, xrefs: 0DF41CA0
l, xrefs: 0DF41CE2
n, xrefs: 0DF41C98
c, xrefs: 0DF41C0B
l, xrefs: 0DF41C35
D, xrefs: 0DF41CDA

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 32ff4b3e3de5c9578c6a60f4eb3d9e4c30390699ed5693835e371d836837eab4
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: C5C16C74618B098BC758EF28C8856EAF7E1FB98304F41862E959EC7210DF70E955CB86

Function 0DF41F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

., xrefs: 0DF41F63
r, xrefs: 0DF41F88
r, xrefs: 0DF41F90
r, xrefs: 0DF41FB0
0, xrefs: 0DF41F5B
r, xrefs: 0DF41FA8
c, xrefs: 0DF41FC8
r, xrefs: 0DF41F98
r, xrefs: 0DF41FC0
n, xrefs: 0DF41F6B
r, xrefs: 0DF41FA0
r, xrefs: 0DF41FB8

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 75f39fffa341cd2b333b89287209b47ec780b947df59d9900fa74b1c4f0d7301
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: EF51C13151C7488FD719DF18D8812AABBE5FBC4304F509A3EE98B87241DBB4D946CB86

Function 0DF3B2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 0DF3B32E
4.dl, xrefs: 0DF3B4DB
l, xrefs: 0DF3B4E2
cli., xrefs: 0DF3B327
opera_browser.dll, xrefs: 0DF3B629
dragon_s.dll, xrefs: 0DF3B614
nspr, xrefs: 0DF3B4D4
sspi, xrefs: 0DF3B320

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 8a2aee5ce0bab98e037eb514402e3f3cd1ffe33a59c494be14d7e69d16e49715
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 6EC1B070A18A194FC758EF2CD895AAAB7E1FF94304F56C329950EC7251DF70EA01CB85

Function 0DF3B2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 0DF3B32E
4.dl, xrefs: 0DF3B4DB
l, xrefs: 0DF3B4E2
cli., xrefs: 0DF3B327
opera_browser.dll, xrefs: 0DF3B629
dragon_s.dll, xrefs: 0DF3B614
nspr, xrefs: 0DF3B4D4
sspi, xrefs: 0DF3B320

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 8ef709f69b4e97e8895d78bceeda81d3c6f26059ac1fbcdfee008a73e6c2948b
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 95C1B070A18A194FC758EF2CD895AAAB7E1FF94304F56C329950EC7251DF70EA01CB85

Function 0DF3CCD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

User, xrefs: 0DF3CDAB
Pass, xrefs: 0DF3CD97
L: , xrefs: 0DF3CD66
word, xrefs: 0DF3CD9E
2, xrefs: 0DF3CDE1
UR, xrefs: 0DF3CD5F
name, xrefs: 0DF3CDB2

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 6a227da0030e85a0af01b5eabe51e1c821928131e33b1ae24bd773ab8a4b2327
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: FEA19070A187488BDB18EF6CD4447EEBBE1FF84300F40862DE58AE7251EF7499458789

Function 0DF3CCE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

User, xrefs: 0DF3CDAB
Pass, xrefs: 0DF3CD97
L: , xrefs: 0DF3CD66
word, xrefs: 0DF3CD9E
2, xrefs: 0DF3CDE1
UR, xrefs: 0DF3CD5F
name, xrefs: 0DF3CDB2

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: d37ff00f7efde96cbc68387fa6df5c1fd9a6ad76ba78cc286df9a922f3ac0b4b
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: DC918070A187488BDB18EFACD4447EEBBE1FF98300F40862DE58AD7251EF7499458789

Function 0DF3C352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

n, xrefs: 0DF3C3E7
, xrefs: 0DF3C47C
v, xrefs: 0DF3C4A0
., xrefs: 0DF3C3B0
e, xrefs: 0DF3C48E

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: e3a3b640a6b928821f70cb035070d3ae93f6aace72ab4499a3cf617e45ce0b24
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 6C719031A18B488FD758EFA8C4887AAB7F0FF58304F01862ED54AD7261EB71D9458B85

Function 0DF37C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

l32., xrefs: 0DF37C97
shel, xrefs: 0DF37C90
dll, xrefs: 0DF37C9E
ole3, xrefs: 0DF37C5D
2.dl, xrefs: 0DF37C64

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 727ee4cd758389e51ad7ef9fe4cb7bee8e4f685c15be346fe4398fbbcd3cc10f
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 52514CB0918B4C8BDB54EFA8C445AEEB7F1FF58300F41862E959AE7214EF309541CB89

Function 0DF3886F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

4, xrefs: 0DF389E9
\, xrefs: 0DF389E0
ion., xrefs: 0DF388EC
dll, xrefs: 0DF388F4
vers, xrefs: 0DF388E4

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: f952ec7572f2b21685a7ac3b678a4fe9315a6f8cbc9b4e9fbf238b640510e0ff
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 66416030618B8C8BCB65EF2898457EA77E4FB98305F51862E998EC7240EF34D9458782

Function 0DF3A4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

sspi, xrefs: 0DF3A50E
dll, xrefs: 0DF3A51C
32.d, xrefs: 0DF3A4DA
user, xrefs: 0DF3A4D3
cli., xrefs: 0DF3A515

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 14818e29fff8aa0a6cb05aad048a446cd14fccc73d198be0eaa3f9b3a5655f4b
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: F3416D30A18F0DCFCB98EF6D84957AD77E1FB58300F52816AA84AD7240DE70C9808BC6

Function 0DF38432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

.dll, xrefs: 0DF3853F
kern, xrefs: 0DF3852A
el32, xrefs: 0DF38537
h, xrefs: 0DF3851F

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 173661d8351b1ef60283f37a0775299bea70108799e8e90aa1204193b3c574ef
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 69417270A08B484FD7A9DF2C84843AAB7E1FBA8341F158A6EA59AC2255DF70C945CB41

Function 0DF3F0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 0DF3F13D
, xrefs: 0DF3F184
Snif, xrefs: 0DF3F154
om:, xrefs: 0DF3F146

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: a52b2bdc8a46f32471c15f0b575adf74f3fac81ed9cb5f1c79a16f5250008652
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 7231D23150CB886FD71AEB28D4846DABBD0FF84300F50891EE59BD7251EE71E949CA42

Function 0DF3F0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 0DF3F13D
, xrefs: 0DF3F184
Snif, xrefs: 0DF3F154
om:, xrefs: 0DF3F146

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 1404b731cb96d81394011bc8f38bc79f5aede1b1e913fc18cfbd98e609c6c4ff
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 0C31E27190CB486FD719EB2CD8846EAB7E4FF94300F50891EE59BD3255EE70E906CA42

Function 0DF3AFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

hild, xrefs: 0DF3AFF6
.dll, xrefs: 0DF3AFFE
me_c, xrefs: 0DF3AFEE
chro, xrefs: 0DF3B023

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 49a0e87bf1b167d5b15e3c9a25e410d41f8409b6eb1ced2b3af4f8ca695ed148
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 70315C7061CB484FC784EF68C894BAAB6E1FF98200F96862D954ECB254DF30C945C792

Function 0DF3AFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

hild, xrefs: 0DF3AFF6
.dll, xrefs: 0DF3AFFE
me_c, xrefs: 0DF3AFEE
chro, xrefs: 0DF3B023

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 747cf8e69c851cbec6b3bfca36e144b5603ace9091e541ff98d40961951719ea
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 2D315B7061CB484FC784EF6CC894BAAB7E1FF98200F96862D954ACB255DF30C945CB92

Function 0DF3D8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 0DF3D959
nt: , xrefs: 0DF3D91E
on.d, xrefs: 0DF3D902
User-Agent: , xrefs: 0DF3D935, 0DF3D948

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: bd867295b7dac187b840e0c6ac1cb035c6059cf7b9879a14efb1bd0433a9c865
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 6E31D131A14A0C8BCB05EFACC8847EDBBE0FB58214F41822AD55EE7240DE74CA45C789

Function 0DF3D8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 0DF3D959
nt: , xrefs: 0DF3D91E
on.d, xrefs: 0DF3D902
User-Agent: , xrefs: 0DF3D935, 0DF3D948

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 903062b87107437b1cf63d62496ce4f7d264d55b765277d5a6411600b294c24a
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 17219170A14A5C8ACB05EFACC8847EDBBE1FF58208F41822AD55AE7250DF74CA45C789

Function 0DF3EE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0DF3EF03
l, xrefs: 0DF3EF26
t, xrefs: 0DF3EEF4
., xrefs: 0DF3EF1F

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 21dc53655fa97cc6f6f8629c4b229019cccaa9cbbee60ec08acf3d2683a9fc0e
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 6B218D74A28A0D9FDB08EFA8D4447AEBAF0FF58304F51862ED509E3610DBB4D591CB84

Function 0DF3EE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0DF3EF03
l, xrefs: 0DF3EF26
t, xrefs: 0DF3EEF4
., xrefs: 0DF3EF1F

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: de6d030a5f143639943e47d3c4dd745d85244153737cf1e3f0bdf407603609da
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 93215C74A28A0D9BDB08EFA8D4447E9BBF1FB58304F51862DD509E3600DBB4D5918B84

Function 0DF3EFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

user, xrefs: 0DF3F015
pass, xrefs: 0DF3F022
logi, xrefs: 0DF3F03C
auth, xrefs: 0DF3F02F

Memory Dump Source

Source File: 00000007.00000002.3859724979.000000000DE50000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DE50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_de50000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 17e0b2b9d502f189859bcba241d79ed34303acc46cf1c25426250ef61b8a86a5
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 4321C0B0A18B0D8BCB05DF9D98807EEB7E1EF88344F058619D80AEB244D7B0D9148BD2

Analysis Process: cmstp.exePID: 8172, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	6.8%
Signature Coverage:	0%
Total number of Nodes:	621
Total number of Limit Nodes:	77

Executed Functions

Function 02D0A382 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02D04BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D04BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02D0A37D

Strings

.z`, xrefs: 02D0A36D, 02D0A378

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 8ec784265806de9398d5a8a8bf5c04919236b0974f2722abeb54408d36a7578a
Instruction ID: b8af948efb34ef98d7b3e808f94cf182c7e58987ecbbd9515610865b01f2ace5
Opcode Fuzzy Hash: 8ec784265806de9398d5a8a8bf5c04919236b0974f2722abeb54408d36a7578a
Instruction Fuzzy Hash: 8C0117B6208248AFCB04CF98DC81DAB37ADAF8C314B14864DFA48C3241E630EC118BA0

Function 02D0A330 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02D04BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D04BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02D0A37D

Strings

.z`, xrefs: 02D0A36D, 02D0A378

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 4ac56c46f273d2b4543143eb0db6e461994de3c7ad6857f3c1eebcf8ae3d5a83
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 11F0B2B2211208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4

Function 02D0A3DD Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02D04D72,5EB65239,FFFFFFFF,02D04A31,?,?,02D04D72,?,02D04A31,FFFFFFFF,5EB65239,02D04D72,?,00000000), ref: 02D0A425

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2a833da6bee607256d26486a53dc488f89c638afe47e36b38ea11586295ade73
Instruction ID: 19b38385cf759858d368a0476f1f8ba6fff1df9cc626929d24a5858448e1e013
Opcode Fuzzy Hash: 2a833da6bee607256d26486a53dc488f89c638afe47e36b38ea11586295ade73
Instruction Fuzzy Hash: B2F0BDB2210105AFCB14DF99DC80EEB77A9EF8C764F158649BA1D97294C630E851CBA0

Function 02D0A3E0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02D04D72,5EB65239,FFFFFFFF,02D04A31,?,?,02D04D72,?,02D04A31,FFFFFFFF,5EB65239,02D04D72,?,00000000), ref: 02D0A425

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 820178928afb92d12b6f8a71197e95366bc3294f5219865976e0dbcdb542a10b
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: F0F0A4B2210208ABCB14DF89DC80EEB77ADEF8C754F158249BA1D97251DA30E8118BA0

Function 02D0A45A Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02D04D50,?,?,02D04D50,00000000,FFFFFFFF), ref: 02D0A485

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 87039191fb6f0105beca3f00b3621d924706572783bb79f05d6defdb794ab7c0
Instruction ID: 1e17b951244393045988994c9b7f98792b3bad75a99df5caac3dca1382761444
Opcode Fuzzy Hash: 87039191fb6f0105beca3f00b3621d924706572783bb79f05d6defdb794ab7c0
Instruction Fuzzy Hash: 5DE086761002046BD710EBB48C89EE77F54EF44350F14419AFA4D97692C930A5008A90

Function 04C42CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42CAA

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1cc5cc0420b5126909c78ed4ca76533f71c6a38fce982039871691a9b110d459
Instruction ID: 77d420ee2a2355d96d378092f57e5580742dd97978851c137ca4639a42f4ae39
Opcode Fuzzy Hash: 1cc5cc0420b5126909c78ed4ca76533f71c6a38fce982039871691a9b110d459
Instruction Fuzzy Hash: 0690027120140402F1007598540864A00068BF0705F55D021B9029556EC665D9E16535

Function 04C42C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42C6A

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c4e3f97bc1e295bdce51aadbcfba7fe56c9ba2d8da460d3ccedf2abd6467c142
Instruction ID: 9d87deda2a7fa4ae7629565e298d870cda089a26615fd428e24a605a2e0fddd4
Opcode Fuzzy Hash: c4e3f97bc1e295bdce51aadbcfba7fe56c9ba2d8da460d3ccedf2abd6467c142
Instruction Fuzzy Hash: 1090027120140842F10071584404B4A00068BF0705F55C026B4129655D8615D9A17935

Function 04C42C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42C7A

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4cac340e717c3183be95b154da85bb48c9bedf0c3389c0dfab03a7121e23e65c
Instruction ID: 0031847427b7072c8c91ac2082fb47b28471ba67c4c10f972882de7c05695954
Opcode Fuzzy Hash: 4cac340e717c3183be95b154da85bb48c9bedf0c3389c0dfab03a7121e23e65c
Instruction Fuzzy Hash: F690027120148802F1107158840474E00068BE0705F59C421B8429659D8695D9E17535

Function 04C42DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42DDA

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 507fe97deb5b630f7e76ef2804a5b6bff9a453093ba5a099328cfb7aee33f20f
Instruction ID: ce8153f2fb57b45a038fcedc1d5168eb6b969978ca2f585fa3fffc3c085c7ef8
Opcode Fuzzy Hash: 507fe97deb5b630f7e76ef2804a5b6bff9a453093ba5a099328cfb7aee33f20f
Instruction Fuzzy Hash: CF900261242441527545B158440450B40079BF0645795C022B5419951C8526E9A6DA35

Function 04C42DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42DFA

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db20bf1a5d882234ea2a4d603343019eb038d2ba38a35499766cb2a996e6abdd
Instruction ID: c221ed2181bf0f12d3d0d2b08b6132f2fb65406f97ae1bf575d5d92ea12bba50
Opcode Fuzzy Hash: db20bf1a5d882234ea2a4d603343019eb038d2ba38a35499766cb2a996e6abdd
Instruction Fuzzy Hash: 8F90027120140413F1117158450470B000A8BE0645F95C422B4429559D9656DAA2A535

Function 04C42D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42D1A

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 381b5826467a303edec0ef2593ff454ad0a5ee062a81ab7e6c9e6dc96fbef95c
Instruction ID: 9248ea4f4e0af7e09db6c318ac6dd1ff11d0fabeb94d27a339e519991b788b46
Opcode Fuzzy Hash: 381b5826467a303edec0ef2593ff454ad0a5ee062a81ab7e6c9e6dc96fbef95c
Instruction Fuzzy Hash: FF90026921340002F1807158540860E00068BE1606F95D425B401A559CC915D9B95735

Function 04C42EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42EAA

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4025ab14327daf3df2fe1dad74426d6cfc7e748e3c1e4aad40de44e81cd2c5d1
Instruction ID: 7e9626c63cb5fb82b5ae1b407b925e603578597b24fb8c733617c0e86bd37fdc
Opcode Fuzzy Hash: 4025ab14327daf3df2fe1dad74426d6cfc7e748e3c1e4aad40de44e81cd2c5d1
Instruction Fuzzy Hash: 589002B120140402F1407158440474A00068BE0705F55C021B9069555E8659DEE56A79

Function 04C42FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42FEA

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 218644a0f6b3e57e0f71cbaa5b6e089381452a9f399a2fbbce6721f5372b7663
Instruction ID: 2caec92f5b15e8d5588a759572e0bd4c79167e7674a5af911d43a4d27790d9cc
Opcode Fuzzy Hash: 218644a0f6b3e57e0f71cbaa5b6e089381452a9f399a2fbbce6721f5372b7663
Instruction Fuzzy Hash: F9900261211C0042F20075684C14B0B00068BE0707F55C125B4159555CC915D9B15935

Function 04C42F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42F3A

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0b8435f59611dbd9a482f4c9ac3891067466266b402834fb9484d650c1ef2b3
Instruction ID: 4fbcd60d8ea134b95d9a103bef850882e5e3e1a8ee28101df9cf4c69a74c869e
Opcode Fuzzy Hash: f0b8435f59611dbd9a482f4c9ac3891067466266b402834fb9484d650c1ef2b3
Instruction Fuzzy Hash: B49002A134140442F10071584414B0A0006CBF1705F55C025F5069555D8619DDA2653A

Function 04C42AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42ADA

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2aae0449ae588ae0ab06c822da3dd3f33e62ce4eca8031d1bda0483568478246
Instruction ID: 53ce170b68950fc5c11466f820d5a02811033cd32af84909a0cd04c81b3ca72e
Opcode Fuzzy Hash: 2aae0449ae588ae0ab06c822da3dd3f33e62ce4eca8031d1bda0483568478246
Instruction Fuzzy Hash: 53900265211400032105B558070450B00478BE5755355C031F501A551CD621D9B15535

Function 04C42BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42BEA

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f22beae01676a8b778a1ad8fe9714e074b2ffaecb1f55e5ab095589d915c9100
Instruction ID: 058b2fa0fd5a4a353aba332696e31b782ef46a725792b0319f6e2ccee19a7510
Opcode Fuzzy Hash: f22beae01676a8b778a1ad8fe9714e074b2ffaecb1f55e5ab095589d915c9100
Instruction Fuzzy Hash: 5E90027120544842F14071584404A4A00168BE0709F55C021B4069695D9625DEA5BA75

Function 04C42BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42BFA

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 95fd25d750005be54c433d1330f9077060cb8579444d66006cad7d28b3ddf668
Instruction ID: f40bb0e639e057354997dba8588b447b94c25082472d38d41ae9eecdc9dab3b4
Opcode Fuzzy Hash: 95fd25d750005be54c433d1330f9077060cb8579444d66006cad7d28b3ddf668
Instruction Fuzzy Hash: 1E90027120140802F1807158440464E00068BE1705F95C025B402A655DCA15DBA97BB5

Function 04C42B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42B6A

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6865fb2aa8c4e7a34ee34f585acf6ef3c582f6c41b59692798c49c55008eccf3
Instruction ID: c1b572903f14bfaed2d2599299aaaca45e2e00cd044d89424904bfa018f2f38e
Opcode Fuzzy Hash: 6865fb2aa8c4e7a34ee34f585acf6ef3c582f6c41b59692798c49c55008eccf3
Instruction Fuzzy Hash: 5F9002A12024000361057158441461A400B8BF0605B55C031F5019591DC525D9E16539

Function 04C435C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C435CA

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0dd01589b884efa3c67565988cd547fe079ab2f87cd1b763c84b66c645c492d
Instruction ID: c4dc88f2588d5e1956a46304adb9962678d8d54cd9f87d82866a09afd41479b8
Opcode Fuzzy Hash: f0dd01589b884efa3c67565988cd547fe079ab2f87cd1b763c84b66c645c492d
Instruction Fuzzy Hash: D090027160550402F1007158451470A10068BE0605F65C421B4429569D8795DAA169B6

Function 02D09050 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02D090F8

Strings

wininet.dll, xrefs: 02D090AE, 02D090B7
net.dll, xrefs: 02D090C1, 02D09147, 02D0911F, 02D0912B, 02D09153

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 97f5b2742c7a20207df6cd05a41e5c5d838a2148da8c0b3e46eeee33a577d05b
Instruction ID: d5b3576443263bf48dabaaf441e24ba8aefec538c6737fba1b450628ea85d2c7
Opcode Fuzzy Hash: 97f5b2742c7a20207df6cd05a41e5c5d838a2148da8c0b3e46eeee33a577d05b
Instruction Fuzzy Hash: 2A3183B2500644ABC714DF64C8C5FA7B7B9EB48B00F10851DE62E5B385D630BA50CBA9

Function 02D0904F Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 79
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02D090F8

Strings

wininet.dll, xrefs: 02D090AE, 02D090B7
net.dll, xrefs: 02D090C1, 02D0911F, 02D0912B

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: e35cf1b2c95ba3f46dd28145ce5870e4e25c50029406349a918782c0e7a42873
Instruction ID: 3750d2965d1b87d261e0d73c09a256811627178fa9d32da96512313d45147951
Opcode Fuzzy Hash: e35cf1b2c95ba3f46dd28145ce5870e4e25c50029406349a918782c0e7a42873
Instruction Fuzzy Hash: E321A2B1A00704ABC714DF64C8C5FA7B7B8EB48B04F10811DE6296B385D770A950CBA5

Function 02D0A640 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02CF3AF8), ref: 02D0A66D

Strings

.z`, xrefs: 02D0A65C, 02D0A668

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 21a336610984beb578beb640fdd703fc366213647f57786b24a78a02026cb0f5
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 6EE01AB22102046BD714DF59CC44EA777ADEF88750F014555BA0857291C630E9108AB0

Function 02CF8310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02CF836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02CF838B

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
Instruction ID: 1e536d8b4555aa89e008fbfe2fd56e652ec637f5265013bd9a5d997cd945a255
Opcode Fuzzy Hash: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
Instruction Fuzzy Hash: CF01DB31A8022877E760A6949C42FFF776D9B40F51F050115FF08BA1C1E7E46A0547F5

Function 02D0A791 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02CFF1D2,02CFF1D2,?,00000000,?,?), ref: 02D0A7D0

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 189592f576d2bd95a883775349b6870281d4547b84e51cc009a85d165165b5d4
Instruction ID: 45ad11e89491b32e2ed8ebd4c7158f021d91cea409a5975adb4e48558beb3a64
Opcode Fuzzy Hash: 189592f576d2bd95a883775349b6870281d4547b84e51cc009a85d165165b5d4
Instruction Fuzzy Hash: 6E01B1B22003046BDB14DF54CCC5FD73BA9EF85714F148599FA481B692CA35A815CBF4

Function 02D0A745 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02CFF1D2,02CFF1D2,?,00000000,?,?), ref: 02D0A7D0

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 41da36e7b2189632b0396bdefc1b8be038fceca8c89dde02334715cc291fe110
Instruction ID: 6d44580c30f7076449e4053b654c9dcd9ffb6610fc2321f37ae4ff5617bf74ae
Opcode Fuzzy Hash: 41da36e7b2189632b0396bdefc1b8be038fceca8c89dde02334715cc291fe110
Instruction Fuzzy Hash: 4F0126B52043446FD711DF68DCC0EDB7BA9DF85610F048599F9995B392C634E8168BB0

Function 02CFACF0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02CFAD62

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 04787cc3f35c418c666dd3182cf01a6e4260f872c72525fffe02e06450f76bbf
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: C3011EB6D4020DBBDB50EBE4DC81F9DB379DB54308F1045A6AA0C97290FA31EB14CBA1

Function 02D0A6B0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D0A704

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 6394456539f4e34107649b1d9795141b0b1de05c5a801b32aafbdca135d571dd
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: C601AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97250C630E851CBA4

Function 02D09180 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02CFF050,?,?,00000000), ref: 02D091BC

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 3ca6a205792d7ef5e9bf1524afc8b1dc678e378c6025c1e3997efacd26045c0b
Instruction ID: 177615d56aadc2d54ef7e9e844e0f4fffc88066c509a42a21b8a4469b5fc0f62
Opcode Fuzzy Hash: 3ca6a205792d7ef5e9bf1524afc8b1dc678e378c6025c1e3997efacd26045c0b
Instruction Fuzzy Hash: 49E06D773802043AE23065A9AC42FA7B29CDB91B20F140026FA0DEB2C1D995F80146A9

Function 02D0A600 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02D04536,?,02D04CAF,02D04CAF,?,02D04536,?,?,?,?,?,00000000,00000000,?), ref: 02D0A62D

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 68d9c16056f30b90ba10adcea6fb2990de94088e1ace62b6feaa18872ff71bdf
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 88E01AB2210204ABD714DF59CC40EA777ADEF88654F114559BA085B281C530F9118AB0

Function 02D0A7A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02CFF1D2,02CFF1D2,?,00000000,?,?), ref: 02D0A7D0

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 74ce2a06a9f004b9d80769ec6fee4fdc7c2a197307adc60806f7d3d155bebc01
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 7BE01AB22102086BDB10DF49CC84EE737ADEF88650F018155BA0857281C930E8118BF5

Function 02CFF6C7 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02CF8D14,?), ref: 02CFF6FB

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 000c20c3ab78cc68b142fe19b5625fbb3675551c76b3bbe5ab95d62b1f34ffab
Instruction ID: 4201ce6047a6c04d7f6ffa2e5ecc498c2be37fb97b8c4f2cf27b5e94d927b1c5
Opcode Fuzzy Hash: 000c20c3ab78cc68b142fe19b5625fbb3675551c76b3bbe5ab95d62b1f34ffab
Instruction Fuzzy Hash: B1D02B757502013AFB00FAA09D42FA625C69781782F490028F649E63C3ED10D5004120

Function 02CFF6D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02CF8D14,?), ref: 02CFF6FB

Memory Dump Source

Source File: 00000009.00000002.3847658525.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cf0000_cmstp.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction ID: 1bb74803754f06a6cd3edca666b6ff2693f9e2461853dec0db90f1c8aed71c57
Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction Fuzzy Hash: 2CD05E616503082AE610AAA49C02F2632899B44B04F490064FA48963C3ED50E5004565

Function 04C42C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C42C24

Memory Dump Source

Source File: 00000009.00000002.3848544185.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: true

Associated: 00000009.00000002.3848544185.0000000004CF9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004CFD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3848544185.0000000004D6E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4bd0000_cmstp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5619c17646b79199c171a094d2f55c740d9bbb63909c53564d01173c0b6fa6cd
Instruction ID: 48034fc6efaae813d1c2290ea140548e529c0834f22a81b45e7843cc89be080f
Opcode Fuzzy Hash: 5619c17646b79199c171a094d2f55c740d9bbb63909c53564d01173c0b6fa6cd
Instruction Fuzzy Hash: 93B09B719015C5C5FB11F760470971B79016BD0745F15C071F2034642E4778D1D1E575

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tnbws7pyQvMUSjF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tnbws7pyQvMUSjF.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kqi12ac.5ys.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ekohflb5.uah.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_puqmwdli.dyy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sekfrt1b.201.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
tnbws7pyQvMUSjF.exe

Function 0560AC50 Relevance: 3.9, Strings: 3, Instructions: 143
COMMON

Function 0560AC40 Relevance: 3.9, Strings: 3, Instructions: 142
COMMON

Function 0158D031 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre